Some privacy breaches are not data security breaches. And some privacy breaches may not be privacy breaches, although to make that determination, we will need to wade into the exemptions under HIPAA and the privacy policies and consent forms patient sign.
But even if the incident described below turns out not to be a privacy breach, we have a situation where patients were dismayed that sensitive information about them was provided to a third party and they had had no explicit notification of that in advance. Randy Billings reports:
The city of Portland is apologizing to more than 200 patients previously enrolled in its HIV-positive health program for not telling them it planned to share their private health information with University of Southern Maine researchers.
Two patients and two former health care officials say the city violated patient privacy by providing a list of the patients’ names, addresses and phone numbers to USM’s Muskie School of Public Service so it could conduct a survey on the city’s behalf. The survey was to examine the closing of the city’s HIV program at the India Street Public Health Clinic and transferring the grant that funds it to the Portland Community Health Center, and to determine whether there were any gaps in service.
Read more on The Press Herald.