The Medical Center of Aurora Data Breach (2014)

The Medical Center of Aurora

low
VERIS
Disclosed

November 22, 2014

4143 days ago

Records

20

Confirmed

Root Cause

Human Error

Industry

Healthcare

Description

A patient who was recently discharged from The Medical Center of Aurora claims that she was also given the medical information of 20 other patients in her file. The Colorado-based hospital allegedly gave Karen Billings seven pages of operating room records after her Nov. 22 hospital release, according to a Fox31 report. Billings told the news station that along with her own discharge information, she had paperwork with protected health information (PHI) of other patients. The data included patient names, dates of birth, the doctor's name, the procedure done, and the prescribed medication.

"I was shocked. I was mad. I was hurt that I had somebody else's information," Billings said. "I wouldn't want my stuff out there."

Billings added that when she was first leaving the hospital, she noticed extra paperwork with the information of other patients. Her doctor was mortified, according to Billings, and a nurse took her file and removed the records. However, when she looked at her file the next day, Billings said she found that there was still paperwork with other patients' PHI.

The Medical Center did not reach out to affected patients, according to Fox31, until the station reached out to them and started asking questions. In a statement, the healthcare organization said that it takes the protection of patients' private information very seriously.

"We were made aware that one day's surgery schedule was mistakenly given to a patient on November 22nd and, per policy, our Facility Privacy Official immediately began an internal investigation and we are notifying the affected patients," the statement read. "We are committed to protecting the privacy of our patients and are reviewing internal procedures to determine additional safeguards we should implement."

Three individuals whose information was allegedly in the paperwork given to Billings spoke with Fox31. Each person said they were shocked that they were first notified by the media, rather than the Medical Center of Aurora.

"If the doctor knew about it, the administrators knew about it, the hospital knew about it, then they should've been proactive instead of waiting, trying to hide it," Scott Anderson told the news station.

While it is not yet clear if a HIPAA violation took place, or what process The Medical Center of Aurora used, it is important to keep in mind what constitutes a breach and how healthcare organizations are required to notify individuals. Individual notifications of a potential HIPAA violation must be given without reasonable delay and no later than 60 days after the discovery of a breach, according to the Department of Health & Human Services (HHS). Media outlets are only required to be notified if the breach affects more than 500 state residents.

There are three exceptions to what constitutes a breach, according to HHS. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. Additionally, the inadvertent disclosure of PHI by an authorized individual to another person with authorized access at the covered entity or business associate would be an exception. Finally, it would not be considered a HIPAA breach if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
