- The North Texas Comprehensive Spine and Pain Center told 3,000 patients last week of a recent data breach in which it lost a computer drive containing patient medical records back in June.
According to kten.com, the compromised data included names, Social Security number, birthdays, home addresses and diagnoses. Though the organization doesn’t believe that any patient data was used inappropriately, it told patients to check up on their bank accounts and credit reports in case any identities were stolen.
On its site, North Texas Comprehensive Spine and Pain Center offered examples its HIPAA Privacy Notice of how it can use and disclose protected health information (PHI):
Treatment – Means the provision, coordination, or management of your health care, including consultations between doctors, nurses, and other providers regarding your care, and referrals for care from one provider to another. For example, we may disclose your protected health information to a cardiologist if we are concerned that you have a heart problem.
Payment – Means the activities we carry out to bill and collect for the treatment and services provided to you. For example, we may provide information to your insurance company about your medical condition to determine your current eligibility and benefits. We may also provide PHI to outside billing companies and others that process health care claims.
Health Care Operations – Means the support functions that help operate the hospital such as quality improvement, case management, responding to patient concerns, and other important activities. For example, we may use your PHI to evaluate the performance of the staff that cared for you.
In addition to using and disclosing your protected health information for treatment, payment, and health care operations, we may use your information in the following ways:
Appointment Reminders and Health-Related Benefits or Services – We may use PHI to contact you for a medical appointment or to provide information about treatment alternatives or other health care services that may benefit you.
Disclosures to Family, Friends and others – We may disclose your PHI to family, friends, and others identified by you as involved in your care or the payment of your care. We may use or disclose PHI about you to notify others of your general condition and location in the facility after a procedure. We may also allow friends and family to act for you and pick-up prescriptions, X-rays, etc. when we determine it is in your best interest to do so. If you are available, we will give you theopportunity to object to these disclosures.
To Avoid Harm – As permitted by law and ethical conduct, we may use or disclose protected health information if we, in good faith, believe the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, or is necessary for law enforcement to identify or apprehend an individual.
Fundraising Activities – We may contact you as part of our fundraising activities, as permitted by law.
Marketing Activities – We may contact you as part of our marketing activities, as permitted by law.
Research Purposes – In certain circumstances, we may use and disclose PHI to conduct medical research. Certain research projects require an authorization which will be made available to you prior to using your PHI.
Law Suits & Disputes – If you are involved in a law suit or dispute, we may disclose health information about you in response to a court or administrative order. We may also disclose health information in response to a subpoena, discovery request, or other process by others involved in the dispute. We will only disclose information with assurance that efforts were made to inform you about the request or to obtain an order protecting the information requested.
Required by Law Enforcement – We may release health information about you if asked to do so by law enforcement in response to a court order, subpoena, warrant, summons, or similar process. We also may disclose information to identify or locate a suspect, fugitive, material witness, or missing person. In addition, we may disclose information about a crime victim or about a death we believe may be the result of criminal conduct. In emergency situations, we may disclose PHI to report a crime, to help locate the victims of the crime or to identify/describe/locate the person who committed the crime.
Incidental Disclosures – We may make incidental uses and disclosures of your protected health information. Incidental uses and disclosures may result from otherwise permitted uses and disclosures and cannot be reasonably prevented. Having your name called aloud by a staff member in the Emergency Department is an example of an incidental disclosure.
Disaster Relief – When permitted by law, we may coordinate our uses and disclosures of protected health information with other organizations authorized by law or charter to assist in disaster relief efforts. For example, a disclosure of PHI may be made to the Red Cross or a similar organization in an emergency.