Transparency is Key When Dealing with Health Information Breaches

By dnicastro@hcpro.com | April 06, 2010

Griffin Hospital's response plan regarding a recent breach of protected health information (PHI) was simple: Tell it like it is. Comply with HITECH breach notification requirements.

"We've always had a history of being transparent with our public reporting," Bill Powanda, vice president at Griffin and the hospital's spokesperson for the incident, tells HealthLeaders Media.

The breach at the 160-licensed-bed facility in Derby, CT, involves allegations that a radiologist formerly affiliated with Griffin improperly had access to the records of nearly 1,000 of the hospital's patients.

Connecticut Attorney General Richard Blumenthal confirmed his office is investigating the case.

Powanda says Griffin was honest with its patients and also complied with HITECH breach notification requirements by:

  • Notifying the HHS secretary

  • Notifying patients who have had their PHI accessed in the breach

  • Disclosing the information to the local media

  • Posting information about the breach on Griffin's Web site

  • Notifying the Connecticut AG's office

Powanda says Griffin's transparency is part of its "Planetree model," the philosophy that includes the effort to "foster education and communication," according to Griffin's Web site.

"We believe in transparency," Powanda says. "It's part of our Planetree model. It's about openness, disclosure, and empowering the patient through information."

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, tells HealthLeaders Media it appears Griffin Hospital did all the right things in its breach response.

Griffin's level of transparency, he says, "shows that the organization is well intentioned in getting information out to those that are affected so as to salvage its reputation of goodwill in serving its customers."

It is paramount, Ruelas says, that covered entities be able to "tell a good story when it comes to showing their compliance efforts, especially during the time when addressing a breach and the associated requirements to include the prescribed breach notifications."

"This shows that an organization is committed well beyond just drafting policies to fill a policy binder on a bookshelf or policy folder on a computer file server," Ruelas adds.

Griffin's strong response to the breach does not overshadow that nearly 1,000 patient records may have been inappropriately accessed.

Griffin said an investigation revealed that, from February 4 to March 5, a radiologist previously affiliated with the hospital or on the hospital's medical staff used the passwords of other radiologists and of an employee within the radiology department to gain access to 957 patient radiology reports on the hospital's Digital Picture Archiving and Communication System (PACS). The reports included patient name, exam date, exam description, gender, age, medical record number, and date of birth, according to the facility.

"Though there are certainly some questions that Griffin will have to answer with respect to its own practices and safeguards that may have detected or even possibly prevented this breach," Ruelas says, "the transparency can give the impression that the organization, as are those who are affected, is intent on finding answers to very critical questions."

Griffin President Patrick Charmel defends his hospital's practice of securing patient information in its Web site statement:

"Griffin Hospital has stringent policies, procedures, and systems in place to protect patient information and takes very seriously our obligation to safeguard the personal and health information of our patients," Charmel says. "This breach, however, appears to have been a deliberate intrusion into Griffin's PACS to view patient radiology reports. We acted quickly to complete an audit and investigation and to notify affected patients. As a result of this breach, steps are underway to further strengthen the security of patient information."

The HITECH breach notification requirements can be found in the interim final rule published in the Federal Register August 24, 2009.

The rule states that:

  • Covered entities (CE) must notify affected patients "without unreasonable delay," but no later than 60 days after the CE discovers or should have discovered the breach or from the time a business associate (BA) notifies the CE of a breach

  • BAs must notify CEs when they discover a breach

  • Breaches affecting 500 or more patient records require notice to the secretary of HHS and prominent media outlets serving a state or jurisdiction

  • Breaches affecting deceased patients require notice to next of kin

  • Notices must describe what occurred; details of the unsecured, breached PHI; steps to help mitigate harm to patients; and the CE's response

  • Breaches of unsecured PHI affecting fewer than 500 patient records require annual notice to the secretary of HHS within 60 days after the end of the reporting year

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
