Attorney John Durso, Ungaretti & Harris LLP

Someone leaked sensitive patient information to the press after we had a recent fire here. What steps can/should we take to investigate or determine who the leak was? 

If you are in a skilled nursing facility, and if the information leaked contained protected health information (“PHI”) about a resident, then the issue falls under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulations.

The facility’s human resources manager should work with its HIPAA Privacy/Security Officer to investigate any leak. The facility also should analyze whether a HIPAA breach occurred and whether it is reportable. The facility should take whatever action it can to mitigate any further disclosure.

If the facility is not subject to HIPAA, it may still be required to comply with state privacy laws, including provisions in statutes licensing the particular facility, as applicable.

PHI includes information created or received by a skilled nursing facility relating to the health or care given to someone when the information identifies the individual. 

The skilled nursing facility should have HIPAA policies and procedures in place. These policies should include a sanctioning policy that addresses improper uses and disclosures of PHI. Your HIPAA and confidentiality policies should tell employees that discipline, including being fired, will be imposed for policy violations.