DataBreaches.Net

Required HIPAA breach notification or political dirty trick?

Posted on January 15, 2014 by Dissent

Okay, this is a bit different.

On January 4, Coulee Medical Center in Grand Coulee, Washington, posted this notice on its web site:

This notice is posted pursuant to federal Health Insurance Portability and Accountability Act of 1996 breach notification regulations found at 45 CFR Parts 160 and 164 and the Health Information Technology for Economic and Clinical Health Act Section 13402(e)(1).

On Nov. 5, 2013, it was discovered that a Coulee Medical Center employed physician had shared certain patient information with his wife. The information shared includes: patient account number (a number used solely by the hospital for purposes of identification), date of service, CPT code and description of health care services that the patient received at Coulee Medical Center. The information that was accessed may have, in some instances, also included the patient’s name.

Coulee Medical Center has taken measures to prevent further access to this information. Coulee Medical Center is committed to providing quality care and protecting patients’ personal information, and apologizes for the inconvenience and concern this may be for affected patients.

The affected patients will receive direct mail correspondence from Coulee Medical Center. If you have questions about this incident or concerns about how it may impact you, please contact the Coulee Medical Center Privacy Officer at (509) 633-1753.

Although I haven’t yet found a copy of the actual notification letter mailed to patients, at least one recipient was not appreciative at all. And the doctor in question, who reportedly was not named in the letter sent to patients, publicly responded and indicated that he felt the medical center had unfairly tarnished his reputation:

In an interview, Dr. Andrew Castrodale said the “HIPAA” notice, made under the federal Health Insurance Portability and Accountability Act, implied the work had been about figuring out bonus pay, but was actually meant to devise a reliable tool for measuring and reporting the efficiency and productivity of health care providers at Coulee Medical Center.

Although it did not name Castrodale, the “Notice of Patient Privacy Breach” that arrived in mailboxes Jan. 3 and 4 said the doctor had improperly shared patient information with his wife.

Castrodale said his wife, Sherril, is an actuary, and was helping him build a standardized statistical tool that could be used by Coulee Medical Center.

“None of this has to do with anyone’s medical history,” he said.

I find it somewhat shocking that a physician would suggest that PHI that includes CPT codes, description of services, and in some cases, patients’ names, is not covered by HIPAA or that this was not a big deal – particularly in a small town where people might be recognized by unusual conditions or services.

In any event, unless the physician wishes to claim that PHI is not PHI, it seems that the doctor shared patients’ PHI with his wife without authorization or consent of the patients. However noble his intentions, and however much he believes the medical center may have misrepresented his motivation, unless he had consent or a HIPAA waiver, I think it’s pretty clear he did violate HIPAA’s Privacy Rule.

That said, was the hospital’s notification accurate and appropriate? Did they have an obligation to explain to recipients that the disclosure to the doctor’s wife was reportedly so she could provide actuarial advice? Was this, as some have suggested, a political dirty trick to discredit the doctor? The incident wound up contributing to the medical center hiring new legal counsel:

A majority of hospital district commissioners voted Thursday to immediately hire new legal counsel, then went into closed session with the new attorney.

Commissioner Jerry Kennedy said the board’s reasons for changing attorneys had been compounded the week before when the hospital administration mailed a notice of a privacy breach, reportedly to thousands, saying a doctor had violated federal patient privacy rules.

“One of the hopes that I had was that … having legal counsel involved in that would help minimize reputational damage to the institution and to staff that might be potentially involved,” Kennedy said. “I didn’t feel, as a lot of people didn’t feel, that that happened.”

The HIPAA notice, made under the Health Insurance Portability and Accountability Act, came at a time when the hospital administration has been at seemingly irreconcilable odds with its doctors, who have expressed no confidence in administration.

So how does a political controversy factor into a HIPAA breach notification? It shouldn’t, of course, and if the medical center did not give patients the information they needed to assess their risk of harm because of any secondary or political agenda, then that’s problematic.

I’d love to see what HHS does with this one if they get all the facts. But this is also a useful reminder of why covered entities should consult with lawyers and experts on breach response before making any statements or sending out any notification letters.

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.