DOVER — Wentworth-Douglass Hospital may have had to disclose the patient privacy breach had it occurred more recently, but since it did not the hospital wasn't required to do so.
The HIPAA Privacy Rule, however, would have "permitted" the hospital to notify patients or proper authorities of a violation, according to a statement from the U.S. Department of Health and Human Services. The agency's Office for Civil Rights enforces the rule protecting health information.
The breach took place between May 2006 and June 2007, involving a former hospital employee who improperly accessed patients' electronic records more than 1,800 times. http://www.fosters.com/apps/pbcs.dll/article?AID=/20091202/GJNEWS_01/712029961
Miaoulis Note: The Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements went into effect on Sept. 23. Even though the hospital was not legally required to notify the individuals affected; to minimize risk to the patients whose records had been breached organizations may want to notify the individuals.