Information from 1,918 Colorado Medicaid patients was breached after a temporary employee of outside contractor Colorado Community Health Alliance (CCHA) sent the information to his or her own personal email address, according to reports from The Denver Channel and The Pueblo Chieftain. The Colorado Department of Health Care Policy and Financing (the Department) believes the information may have been intended for the employee's use in another business.
The information, which is protected under HIPAA, includes patient names, dates of birth, addresses, telephone numbers, health conditions, and Medicaid identification numbers. Social Security numbers were not involved. Under the changes made by the HIPAA Omnibus Rule, CCHA, though not a healthcare provider, is directly responsible for protecting patient information as a business associate (BA) or subcontractor of Colorado Medicaid. Because of that connection to the patient data, CCHA should have had a business associate agreement (BAA) in place.
Business associates are third parties that provide services involving the use of protected health information (PHI) on behalf of a covered entity. Every BA must have a business associate agreement with the covered entity, and under that contract may use or disclose PHI only as the agreement permits. BAAs also specify which party is responsible for notifying patients, the government, and the media in the event of a breach, and which party bears the associated penalties. If a BAA between CCHA and Medicaid exists, it could leave CCHA responsible for HIPAA violation fines.
The email was sent on November 21 and was discovered during an audit the next day. The employee was immediately terminated. It is not clear whether he or she will face charges.
Affected patients are being notified by mail. Both the Department and CCHA are investigating the incident, and both are adding new email-communication and employee-conduct policies, the details of which have not been disclosed, to prevent future breaches.
PHIPrivacy.net also reported on the situation.