We have long said and stand by the mantra that one of the greatest assets of a healthcare practice, its personnel, is also one of the highest risk areas for compliance. As reported by CBS and other local news sources, NRAD Medical Associates of Garden City has notified patients via a letter that a “now-former employee had unauthorized access to their personal information.” According to CBS, “as many as 97,000 files of current and former patients may have been accessed.”
The letter, which is available on NRAD’s website along with a Patient Q & A and by clicking here, states in part that “a radiologist who was employed by NRAD at the time of the breach, bypassed security systems within the company’s billing and data systems to improperly access records and patient health information.”
So, what should you do if you find yourself in a similar situation? First, consult your legal counsel in order to determine what notifications, if any, need to be made and what information needs to be contained in any such notification. Counsel should also be engaged to consult with you regarding all other steps that need to be taken. Importantly, we do not recommend engaging with the Office of Civil Rights (“OCR”) without your attorney’s involvement.
There are a variety of steps that can be taken in response to a potential breach, some required and some recommended depending on your personal situation, the circumstances surrounding the potential breach and discussions with counsel. According to NRAD’s letter and Q & A, some of the steps that NRAD has taken in response to this situation include: an internal investigation; the involved employee is no longer employed at NRAD; the employee’s misconduct was reported to the appropriate authorities and government agencies for investigation; NRAD is working with OCR and other government agencies to “notify patients and to meet the requirements of the HIPAA Breach Notification Rule”; NRAD implemented “a series of enhanced security safeguards on our billing and patient databases”; provided information on how to place a fraud alert on credit reports; and established a phone number for people to call with questions or concerns.
The steps taken by NRAD, as well as additional or alternative responsive and preventative steps that you may elect to take, could help your practice to minimize any potential liability (monetary exposure) stemming from a potential breach, as well as help to prevent future breaches. The first place to start is to ensure you have adopted proper policies and procedures, including a Breach Notification Policy, for which training has been provided or coordinated for your staff.
Questions or concerns about patient privacy or potential breach? Contact Erica (516 747 6700 x. 308, EYoungerman@kirschenbaumesq.com) or Jennifer (516 747 6700 x. 302, Jennifer@kirschenbaumesq.com) to discuss.