Coulee Medical Center Data Breach (2013)

Coulee Medical Center

VERIS: low
Disclosed

November 4, 2013
Records

Undisclosed

Confirmed

Root Cause

Insider Threat

Industry

Healthcare

Description

On January 4, Coulee Medical Center in Grand Coulee, Washington, posted this notice on its web site:

This notice is posted pursuant to federal Health Insurance Portability and Accountability Act of 1996 breach notification regulations found at 45 CFR Parts 160 and 164 and the Health Information Technology for Economic and Clinical Health Act Section 13402(e)(1). On Nov. 5, 2013, it was discovered that a Coulee Medical Center employed physician had shared certain patient information with his wife. The information shared includes: patient account number (a number used solely by the hospital for purposes of identification), date of service, CPT code and description of health care services that the patient received at Coulee Medical Center. The information that was accessed may have, in some instances, also included the patient's name. Coulee Medical Center has taken measures to prevent further access to this information. Coulee Medical Center is committed to providing quality care and protecting patients' personal information, and apologizes for the inconvenience and concern this may be for affected patients. The affected patients will receive direct mail correspondence from Coulee Medical Center. If you have questions about this incident or concerns about how it may impact you, please contact the Coulee Medical Center Privacy Officer at (509) 633-1753.

Although I haven't yet found a copy of the actual notification letter mailed to patients, at least one recipient was not appreciative at all. And the doctor in question, who reportedly was not named in the letter sent to patients, publicly responded and indicated that he felt the medical center had unfairly tarnished his reputation:

In an interview, Dr. Andrew Castrodale said the HIPAA notice, made under the federal Health Insurance Portability and Accountability Act, implied the work had been about figuring out bonus pay, but was actually meant to devise a reliable tool for measuring and reporting the efficiency and productivity of health care providers at Coulee Medical Center. Although it did not name Castrodale, the Notice of Patient Privacy Breach that arrived in mailboxes Jan. 3 and 4 said the doctor had improperly shared patient information with his wife. Castrodale said his wife, Sherril, is an actuary, and was helping him build a standardized statistical tool that could be used by Coulee Medical Center. "None of this has to do with anyone's medical history," he said.

I find it somewhat shocking that a physician would suggest that PHI that includes CPT codes, description of services, and in some cases, patients' names, is not covered by HIPAA, or that this was not a big deal, particularly in a small town where people might be recognized by unusual conditions or services. In any event, unless the physician wishes to claim that PHI is not PHI, it seems that the doctor shared patients' PHI with his wife without authorization or consent of the patients. However noble his intentions, and however much he believes the medical center may have misrepresented his motivation, unless he had consent or a HIPAA waiver, I think it's pretty clear he did violate HIPAA's Privacy Rule.

That said, was the hospital's notification accurate and appropriate? Did they have an obligation to explain to recipients that the disclosure to the doctor's wife was reportedly so she could provide actuarial advice? Was this, as some have suggested, a political dirty trick to discredit the doctor?

The incident wound up contributing to the medical center hiring new legal counsel:

A majority of hospital district commissioners voted Thursday to immediately hire new legal counsel, then went into closed session with the new attorney. Commissioner Jerry Kennedy said the board's reasons for changing attorneys had been compounded the week before when the hospital administration mailed a notice of a privacy breach, reportedly to thousands, saying a doctor had violated federal patient privacy rules. "One of the hopes that I had was that having legal counsel involved in that would help minimize reputational damage to the institution and to staff that might be potentially involved," Kennedy said. "I didn't feel, as a lot of people didn't feel, that that happened." The HIPAA notice, made under the Health Insurance Portability and Accountability Act, came at a time when the hospital administration has been at seemingly irreconcilable odds with its doctors, who have expressed no confidence in administration.

So how does a political controversy factor into a HIPAA breach notification? It shouldn't, of course, and if the medical center did not give patients the information they needed to assess their risk of harm because of any secondary or political agenda, then that's problematic. I'd love to see what HHS does with this one if they get all the facts. But this is also a useful reminder of why covered entities should consult with lawyers and experts on breach response before making any statements or sending out any notification letters.

Coulee Medical Center Data Breach (2013) | ExposedMap