Perhaps the Office for Civil Rights (OCR) was so specific with subcontractor language and breach notification amendments in the HIPAA omnibus rule for good reason. Similar to many recent healthcare data breaches, River Falls Medical Clinic notified about 2,400 clients of a breach that was tied to a subcontractor, in this case an outside cleaning service employee who stole patient records during the summer of 2012.
The OCR went into great detail in the HIPAA omnibus rule about how responsibility has expanded under business associate agreements and why organizations need to be more careful in selecting subcontractors. It will be interesting to see whether the new rules have any effect on subcontractor-related breaches. It is unclear when the clinic reported the theft to the police, but, according to PierceCountyHerald.com, the River Falls, Wis. police found the records containing protected health information (PHI) in the home of the suspect, Gordon A. Eckes II, on Nov. 28. The compromised PHI included some Social Security numbers, patients’ first and last names, dates of birth, patient and billing account information such as diagnosis codes, scheduling information, insurance information, account numbers and medical chart numbers. This information has since been returned to the clinic.
This case is comparable to the Tallahassee Memorial HealthCare breach reported last week, which involved a lack of governance for paper record de-identification, as Eckes apparently stole paper documents from clinic bins holding documents that were meant to be shredded. While the clinic says that it verified the credentials of all of its cleaning staff and that only clinic employees and the shredding company should have been able to retrieve the documents, breaches of this kind support the rationale behind the new HIPAA rules regarding subcontractors.
The Herald also reported that the clinic has modified its document shredding policies and procedures, but didn’t elaborate on what exactly will change. It wouldn’t hurt if one of these days a healthcare organization that has just experienced a breach were transparent about how exactly it plans to rectify the situation.
So, what took so long for this to be announced? PHIPrivacy.net brings up three more questions about timing that have to be asked:
1. When did the clinic first learn that the records had been stolen? In November when the police returned them or at the time of the theft?
2. When and why did the clinic make the determination that the risk of harm was low? Did they investigate to determine whether any of the info had been used between the summer of 2012 and November when the records were returned?
3. When were patients notified of this incident? And if they were only recently notified, why the delay between discovery of the breach and notification?
River Falls Medical Clinic used AllClear ID, an identity protection service, to send out the notification letter. There will be a plea hearing at 8:30 a.m. Tuesday, Feb. 25, at the Pierce County Courthouse.