Even though it may not seem that the situation described in the case study is a significant threat, it should be treated as a breach of patients’ confidentiality. On the one hand, the physical therapist accidentally accessed health records without authorization. On the other hand, this information was shared with a supervisor. Even though accidental access to health records is a violation of HIPAA standards, the situation with sharing this information is inconclusive. According to HHS (n.d.), “HIPAA permits health care providers to disclose to other health providers any protected health information (PHI) contained in the medical record about an individual for treatment, case management, and coordination of care” (p. 8). However, it is unclear if sharing information that was acquired by accident is appropriate.
While there may be some ambiguity about the severity of the violation, the supervisor has a clear protocol she or he should follow. According to the HIPAA Journal (2017), any case of accidental disclosure of protected health information (PHI) is to be reported to the Privacy Officer. This implies that the supervisor needs to report the case to the Privacy Officer without trying to assess the violation to avoid errors. The Privacy Officer will need to assess the violation and associated risks of further disclosure. The Privacy Officer may choose to report the incident to the OCR or not depending on the results of the assessment. According to the HIPAA Journal (2017), there are three cases that are not regulated by the HIPAA Breach Notification Rule, and the Privacy Officer will need to check if the situation can be treated as one of these cases. If the situation is not an exception, OCR needs to be notified within 60 days of the discovery of the breach (HIPAA Journal, 2017). However, risk mitigation strategies should be applied to avoid further sharing of the information.
References
HHS. (n.d.). HIPAA privacy rule and sharing information related to mental health. Web.
HIPAA Journal. (2017). How should you respond to an accidental HIPAA violation? Web.