When is a PHI breach reported to HHS not a breach of PHI?
Back in March, this site reported on an incident disclosed by the Eye Institute of Corpus Christi. The incident involved individuals copying the patient database and providing it to doctors formerly associated with the entity. The doctors then allegedly used the information to recruit patients to their practice.
It was not clear from the notification whether the individuals who copied the patient database were employees or now. But given that patient records were given to doctors no longer employed by the entity without the entity’s authorization, it certainly sounded like a reportable breach to me. I even questioned, at the time, why they hadn’t mentioned reporting the incident to HHS.
Today, I noticed the entry in the public breach tool, Apparently they had reported the incident to HHS prior to my March post, but HHS had not uploaded it immediately. EICC reported that the incident, which they coded as theft of EMR, affected 43,961 patients.
Of particular note, I was surprised to read OCR’s short closing note on the investigation:
After review of the response from the entity, OCR determined that a breach of protected health information did not occur.
Okay, how was this not a breach of PHI? Discuss. I don’t have any answer, because that’s all OCR wrote, but I do find their determination surprising.