Gentry Locke Partner Christen Church Quoted in Article on Medical Data Breach
Gentry Locke partner Christen Church, who handles health care regulation and compliance, and data privacy and security, was recently quoted in a Dan Casey article in The Roanoke Times regarding an ongoing, inadvertent medical data breach.
A local CPA has been receiving faxes with private medical information for four years.
Christen is quoted as follows:
Christen Church, an attorney at Gentry Locke whose practice areas include intellectual property, health care regulation compliance and data privacy and security, said what I described seemed to clearly fall under the category of “inadvertent” breaches, rather than “malicious” ones. But either way, under the law it sounds like a breach, she said.
In the early days of HIPAA, its security rules included exemptions for information transmitted between two actual fax machines. The law considered such data “telephonic,” rather than “electronic.” And in that case, errant faxes were not necessarily a breach, particularly if there was little risk of harm to the patient, Church said.
But if the fax originated from a computer — which is more likely these days — the exemption doesn’t apply. HIPAA breach notification rules, finalized in 2013, also removed much of the discretion health care entities have in determining the risk of harm to the patient, Church said.
Now, any unauthorized disclosure of protected health information, in paper or electronic form, is presumed to be a breach unless it meets limited exceptions, she added.
Health care entities covered by HIPAA are obligated to notify affected patients when breaches are discovered, Church said.