An employee of a physician practice who is not authorized to release a patient’s billing information (e.g., a transcriptionist) shares a patient’s outstanding balance and other billing information with another individual. Has the employee inappropriately disclosed the patient’s PHI?
Yes. The employee’s actions constitute a breach if the employee released the patient’s financial information without the patient’s authorization and for purposes other than payment or healthcare operations. The privacy rule specifically addresses billing information.
Any information pertaining to a patient (demographics) is considered PHI and is therefore protected by the privacy rule.
Employees responsible for a breach of PHI – a federal crime since February 17, 2009 under the HITECH Act – should (may) be subject to sanctions.