Transparency is Key When Dealing with Health Information Breaches
Griffin Hospital's response plan regarding a recent breach of protected health information (PHI) was simple: Tell it like it is. Comply with HITECH breach notification requirements.
"We've always had a history of being transparent with our public reporting," Bill Powanda, vice president at Griffin and the hospital's spokesperson for the incident, tells HealthLeaders Media.
The breach at the 160-licensed-bed facility in Derby, CT, involves allegations that a radiologist formerly affiliated with Griffin improperly accessed the records of nearly 1,000 of the hospital's patients.
Connecticut Attorney General Richard Blumenthal confirmed his office is investigating the case.
Powanda says Griffin was honest with its patients and also complied with HITECH breach notification requirements by:
- Notifying the HHS secretary
- Notifying patients who have had their PHI accessed in the breach
- Disclosing the information to the local media
- Posting information about the breach on Griffin's Web site
- Notifying the Connecticut AG's office
Powanda says Griffin's transparency is part of its "Planetree model," the philosophy that includes the effort to "foster education and communication," according to Griffin's Web site.
"We believe in transparency," Powanda says. "It's part of our Planetree model. It's about openness, disclosure, and empowering the patient through information."
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, tells HealthLeaders Media it appears Griffin Hospital did all the right things in its breach response.
Griffin's level of transparency, he says, "shows that the organization is well intentioned in getting information out to those that are affected so as to salvage its reputation of goodwill in serving its customers."
It is paramount, Ruelas says, that covered entities be able to "tell a good story when it comes to showing their compliance efforts, especially during the time when addressing a breach and the associated requirements to include the prescribed breach notifications."
"This shows that an organization is committed well beyond just drafting policies to fill a policy binder on a bookshelf or policy folder on a computer file server," Ruelas adds.
Griffin's strong response to the breach does not overshadow that nearly 1,000 patient records may have been inappropriately accessed.
Griffin said an investigation revealed that, from February 4 to March 5, a radiologist previously affiliated with the hospital or on the hospital's medical staff used the passwords of other radiologists and of an employee within the radiology department to gain access to 957 patient radiology reports on the hospital's Digital Picture Archiving and Communication System (PACS). According to the facility, the reports included patient name, exam date, exam description, gender, age, medical record number, and date of birth.
"Though there are certainly some questions that Griffin will have to answer with respect to its own practices and safeguards that may have detected or even possibly prevented this breach," Ruelas says, "the transparency can give the impression that the organization, as are those who are affected, is intent on finding answers to very critical questions."