Managing inappropriate disclosures of protected health information made by third parties
Providence often contracts with providers, vendors, or business associates (third parties) who provide services that require access to the protected health information of Providence patients. On occasion, the provider, vendor, or business associate suffers an incident that may be a breach under the Health Information Technology for Economic and Clinical Health Act (HITECH Act.)
1. Who should make the determination whether an inappropriate disclosure was made by a third party? Providence or the third party?
The third party must make this determination since the third party is in a position to gather the information and perform an investigation of a possible disclosure made by an employee or agent of the third party. When appropriate, Providence may assist the third party in making this determination.
2. Does Providence expect to be notified of an inappropriate disclosure before the patient?
Yes. Providence has established a toll free Breach Reporting Hotline at 877-512-7119 that third parties can use to notify Providence of a potential inappropriate disclosure or breach. We ask that you let us know as soon as possible, but no more than 5 days after discovering the inappropriate disclosure.
3. Who should determine whether or not an inappropriate disclosure is a HITECH breach and whether the disclosure could result in significant risk of financial, reputational or other harm? Providence or the third party?
Generally, Providence as the covered entity should make these determinations as they are the ones with the relationship with the patient. Where appropriate, Providence may assist the third party in making this determination.
4. If the third party was responsible for an inappropriate disclosure and notice to the patient or government authorities is necessary, who should make those notifications? Providence or the third party?
The HITECH Act places the responsibility for notifying patients on covered entities. If the inappropriate disclosure occurs because of actions of provider who is not a Providence employee or a member of that provider’s staff, please call the Providence Integrity, Compliance and Privacy contact for your region for help determining who is responsible for notifying the patient and the government.