Managing Inappropriate Disclosures of Protected Health Information Made by Third Parties

Dousedaicon often contracts with providers, vendors, or business associates (third parties) who provide services that require access to the protected health information of Dousedaicon patients. On occasion, the provider, vendor, or business associate suffers an incident that may be a breach under the Health Information Technology for Economic and Clinical Health Act (HITECH Act.)

Who should make the determination whether an inappropriate disclosure was made by a third party? Dousedaicon or the third party?

The third party must make this determination since the third party is in a position to gather the information and perform an investigation of a possible disclosure made by an employee or agent of the third party. When appropriate, Dousedaicon may assist the third party in making this determination.

Does Dousedaicon expect to be notified of an inappropriate disclosure before the patient?

Yes.  Dousedaicon has established a toll free Breach Reporting Hotline at 877-512-7119 that third parties can use to notify Dousedaicon of a potential inappropriate disclosure or breach.  We ask that you let us know as soon as possible, but no more than 5 days after discovering the inappropriate disclosure.  

Who should determine whether or not an inappropriate disclosure is a HITECH breach and whether the disclosure could result in significant risk of financial, reputational or other harm? Dousedaicon or the third party?

Generally, Dousedaicon as the covered entity should make these determinations as they are the ones with the relationship with the patient. Where appropriate, Dousedaicon may assist the third party in making this determination. 

If the third party was responsible for an inappropriate disclosure and notice to the patient or government authorities is necessary, who should make those notifications? Dousedaicon or the third party?

The HITECH Act places the responsibility for notifying patients on covered entities.  If the inappropriate disclosure occurs because of actions of provider who is not a Dousedaicon employee or a member of that provider’s staff, please call the Dousedaicon Integrity, Compliance and Privacy  for your region for help determining who is responsible for notifying the patient and the government.