What to do Following an Accidental HIPAA Violation

The vast majority of entities covered by the Health Insurance Portability and Accountability Act (HIPAA) provide regular training to employees on their responsibilities under HIPAA, and employees are diligent and take care not to violate the HIPAA Rules or put patient privacy at risk. Despite this, accidental HIPAA violations do occur which may result in the exposure or impermissible disclosure of the protected health information (PHI) of certain individuals.

Accidental HIPAA violations can have serious consequences for the individuals whose privacy has been violated and also for the covered entity. Once an individual’s PHI has been impermissibly shared, that disclosure cannot be undone; however, steps can be taken to reduce any negative consequences to the minimal possible level. If an accidental HIPAA violation is discovered, it may be possible to mitigate the incident quickly and prevent any harm from being caused. If prompt action is taken to correct a HIPAA violation and steps are taken to reduce the risk of further, similar violations, this will be looked upon favorably by regulators and the covered entity may be able to avoid financial penalties and other sanctions.

How Should Covered Entities React to an Accidental HIPAA Violation?

Any accidental HIPAA violation must be taken seriously. When there has been an accidental HIPAA violation, a risk assessment must be conducted to determine the probability that PHI was compromised, the level of risk individuals have been exposed to, and whether the incident has been contained or if there is any risk of further disclosures of PHI.

The risk assessment should ascertain:

  • The nature and extent of the breach, the types of identifiers exposed, and any likelihood of re-identification
  • The person who viewed or used the PHI, the individuals impacted, and any individuals to whom the PHI was disclosed
  • Whether the PHI was actually viewed or acquired
  • The extent to which the risk to the PHI has been mitigated

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) may require notifications to be sent to the individuals affected by the breach and to regulators, including the HHS’ Office for Civil Rights. Not all accidental HIPAA violations are reportable incidents. It is the responsibility of the covered entity to determine if the incident is covered by the Breach Notification Rule, so the incident must be evaluated and the correct determination made. To make that determination, each of the above factors should be scored based on the level of risk and given a high, medium, or low rating. All four elements must then be considered as a whole to determine the overall level of risk. If it is established that the incident is low risk, notifications are not required. It is important to document any risk assessment and the decisions made. Documentation about the breach, risk assessment, and determination must be retained for 6 years.

There are three exceptions in the definition of an accidental HIPAA breach where individual and OCR breach notifications are not required:

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. 

For example: A fax or email containing ePHI is shared with a member of staff in error. The ePHI was accessed and viewed, but the error was realized and the fax/email was securely destroyed or the email was deleted and no further disclosure of ePHI occurred.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

For example: Sharing the medical information of a patient with another individual who has permission to receive it, but a mistake is made and the information of a different patient is shared, provided the information is not used or further disclosed.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

For example: A physician gives X-ray films or a medical chart to a person who does not have official permission to view the information, but realizes that an error has been made and retrieves the information before it is likely that any PHI has been read and retained.

In each instance, while breach notifications are not needed, any member of staff that finds themselves in one of the above situations should make the incident known to their HIPAA Officer. It is the HIPAA Officer, not individual employees, that is required to assess the incident and determine the correct course of action.

In all other instances when there has been a breach of unsecured PHI, the incident must be made known to OCR within 60 days of the discovery of the breach and individuals impacted by the breach should be sent notifications without unreasonable delay, and also within 60 days of discovery of the breach. HIPAA breach reporting requirements have been summarized here.

The steps that must be taken following an accidental HIPAA violation differ for individuals and covered entities:

  1. Steps that staff members need to take following an accidental breach of the HIPAA Rules: It is vital that the unintentional breach, once it has been discovered, is made known to the HIPAA Officer as soon as possible. This person will decide what actions need to be taken to minimize risk and reduce the potential for harm. The incident will need to be reviewed, a risk assessment needs to be performed, and a report of the breach may need to be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) and potentially state Attorneys General. It is important to report any HIPAA violation promptly as it can ensure that a small mistake is prevented from becoming a major incident. The importance of reporting breaches, and what constitutes a HIPAA breach, should be covered in the employee HIPAA training program.
  2. Company-wide measures to take after an accidental breach of HIPAA: All HIPAA covered entities must keep a detailed record of all HIPAA breaches, including all of the above four factors of the HIPAA risk assessment and any actions taken in response to the breach. Breaches involving the PHI of fewer than 500 individuals must be reported to OCR within 60 days of the end of the calendar year in which the breach was discovered. Larger breaches must be reported within 60 days of the discovery of the breach. In all cases that warrant notifications, individuals affected must be notified within 60 days of the discovery of the breach.

What Should Business Associates do Following an Accidental HIPAA Violation?

The appropriate response to an accidental HIPAA violation should be listed in your business associate agreement. These requirements may differ from those stipulated by the HIPAA Breach Notification Rule.

Under HIPAA, all accidental HIPAA violations and data breaches must be communicated to the covered entity or covered entities without undue delay and no later than 60 days following the discovery of a breach. Business associates should give their covered entity as many details about the accidental HIPAA violation or breach as possible, along with the steps taken to mitigate the breach, so the covered entity can decide on the best course of action to take.