Examples of Unintentional HIPAA Violations

Most covered entities and business associates do their utmost to ensure complete compliance with HIPAA regulations and policies; however, employees are human, and mistakes can therefore easily be made. Such mistakes can cause a slew of problems, and dealing with HIPAA violations can be complex and stressful. Here, we provide some guidelines on how best to deal with HIPAA violations in the workplace.

Many unintentional HIPAA violations are due to the accidental release of protected health information (PHI). HIPAA stipulates that PHI may only be disclosed to those involved in patient treatment, payment for healthcare, or as necessary for day-to-day business functions (healthcare operations). Virtually all other disclosures of PHI are only permitted when explicit, written authorization from the patient has been obtained in advance. Additionally, when information is disclosed for payment or healthcare operations, it must be limited to the minimum necessary amount of information to satisfy the purpose of the disclosure; the minimum necessary standard does not apply to disclosures made for treatment.

If any of these conditions are breached, the HIPAA privacy officer of the covered entity (CE) must be informed. The privacy officer should establish an action plan to deal with the breach. If the violation is determined to be a reportable HIPAA breach, the privacy officer will need to submit a report to the Department of Health and Human Services’ Office for Civil Rights (OCR) within the appropriate time frame: without unreasonable delay and no later than 60 days from discovery if the breach affects 500 or more individuals, or within 60 days of the end of the calendar year in which the breach was discovered if it affected fewer than 500 individuals. Affected individuals must be notified in either case, no later than 60 days from discovery.

The investigation into the breach will require a risk assessment to be performed. The nature of the breach, its extent, who has been affected, and the potential for harm will all need to be established. Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the risk assessment demonstrates a low probability that the PHI has been compromised, based on four factors: the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.

The aims of the risk assessment and investigation should be:

  • To understand the HIPAA violation, who had access to PHI or who disclosed it
  • To determine the nature of any information that was passed on or exposed
  • To determine whose privacy was violated
  • To assess the possibility of any further unauthorized disclosures of PHI
  • To determine whether any PHI was actually subjected to unauthorized access or if PHI has been stolen
  • To establish an action plan to reduce any risk of harm

Not all privacy breaches have to be reported to OCR. The HIPAA Breach Notification Rule stipulates that all PHI breaches must be reported, except in the following situations:

  1. An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority, and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
  2. An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, provided the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
  3. If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Examples of Accidental HIPAA Violations

Many medical professionals now use portable electronic devices as part of their daily workflows. This may save their employers money, which is one of the reasons why so many healthcare organizations have introduced Bring Your Own Device (BYOD) policies. However, the use of personal devices can increase the risk of HIPAA violations. Personal devices are easily lost or stolen, and if they contain PHI that is not adequately protected, the result can be an impermissible disclosure of PHI. The use of USB drives and backups can also result in accidental disclosures of PHI in the event of loss or theft. It is therefore essential to have policies and procedures in place covering the use of all personal devices, and to implement security controls – such as encryption – to ensure that in the event of loss or theft, no PHI is exposed. Encryption matters for the breach analysis as well: ePHI that has been encrypted in line with HHS guidance is considered “unsecured” PHI no longer, so the loss of a properly encrypted device, with the key not compromised, does not trigger breach notification. The Hospice of Northern Idaho was fined $50,000 in 2012 for a lack of security controls which contributed to the exposure of ePHI when an unencrypted laptop was stolen.

The ease with which information can be shared on social media makes it easy for unauthorized disclosures to occur. Healthcare employees must therefore be told how HIPAA applies to social media posts. Even when the intentions are honorable, HIPAA violations can occur, and healthcare employees can face disciplinary action and even termination over social media privacy violations.

Early in 2017, Olivia O’Leary, a medical technician at the Onslow Memorial Hospital in Jacksonville, NC, lost her job after accidentally breaching HIPAA legislation while using Facebook. The twenty-four year-old commented on a Facebook post that a victim of an auto accident should have worn a seat belt. However, rather than being seen as a warning to others about the importance of wearing a seat belt while driving, her employers regarded this as a breach of patient privacy and a HIPAA violation.

A year earlier, Raleigh Orthopedic Clinic in North Carolina was issued with a $750,000 fine to resolve a HIPAA violation. The clinic had contracted a third party to convert X-ray films to digital form, and allowed the contractor to recycle the silver from the films. However, there was no Business Associate Agreement in place between the two parties. Consequently, handing the X-ray films to the contractor constituted an impermissible disclosure of PHI.

HIPAA breaches do not always involve the unauthorized release of information. Recently, a patient filed a complaint with OCR stating that their hospital had denied them access to their medical records. After an investigation, OCR ordered the hospital to provide the patient with access to their records. Although the hospital did as instructed, it also charged the patient a $100 “records review fee”. This was unlawful, as the HIPAA Privacy Rule permits only a reasonable, cost-based fee covering the labor and supplies for copying the records and the postage for mailing them; a fee for reviewing or retrieving records is not allowed. The hospital subsequently refunded the fee and avoided a financial penalty. Cignet Health of Prince George’s County was not so fortunate. In 2011, it was issued with a $4,300,000 civil money penalty for denying patients access to their medical records.