A website of the North Carolina Department of Health and Human Services (DHHS) that is intended to provide transparency regarding how government moneys are spent got a little too transparent recently when it displayed sensitive information belonging to more than 1,300 health care patients. DHHS inadvertently published PHI (protected health information), including patients’ names, addresses and payment amounts on NC Openbook, a state website designed to provide transparency for payments made to government vendors and contractors. Some of the information was especially sensitive, since it involved patients receiving mental health treatments. DHHS has issued an apology and sent notification letters to all of those affected. In addition, the agency notified the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS), as required by the HIPAA Breach Notification rules. As a result, this breach will appear on HHS’s “Wall of Shame” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html) where the HITECH Act requires all breaches affecting more than 500 individuals to be posted.
Unlike so many breaches caused by the accidental loss of a thumb drive or laptop, this breach demonstrates the need for ongoing training of employees who deal with PHI. Training is not just for new employees of an organization. It has to be an integral, ongoing part of every organization’s policies and procedures to avoid the kind of breach described here.
To see the WSOC TV story on this, click on: http://www.wsoctv.com/news/news/local/state-apologizes-patients-records-posted-internet/nbm86/.