Being a covered entity means sometimes having to say you're sorry And when you add the accounting of disclosures provision to the mix, you've got all the more reason to notify and apologize to the affected individual for the error. According to David Ermer, an attorney with Gordon & Barnett in Washington, erroneous disclosures are considered accountable disclosures under HIPAA. But your responsibilities to the patient shouldn't just end there, says Donna Padnos, a senior management consultant with The Superior Consultant Company in Holly Springs, NC. In addition to logging the accidental PHI disclosure, your organization should contact those affected and let them know what happened and what you're doing to correct the mistake, she advises. If you're up front about the error, then your patient won't have to first learn of your mistake from the accounting report. As an example, Padnos refers to an August 2000 incident involving HMO-giant Kaiser Permanente. A programming glitch at a Kaiser facility in Maryland caused over 800 e-mails containing sensitive health information to be sent to the wrong recipient. Immediately after the error was spotted and fixed, Kaiser began contacting every single member affected by the accidental disclosure and apologized to them.
Nobody likes having to admit mistakes, but when your mistakes involve the accidental disclosure of an individual's protected health in-formation, you need to be forthcoming with your mea culpas.
What this means is if that your organization should mistakenly send out a patient's PHI to an unintended recipient, then you must be sure to record the incident in the patient's accounting log - after you've corrected the error, of course.
Padnos applauds Kaiser's response as a good model for any covered entity dealing with an accidental PHI disclosure: "Rather than sweeping it under the rug, you're actually up front, declaring it, letting them know that you're sensitive to their privacy, albeit you made a mistake."