What happens after an accidental HIPAA violation?

In is in the interest of HIPAA covered entities, business associates, and healthcare employees to take great care to ensure HIPAA Rules are not violated, lest they wish to incur huge fines and possible criminal prosecution. But in the event of an accidental HIPAA violation, what is the best manner for covered entities and their business associates to respond?

Reporting Accidental HIPAA Violations

There are many ways in which HIPAA legislation may accidentally be breached. If a healthcare employee mistakenly views the records of a patient, or an is sent to an incorrect recipient, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to the organisation’s Privacy Officer.

The Privacy Officer will be trained to recognise the necessary actions that need to be taken to mitigate the potential for harm to the patient. An investigation must be launched into the incident, and a risk assessment may need to be performed. Furthermore, a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR).

This report should explain that a mistake was made and outline the events leading to the error. The OCR will require information about which patient’s records were viewed or disclosed. The failure to report such a breach promptly can turn a simple error into a major incident. Depending on the scale, this could result in disciplinary action and potentially, penalties imposed on the company.

Responding to an Accidental HIPAA Violation

Any accidental HIPAA violation must be treated seriously and warrants a risk assessment to determine the probability of PHI having been compromised, the level of risk to individuals whose PHI has potentially been compromised, and the risk of further disclosures of PHI.

The first task is to complete a risk assessment as soon as the breach has been made known.

The risk assessment should determine:

  • The nature of the breach
  • The person who viewed or acquired PHI
  • The types of information involved
  • The patients potentially impacted
  • To whom information has been disclosed
  • The potential for re-disclosure of information
  • Whether PHI was acquired or viewed
  • The extent to which risk has been mitigated

Following the risk assessment, risk must be managed and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be issued to all those whose data was breached. Not all breaches of PHI are reportable. There are three exceptions when there has been an accidental HIPAA violation.

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. 

Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of a different patient is disclosed.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Example: A physician gives X-rays films or a medical chart to a person not authorized to view the information, but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been read and information retained.

In each case, while breach notifications are not required, any member of staff that finds themselves in one of the above situations should still report the incident to their Privacy Officer, who will direct the handling of the incident accordingly.

In all other cases when there has been a breach of unsecured PHI, the incident must be reported to OCR within 60 days of the discovery of the breach and individuals impacted by the breach should be notified.

Business Associates and Accidental HIPAA Violations

The business associate agreement should have a complete guideline on the best way to handle accidental HIPAA violations.

HIPAA Rules require all accidental HIPAA violations and data breaches to be reported to the covered entity within 60 days of discovery. However, the covered entity should be notified as soon as possible and notification should not be unnecessarily delayed. An unnecessary delay in notifying the CE could constitute a violation under HIPAA legislation.

Business associates should provide their covered entity with as many details of the accidental HIPAA violation or breach as possible. This allows the covered entity to make an informed decision on how to best handle the breach, and avoid further violations of HIPAA.