What Steps Should You Take in Relation to an Accidental HIPAA Violation?

Most HIPAA covered bodies, business associates, and healthcare workers take great care to ensure HIPAA Rules are adhered to, but what happens when there is an accidental HIPAA violation? How should healthcare workers, covered bodies, and business associates react?

How Should Employees React to an Accidental HIPAA Violation?

Accidents occur. If a healthcare worker accidentally views the records of a patient, a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has taken place, it is important to remember that the incident must be reported to your Privacy Officer.

Your Privacy Officer should determine what measures need to be taken to minimize danger and reduce the potential for harm. The incident will need to be reviewed, a risk assessment may need to be carried out, and a report of the breach may need to be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR).

You should explain that a mistake was made and what has taken place. You will need to outline which patient’s records were accessed or disclosed. The failure to report such a violation swiftly can turn a simple error into a major incident, one that could lead to disciplinary action and, possibly, penalties for your employer.

How Should Covered Bodies React to an Accidental HIPAA Breach?

Any accidental HIPAA violation must be treated as serious and must lead to a risk assessment to determine the probability of PHI having been compromised, the level of risk to people whose PHI has possibly been impacted, and the danger of further disclosures of PHI.

The risk assessment should seek to assess:

  • The manner of the breach
  • The person who accessed or downloaded PHI
  • The types of information involved
  • The patients potentially affected
  • To whom information has been disclosed
  • The possibility of re-disclosure of information
  • Whether PHI was actually acquired or viewed
  • The extent to which risk has been addressed

After the risk assessment, risk must be dealt with and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also carries an obligation for notifications to be issued. Not all breaches of PHI carry this requirement. There are three exceptions that apply when there has been an accidental HIPAA breach.

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. 

Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

Example: Supplying the medical information of a patient to another person authorized to receive it, but an error is made and the information of a different patient is shared.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Example: A physician gives X-ray films or a medical chart to a person not authorized to view the data, but realizes that an error has been made and retrieves the data before it is likely that any PHI has been read and information retained.

In each instance, while breach notifications are not required, any member of the workforce who finds themselves in one of the above situations should still make the incident known to their Privacy Officer.

In all other instances when there has been a breach of unsecured PHI, the incident must be reported to OCR within 60 days of the discovery of the breach and individuals affected by the breach should be notified.

How Should Business Associates React to an Accidental HIPAA Violation?

The proper response to an accidental HIPAA violation should be listed in your business associate agreement.

HIPAA Rules state that all accidental HIPAA violations and data breaches must be made known to the covered body within 60 days of discovery, although the covered body should be alerted as soon as possible and notification should not be unnecessarily delayed.

Business associates should supply their covered entity with as many details of the accidental HIPAA violation or breach as possible to make it easier for the covered entity to make a decision on the best course of action to employ.