A mental health facility in Texas recently reported a potential PHI data breach that may affect over 11,000 patients.
El Paso-based Emergence Health Network (EHN) first announced on October 8, 2015 that one of its computer servers was accessed by an unauthorized user, potentially as far back as 2012. However, EHN stated that it first became aware of the inappropriate access on August 18, 2015. Information that is kept on the server in question includes first and last names, addresses, dates of birth, Social Security numbers, case numbers, and information indicating that individuals accessed services from Life Management Center/El Paso MHMR/Emergence Health Network.
According to the data breach report sent to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), 11,100 individuals were potentially affected by the PHI data breach.
“EHN quickly disconnected the computer server from the internet when the suspicious activity was discovered,” the statement read. “EHN is taking steps to keep this from happening again by using more secure methods for transmitting, maintaining, and safeguarding your protected health information. EHN is cooperating with state and federal agencies to report this breach.”
In a follow-up statement dated October 16, 2015, EHN added that a third-party audit found that “it is not apparent that any medical information was disclosed,” and there is no proof that the patient information was misused.
“EHN has also already taken appropriate steps to avoid the threat of future data security compromises and is cooperating with officials in minimizing the potential effects of this incident,” explained the second statement.
Even though EHN did not believe information was inappropriately accessed, it still cautioned in its data breach notification letter sent to patients that they should carefully monitor their credit reports, account statements, benefits notices, and medical records.
“We are sorry for any inconvenience this incident may have caused you,” the facility said. “EHN is doing everything we can to fix this and not have it happen again.”
Healthcare organizations that handle mental health records must also take care to keep that information secure. Moreover, with potential legislation set to affect how HIPAA regulations account for mental health records, covered entities need to remain current on all requirements.
For example, the Helping Families in Mental Health Crisis Act was reintroduced by House Energy & Commerce Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA) and Rep. Eddie Bernice Johnson (D-TX) over the summer. The bill seeks to eliminate certain federal barriers to care and also clarify privacy standards for families and caregivers.
The bill also states that a physician shall disclose PHI only if all of certain criteria are met, including but not limited to the following:
- Such disclosure is for information limited to the diagnoses, treatment plans, appointment scheduling, medications, and medication-related instructions, but not including any personal psychotherapy notes.
- Such disclosure is necessary to protect the health, safety, or welfare of the individual or general public.
- The information to be disclosed will be beneficial to the treatment of the individual if that individual has a co-occurring acute or chronic medical illness.
However, there are still those who are opposed to the bill, citing patient privacy concerns. Orlando mental health counselor Burt Bertram told the Washington Post earlier this year that mental health records could also include information on family members and former spouses.
“If a broad base of health professionals had access to mental-health records that include psychotherapy notes, I am concerned about the potential for privacy violations . . . not only for the patient, but also for the others who are involved in the patient’s life,” Bertram said.