
Complaint
We received a complaint from an individual alleging that the Custodian disclosed their personal health information (PHI) to their ex-partner.
Investigation
Our investigation uncovered that the complainant’s privacy was breached not once, but twice. The first breach occurred when the Custodian included the complainant’s PHI in their child’s referral package that was sent to a specialist. The second breach occurred when the complainant’s ex-partner received their child’s PHI from the Custodian in response to an access request, and that PHI included the complainant’s PHI.
Decision
Noncompliant. The disclosure of the complainant’s PHI to the specialist was unauthorized because the Custodian relied on consent for the disclosure but had not documented that the complainant had consented. Additionally, the HIPMA requires that the minimum amount of PHI be disclosed to achieve the intended purpose. It was our view that the Custodian did not need to include the complainant’s PHI in the child’s referral, and it should have been removed.
When a custodian becomes aware of a security breach, they are required to assess the risk of significant harm, and if a risk exists, report the breach to our office, provide written notice to the affected individual, and assess what mitigation efforts can be taken. None of these steps were taken.
Recommendations
Accepted. Our recommendations included developing various policies and procedures for managing personal health information including responding to breaches, providing specific training for their staff, and fulfilling their breach reporting obligations with respect to the two breaches. These requisite breach reports provided further guidance to the Custodian.