Rush University Medical Center’s 2019 Privacy Breach Incident

Yahitza Nuñez

Associate Editor

Loyola University Chicago School of Law, LL.M. 2019

In March 2019, Rush University Medical Center (“Rush University”) sent out breach notification letters to approximately 45,000 patients. The letter advised patients that a privacy incident had occurred that may have involved the patients’ personal information. The privacy incident was caused by an employee of a third-party financial services vendor. The employee released a file that contained patient information to an unauthorized person. According to the breach notification letter, law enforcement and regulatory officials were involved in the investigation of the privacy incident. Rush University sent the breach notification letter in compliance with the Health Insurance Portability and Accountability Act’s privacy and security rules.

Health Insurance Portability and Accountability Act Privacy Rule Overview

The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use or disclose protected health information (PHI). PHI is defined as “individually identifiable health information.” The information can include any demographic information that is collected from an individual that was created or received by a healthcare provider, plan or clearinghouse. The information must relate to: (1) the past, present or future physical or mental health condition, (2) healthcare services, or (3) payment for healthcare services. In order to qualify as PHI, the information must identify the individual or be usable in combination with other information to identify the individual. The unauthorized release of patient information may be a breach under HIPAA. If a breach has occurred that involves unsecured PHI, the entity may be required to provide breach notification letters to affected individuals.

Security Rule Risk Analysis

A breach involving unsecured PHI also raises a presumption of a reportable breach unless the entity is able to demonstrate that there is a low probability that the PHI has been compromised. In order to determine whether a breach occurred, an entity should consider the following four factors:

  1. the nature and extent of PHI involved;
  2. the identity of the person who accessed or acquired the PHI or to whom the PHI was disclosed;
  3. whether the PHI was actually acquired or viewed; and,
  4. the extent to which the risk to the PHI has been mitigated.

First, when considering the nature and extent of the PHI involved, the entity should assess the types of identifiers involved and the likelihood of reidentification. The identifiers involved refer to whether the PHI contains the name of the individual, date of birth or social security number. The entity should assess whether the information contains any financial, demographic, clinical or behavioral data. There should also be a consideration of whether there is any risk of identity theft or financial fraud that could arise from the disclosure of the information.

Second, when considering the identity of the person who accessed or acquired the information, the entity should assess whether the person had a legal obligation to protect the privacy of the information. Assessing the legal obligation of the individual takes into consideration whether the individual was an employee, contractor, or subcontractor of the covered entity, or if the individual was within any of these categories for a business associate. Another point of consideration is whether the individual who accessed or acquired the information had the ability to re-identify the PHI. The entity should also consider to whom the information was disclosed.

Third, the entity should assess whether the information was actually acquired or viewed. The privacy incident may simply reveal that there is a weakness in the privacy and security protections of the entity.

Last, the entity should consider the steps taken and the extent to which the risk from the release of PHI has been mitigated. Mitigation factors to consider will include whether the recipient of the PHI provided the entity any satisfactory assurances and the level of effort expended to prevent future issues and/or lessen the harm.

Once the entity has considered each factor, the entity should determine whether there was a low probability that the PHI was compromised. If there is a low probability of compromised PHI, the entity is not required to provide a breach notification letter. However, if the entity is unable to show a low probability of risk of compromise, the entity must provide the individuals affected a breach notification letter. The low-probability analysis thus identifies the instances in which an entity must provide a breach notification letter. Yet, it is always within the entity’s power to decide to notify the affected individuals even if there is a low probability that the PHI has been compromised.

Corporate Culture of Privacy

In order to ensure a corporate culture of privacy, the entity should strive to ensure that all employees, contractors or subcontractors are aware of their responsibilities. First, the entity can establish policies and procedures that provide their employees with expectations and steps to follow when a patient’s privacy is at issue. The entity’s policies should establish the expectations that are placed on the employee when put into a difficult situation that would affect PHI. The entity’s procedures should lay out the steps that each employee will take in order to protect a patient’s PHI and also the steps that should be taken if a patient’s PHI is disclosed. The procedures should address an employee’s inadvertent access to or acquisition of PHI, as well as the purposeful actions of an employee.

Second, the entity should establish training for their employees. The training should provide an overview of the federal statutes and regulations that establish the entity’s and the employee’s legal responsibility to comply. Additionally, the training should cover difficult scenarios that may affect an employee.

Last, employees should be made aware of the contact information and reporting procedures for privacy incidents. The contact information for the compliance department and the reporting hotline information should be provided. Ensuring that each employee is aware of their responsibility to report privacy incidents will help the entity create a culture of privacy.