Federal regulations requjire substitute notice when notification by postal mail or other direct means cannot be made, but I cannot recall ever seeing a substitute notice that announced it was only being made for one particular patient. The following was published by the Oregon Health & Science University:
On May 16, 2022, a computer belonging to a workforce member was stolen. The device contained a document with the patient’s health information including: the patient’s full name, age, diagnoses, condition, lab results, medications and other treatment information. The disclosed information did not include the patient’s financial information, date of birth, or social security number.
Despite exhausting all possible contact options, OHSU was unable to directly notify this patient due to out-of-date contact information (no known home address, phone number, email address, and MyChart account not activated). The impacted patient received services from OHSU during the period of May 2020 to June 2020.
Please contact the OHSU Information Privacy and Security Office at 503-494-0219 or [email protected] if you have any questions about this post.