TriHealth Notifies 2,433 Patients of Impermissible PHI Disclosure

TriHealth is in the process of notifying 2,433 patients that their protected health information (PHI) was impermissibly disclosed to a student mentee in June 2018.

TriHealth, a unified health system based in Cincinnati, Ohio, revealed that a student was provided with sensitive information of nearly 2,500 patients. The data was provided on June 8 and June 9, 2018, during which time the student was under the direct supervision of a TriHealth physician who is no longer employed by the organization. The physician had been using the information for a research project.

The patient information provided included first and last names, dates of birth, ethnicity, life status, cancer diagnosis information, and zip codes. Neither Social Security numbers nor financial information was shared with the student.

As the student was not an employee of TriHealth, they were not authorized to view the data. The physician's disclosure of the patient information to the student therefore constitutes a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Privacy Rule states that only individuals with the correct authorization are permitted to view or use patient data.

TriHealth does not believe that there were any further uses or disclosures of patient information or that any patient information has been misused. PHI was accessed solely in connection with the potential research project.

Because the disclosure was a breach of HIPAA, TriHealth has followed the Breach Notification Rule and sent breach notification letters to all affected patients. TriHealth said that the information affected by the breach does not heighten the risk of identity theft or fraud, so it has not offered identity theft protection services to affected patients. Out of an abundance of caution, however, TriHealth recommends that patients carefully monitor their insurance statements to be sure they are not defrauded.

Since the student was not an approved TriHealth workforce member, access to patient information was prohibited. As such, this was an impermissible disclosure of patient information, which warranted issuing breach notifications to affected patients. Those notification letters have now been sent.

“TriHealth team members are educated to privacy policies when they are hired and provided with annual re-education. Employees are held accountable to TriHealth policies and violation results in corrective action, up to and including discharge from employment. This process was followed for the above matter,” a hospital spokesperson said in a news release.