What to do Following an Accidental HIPAA Violation

At the majority of entities governed by the Healthcare Insurance Privacy Accountability Act, employees do everything possible to ensure that they are complying with HIPAA Rules. Despite this, accidental disclosures of Personal Health Information (PHI), in breach of the rules, still happen a lot of the time.

This can create a lot of different issues for HIPAA covered entities, not least the debilitating financial penalties that may be imposed in the event of a breach taking place. For this reason it is important that every group subject to these rules is aware of what steps must be taken, as quickly as possible, following the identification of an accidental breach of PHI, in order both to minimize the chance of anyone being impacted and to limit the extent of any penalty that may later be applied by the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).

How Should Covered Bodies React to an Accidental HIPAA Violation?

Any accidental HIPAA violation must be dealt with seriously and warrants a risk assessment to ascertain the probability of PHI having been compromised, the level of risk to those whose PHI has potentially been compromised, and the risk of more disclosures of PHI.

The risk assessment should ascertain:

  • The manner of the breach
  • The person who saw or obtained PHI
  • The types of information impacted
  • The patients potentially affected
  • With whom the information has been shared
  • The potential for re-disclosure of data
  • Whether PHI was really acquired or seen
  • How risk has been addressed

Following the risk assessment, the risk must be managed and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be issued. Not all breaches of PHI are reportable, however: there are three exceptions that can apply when there has been an accidental HIPAA breach.

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.

For example: A fax or email is sent to a member of staff in error. The data is accessed and viewed, but the error is realized, the fax is securely destroyed or the email is deleted, and no further disclosure takes place.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

For example: Sharing the medical information of a patient with another individual who has permission to receive it, but a mistake is made and the information of a different patient is shared instead.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

For example: A physician gives X-ray films or a medical chart to a person who does not have official permission to view the information, but realizes that an error has been made and retrieves the information before it is likely that any PHI has been read and retained.

In each instance, while breach notifications are not needed, any member of staff who finds themselves in one of the above situations should still make the incident known to their Privacy Officer.

In all other instances when there has been a breach of unsecured PHI, the incident must be reported to the OCR within 60 days of the discovery of the breach, and the individuals impacted by the breach must be notified. HIPAA breach reporting requirements have been summarized here.

Steps should be taken at two separate levels, company and individual, once an unintentional breach of HIPAA has been identified. We will look at both here.

  1. Steps that staff need to take following an Accidental Breach of HIPAA: It is vital that the unintentional breach, once it has been discovered, is made known to the relevant privacy officer as soon as possible. This person will decide what actions need to be taken to minimize risk and reduce the potential for damage. The incident will need to be reviewed, a risk assessment may need to be performed, and a report of the breach may need to be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR). Details that need to be recorded include the specifics of what PHI was accessible. Taking this step quickly can avoid a small mistake becoming a major breach incident. A simple way of making sure that it happens is to keep staff aware of what constitutes a HIPAA breach using an ongoing HIPAA training programme.
  2. Company-wide measures to take after an Accidental Breach of HIPAA: All HIPAA entities must keep a detailed record of how the mistake that led to the HIPAA breach occurred. You should report that a mistake was made and what has taken place. You will need to explain which patient’s records were seen or shared. The failure to report such a breach swiftly can turn a simple error into a major incident, one that could lead to disciplinary action and, potentially, penalties for your employer.

Unintentional HIPAA Violations Examples

Lost or stolen USB flash drives could be thought of as examples of unintentional HIPAA violations as nobody intended for the USB flash drives to be lost or illegally taken. However, the loss or theft could have been reasonably foreseen and possible breaches of ePHI avoided by encryption. The following examples of unintentional HIPAA violations were less predictable.

In May 2017, Olivia O’Leary – a 24 year old medical technician – claims to have been sacked from her job at the Onslow Memorial Hospital in Jacksonville, NC, after commenting on a Facebook post. Her warning that the victim of an auto accident should have worn a seat belt was not seen by her employer as a reminder to always use a seatbelt – O’Leary alleges – but rather as a HIPAA violation.

What Should Business Associates do Following an Accidental HIPAA Violation?

The appropriate response to an accidental HIPAA violation should be listed in your business associate agreement.

HIPAA Rules require that all accidental HIPAA violations and data breaches be made known to the covered entity within 60 days of discovery, although the covered entity should be notified as soon as possible and notification should not be unnecessarily delayed.

Business associates should give their covered entity as many details of the accidental HIPAA violation or breach as possible so that the covered entity can decide the best course of action to take.