What do you do when you discover your radiology practice may have accidentally released personal health information about your patients? For Springfield, Mo., practice Litton and Giddings Radiological Associates, P.C. (LGRA), one of the first steps was to get professional communications help.
When LGRA discovered earlier this month that papers printed with its patient billing data had been sent to a recycling facility without first being shredded, the practice hired a global PR firm, Hill+Knowlton Strategies, to make sure that its version of events was the first one reported. The practice then established a 24-hour, live-staffed helpline for questions from either patients or the media.
According to the press release LGRA sent out, “a miscommunication between its billing company and janitorial provider” meant that patient paper billing records were “inadvertently sent” to a recycling center without first being shredded. The company maintains that “there is no indication that any patient information has been misused.”
Althea Holly, a communications support representative for Hill+Knowlton who is listed as LGRA’s point of contact on its website, told Imagingbiz that the firm works with “multiple clients in different industries” to provide both general and crisis-related media assistance, and that she personally has worked on previous breaches of personal health information protected under the Health Insurance Portability and Accountability Act (HIPAA).
“We took the appropriate steps based on the HIPAA law to notify potentially affected patients,” Holly said, citing “video surveillance” at the billing provider site that allowed LGRA to “identify the two days when this actually happened.”
In its press release, LGRA announced that its patients were notified by mail of the breach (and even the date when they could expect to receive the letter), and advised patients “to be vigilant to the possibility of any misuse of their information.”
A televised news report on the breach carried the theme LGRA had put forth in its press release, attributing the practice’s response to what it judged an unlikely risk of harm to “an overabundance of caution.”
Maybe this case was an easy test—after all, the breach happened offsite, as the result of indirect negligence on the part of two peripherally related service providers—but with savvy handling of the incident, LGRA has likely mitigated its own risk of losing patients’ confidence and, more importantly, kept up with its obligations under the law.
The latter point, meeting the obligations of the law, should not be underestimated. According to an October 9 study by the Office of the Inspector General (OIG), the Centers for Medicare and Medicaid Services (CMS) itself usually failed to meet the legal requirements for the 14 breaches of protected health information that required notification under the Recovery Act between September 23, 2009, and December 31, 2011.
In those incidents, the nearly 14,000 Medicare beneficiaries affected were notified, but in half the instances not as quickly as the Recovery Act requires, the OIG found. Moreover, the report says that the patient notifications provided “often were missing required information,” such as the methods used to investigate the privacy breach, the actions taken to prevent future breaches, and sometimes even the date of the occurrence.
“Notification letters for three breaches did not include the types of unsecured protected health information involved, contact procedures for individuals who want to learn more, or steps individuals can take to protect themselves from harm,” the report says.