Updated Sept. 5, 2018.
Let’s start with BHCHP’s substitute notice:
Boston, MA – In mid-March 2018, a lapse in security led to a possible breach of the Protected Health Information (PHI) of patients of Boston Health Care for the Homeless Program’s (BHCHP’s) clinic at St. Francis House (SFH) in Boston.
A shelter guest trespassed into the clinic on the night of March 13. The event was reported to law enforcement, who did not detain the intruder. BHCHP’s comprehensive investigation found no evidence that the intruder viewed or retained PHI.
Health information involved in the possible breach included handwritten staff notes, printed patient lists, referral forms, and insurance/benefits applications.
BHCHP is not aware of any misuse of patient information, but is notifying patients who may have been affected by the possible breach. Patients with questions about the possible breach may call BHCHP toll free at 888-328-7893. BHCHP recommends that patients who have accessed care or services at the SFH clinic monitor their credit reports and/or report any suspicious activity to local law enforcement. Individuals may request a free copy of their credit report by visiting annualcreditreport.com, or by calling 1-877-322-8228.
BHCHP conducted an internal investigation that included a comprehensive search of all parts of the SFH clinic to which the intruder would have had access and interviews with clinic and shelter staff. BHCHP then performed a detailed analysis of the evidence that the investigation surfaced. BHCHP also promptly ensured that the clinic door was secure and implemented extra safety measures, including an additional lock on internal doors within the clinic and secure storage of keys to internal doors, file cabinets, and storage cabinets. In addition, BHCHP updated its policies governing how staff use and store patient information.
For more information, please call the toll free number (1-888-328-7893) to speak with a BHCHP Compliance Officer or senior manager.
Sept. 5 update:
I spoke with legal counsel for BHCHP today, who explained that they decided to notify everyone of this incident in the proverbial “abundance of caution.” As I understand it, the door between the shelter and the clinic may have not been securely closed and a shelter resident wandered into the clinic, likely looking for a quiet place. There was never any indication that the individual was looking to take anything or to snoop in any records in the clinic. So… was this a reportable breach under HIPAA? I’m not a lawyer, but this really doesn’t seem like a breach to me as much as an accidental trespass with no harm, no foul. But I do understand the desire to err on the side of caution when it comes to reporting to regulators. The delay between the incident and the notification, I was told, was due to the need to go through everything so that everyone could be notified. Given that there were a lot of paper records, it was a time-consuming task.