Most covered entities and business associates do their utmost to ensure complete compliance with HIPAA regulations and policies; however, employees are human, and mistakes can therefore easily be made. Such mistakes can causes a slew of problems and dealing with HIPAA violations can be complex and stressful. Here, we provide some guidelines on how best to deal with HIPAA violations in the workplace.
Many unintentional HIPAA violations are due to the accidental release of protected health information (PHI). HIPAA stipulates that PHI must only be disclosed to those involved in patient care, payment for healthcare, or as necessary for day to day business functions or healthcare operations. Virtually all other disclosures of PHI are only permitted when explicit permission from the patient has been obtained in advance. Additionally, when information is being transferred, it must be limited to the minimum necessary amount of information to satisfy the purpose of the disclosure.
If any of these conditions are breached, the HIPAA privacy officer of the covered entity (CE) must be informed. The privacy officer should establish an action plan to deal with the breach. If the violation is determined to be a reportable HIPAA breach, the privacy officer will need to submit a report to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the appropriate time frame. that is within 60 days if the breach affects 500 or more individuals or within 60 days of the end of the year in which the violation occurred, if it affected less than 500 individuals.
The investigation into the breach will require a risk assessment to be performed. The nature of the breach will need to be established, its extent, who has been affected, and the potential for harm.
The aims of the risk assessment and investigation should be:
Not all privacy breaches have to be reported to OCR. The HIPAA Breach Notification Rule stipulates that all PHI breaches must be reported, except in the following situations:
Many medical professionals now use portable electronic devices as part of their daily workflows. This may save their employers money, which is one of the reasons why so many healthcare organizations have introduced Bring Your Own Device (BYOD) policies. However, the use of personal devices can lead increase the risk of HIPAA violations. Personal devices are easily lost or stolen and if they contain PHI that is not adequately protected, it can result in an impermissible disclosure of PHI. The use of USB drives and backups can also result in accidental disclosures of PHI in the event of loss or theft. It is therefore essentials to have policies and procedures in place covering the use of all personal devices, and to implement security controls – such as encryption – to ensure that in the event of loss or theft, no PHI is exposed. The Hospice of Northern Idaho was fined $50,000 in 2012 for a lack of security controls which contributed to the exposure of ePHI when an unencrypted laptop was stolen.
The ease at which information can be shared on social media makes it easy for unauthorized disclosure to occur. Healthcare employees must therefore be told how HIPAA applies to social media posts. Even when the intentions are honorable, HIPAA violations can occur and healthcare employees can face disciplinary action and even termination over social media privacy violations.
Early in 2017, Olivia O’Leary, a medical technician at the Onslow Memorial Hospital in Jacksonville, NC, lost her job after accidentally breaching HIPAA legislation whilst using Facebook. The twenty-four year-old commented on a Facebook post that a victim of an auto-accident should have worn a seat belt. However, rather than being seen as a warning to others about the importance of wearing a seat belt while driving, her employers regarded this a breach of patient privacy and a HIPAA violation.
A year earlier, Raleigh Orthopedic Clinic in North Carolina was issued with a $750,000 fine to resolve a HIPAA violation. The clinic had contracted a third party to covert X-rays films to digital form, and allowed the contractor to recycle the silver from the films. However, there was no Business Associate Agreement in place between the two parties. Consequently, the provision of the x-ray films constituted an impermissible disclosure of PHI.
HIPAA breaches may not always involve the unauthorized release of information. Recently, a patient filed a complaint with the OCR stating that their hospital denied them access to their medical records. After an investigation, OCR ordered the hospital to provide the patient with access to their records. However, the hospital did as instructed, it also charged the patient a $100 “records review fee”. This was unlawful as the HIPAA Privacy Rule states that only a reasonable cost-based fee may be issued to cover postage etc and reasonable costs. The hospital subsequently refunded the fee and avoided a financial penalty. Cignet Health of Prince George’s County was not so fortunate. In 2011, it was issued with a $4,300,000 penalty for denying patients access to their medical records.