Compliance Week

We’re celebrating our shared commitment to protecting patient data and upholding ethical standards across our healthcare system. We’re excited to bring you a week of interactive activities, educational scenarios and informative trivia – all designed to raise awareness about HIPAA (the Health Insurance Portability and Accountability Act), patient confidentiality, and ethical practices. Questions or comments? Contact us! 

Participate, Learn and Win!

Get the chance to win prizes just by joining the conversation during Compliance Week! It’s our way of saying "Thanks" for being part of a culture that values doing things the right way.

Privacy Case Files

Scenario 1: The Wrong Chart

What Would You Do?

A medical receptionist is preparing paperwork for a patient named Maria Lopez, who is waiting in the lobby. The receptionist accidentally grabs the paperwork for Mariah Lewis, another patient with a similar name, and hands it to Maria.

Maria begins reviewing the documents and notices lab results and medication instructions that don’t match her history. She alerts the front desk.

  1. Failure to Verify Identity: The medical receptionist did not use a two-identifier verification process (e.g., full name and date of birth), leading to a mix-up between two patients with similar names.
  2. Unauthorized Disclosure of PHI: Maria Lopez received and viewed PHI belonging to Mariah Lewis.
  3. Risk to Patient Trust and Safety: The error could cause confusion, emotional distress, and erode trust in the organization’s ability to safeguard sensitive information.
  4. Legal and Regulatory Exposure: This incident may require breach notification and could have an impact on the organization.
  • Apologize Promptly: Offer sincere apologies to the patient, acknowledging the mistake and its seriousness.
  • Secure the PHI: Retrieve the incorrect paperwork immediately and ensure it is properly secured.
  • Report and Document: Notify the Office of Privacy. We are here to guide and support you – not to punish or intimidate. We focus on correcting the issue so we can do what’s best for our patients and continue to provide excellent care. Compliance is a team effort, and we are always happy to help!

    If you’re unsure who to contact or have a concern, your supervisor is a great first step. They can reach out to us, and we’ll work together to address any concerns. We’re here to help, not to punish—and always with the goal of doing what’s best for our patients.

Even well-intentioned actions can lead to privacy breaches if we’re not careful. Verifying a patient’s identity isn’t just a formality — it’s a critical safeguard to prevent patient information from being exposed and ensure safe, accurate care. When we skip this step, even by accident, we risk exposing sensitive information to the wrong person.

  • Always use two identifiers before handing out documents, discussing health information, or accessing charts. Common identifiers include:
    • Full name
    • Date of birth
    • Photo ID (if applicable)
  • Slow down and double-check – especially when patients have similar names. Rushing increases the risk of errors.
  • Speak up if you notice a mismatch or if something doesn’t feel right. It’s better to pause and verify than to assume.
  • Support each other – if you see a coworker skipping verification, kindly remind them – it’s a team effort.

Maria Lopez was handed Mariah Lewis’s paperwork because the receptionist didn’t verify her identity. This led to an unauthorized disclosure of PHI. A simple two-identifier check could have prevented the breach.

Reflection Prompts:

  • What steps can we take to prevent similar incidents?
  • How do we balance efficiency with accuracy in patient interactions?
  • What should you do if you witness a similar mistake?

Scenario 2: A Misaddressed Email

What Would You Do?

A Principal Investigator (PI) is preparing for a weekly research team meeting. To ensure everyone is ready, the PI emails a spreadsheet containing patient data — including names, dates of birth, and diagnosis codes — to the research assistants.

However, one of the research assistant’s email addresses was misspelled, and the spreadsheet was sent to someone outside the research team — a university staff member who is not involved in the study and does not have authorization to access PHI.

  1. Failure to Verify Email Recipients: The Principal Investigator (PI) sent sensitive patient data without confirming that all email addresses were correct and authorized.
  2. Unauthorized Disclosure of PHI: The spreadsheet containing identifiable health information was sent to a university staff member who is not part of the research team and is not permitted to view this information.
  3. Legal and Regulatory Exposure: This incident may require breach notification and could have an impact on the organization.
  • Report and Document: Notify the Office of Privacy. We are here to guide and support you – not to punish or intimidate. We focus on correcting the issue so we can do what’s best for our patients and continue to provide excellent care. Compliance is a team effort, and we are always happy to help!

    If you’re unsure who to contact or have a concern, your supervisor is a great first step. They can reach out to us, and we’ll work together to address any concerns. We’re here to help, not to punish—and always with the goal of doing what’s best for our patients.

  • Contain the Error: Contact the unintended recipient, request deletion of the email, and confirm that no data was accessed, saved, or forwarded.

Disclosing PHI – even unintentionally – to someone who isn’t authorized risks exposing patient information. Ensure that only authorized individuals receive PHI – and only when it’s necessary for their role.

Whether you're emailing, discussing, or sharing documents, always verify who you're communicating with before disclosing any patient information. A single mistyped email address can expose patient information – that’s why verifying recipients before sharing PHI is essential, every time.

Before sending an email, double-check every recipient. Don’t rely on autofill – it often suggests addresses based on recent contacts, so if you’re moving fast you might select the wrong “Dr. Smith” or “John B.”

  • Limit what you share – if full identifiers aren’t needed, use de-identified information or only include details that are relevant.
  • Group email confusion can lead to accidentally including someone who was removed from the project or never had access to PHI. Verify that all individuals in an email chain should be included.
  • “Reply-all” risks: replying to or forwarding a long thread without checking who is copied can pass PHI to people who should not see it. Before forwarding, review the whole thread, confirm that every recipient is permitted to view the PHI, and remove the PHI if anyone is not.
  • Similar-domain mix-ups can lead to information being shared with the wrong individual (e.g. ucdenver.edu instead of cuanschutz.edu). Double-check that you have the correct recipient at the correct domain.
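The recipient checks listed above can also be automated as a pre-send gate on messages that carry PHI. The following is an added example, not a tool the organization or this page provides; the study roster, the allowed domain and the look-alike domain are constructed from the scenario (cuanschutz.edu versus ucdenver.edu), and the near-miss detection is a simple edit-distance comparison against the roster.

```python
"""Pre-send recipient check for messages that carry PHI (added example)."""

# Constructed roster: the study team authorized to receive this dataset.
AUTHORIZED_RECIPIENTS = {
    "pi.lead@cuanschutz.edu",
    "ra.one@cuanschutz.edu",
    "ra.two@cuanschutz.edu",
}
# Assumed: the only domain this study may send PHI to at all.
ALLOWED_DOMAINS = {"cuanschutz.edu"}
# Domain named in the scenario as easily confused with the allowed one.
LOOKALIKE_DOMAINS = {"ucdenver.edu"}


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipients(recipients):
    """Return (ok, findings); ok is False if any recipient needs review."""
    findings = []
    for raw in recipients:
        addr = raw.strip().lower()
        _local, _, domain = addr.rpartition("@")
        if addr in AUTHORIZED_RECIPIENTS:
            continue  # on the roster: authorized for this dataset
        if domain in LOOKALIKE_DOMAINS:
            findings.append((addr, "look-alike domain; confirm the intended domain"))
        elif domain not in ALLOWED_DOMAINS:
            findings.append((addr, "outside allowed domains; not permitted to receive PHI"))
        else:
            # Allowed domain but not on the roster: likely a typo of a roster address.
            near = sorted(r for r in AUTHORIZED_RECIPIENTS if _edit_distance(addr, r) <= 2)
            hint = f"did you mean {near[0]}?" if near else "verify authorization before sending"
            findings.append((addr, f"not on roster; {hint}"))
    return (not findings), findings
```

Wiring this into a mail client is out of scope; the point is that a roster plus a domain allowlist catches both the misspelled address and the wrong-domain case from the scenario before "send" is clicked.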

Real-life reminder from this scenario: A mistyped email address led to PHI being sent to someone outside the research team. This could have been avoided with a simple verification step. Always confirm who you're sharing with before you hit “send.”

Reflection Prompts:

  • What steps can you take to verify email recipients before sending sensitive data?
  • How can we make recipient verification a routine part of our workflow?
  • What tools or habits help you verify recipients more reliably?

Did You Know...
