An employee of the hospital mistakenly called a patient's place of employment to remind her about an upcoming appointment. The patient herself did not receive the call, but instead a message was left with her co-worker. The information left with the co-worker was: (patient's) Name, Hospital Name, and the name of the Clinical Department. For example:
Hospital - Hello may I speak with Jane Doe?
Co-Worker - Jane is in a meeting right now, may I take a message?
Hospital - Yes, my name is James Brown calling from ABC Hospital, Ophthalmology. Will you ask her call me?
Co-Worker - OK. I will give her the message. Thank you
Is the information that was left verbally with the co-worker PHI? Does the fact that a name of a clinical department was given matter? For example, would you handle this any differently if the name of the department left with the co-worker was psychiatry instead of ophthalmology?
I agree with Frank...there is no specific information shared here...it would all be assumptions on the part of the call receiver.
Scot Lovejoy RPh. CFP CHC
Chief Pharmacy Officer
9 Campus Drive, 2nd Floor East
Parisippany, N.J. 07054
(O) 973-540-8400 x227
Confidentiality Notice: This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure. If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system. Thank you.
Ok, two more points and I'm moving on to other things.
Director of Compliance
Disclaimer: HIPAAtrek, LLC employees and associates are not lawyers and do not provide legal advice. In order to facilitate your effective use of the HIPAAtrek Software-as-a-Service, our employees and associates may provide their non-legal opinions and recommendations related to HIPAA and the administration of your HIPAA Privacy, Security, and Breach Notification program. Nevertheless, you are strongly encouraged to engage your own competent legal counsel for your specific legal and compliance matters.
I consider the information left with the co-worker PHI. As a result, I consider this to be an impermissible disclosure which in turn requires an breach risk assessment.