Examples of Unintentional HIPAA Violations

Examples of unintentional HIPAA violations only come to light when they result in notifiable data breaches attributable to events such as stolen laptops and misguided social media posts, or oversights such as the failure to provide basic HIPAA training or enter into a Business Associate Agreement with a third-party service provider. Most unintentional HIPAA violations have lesser impacts on the privacy and security of PHI and are dealt with “in-house”.

Most covered entities and business associates do their utmost to ensure complete compliance with HIPAA regulations and policies; however, employees are human, and mistakes can easily be made. Such mistakes can cause a slew of problems, and dealing with unintentional HIPAA violations can be complex and stressful. Here, we provide some guidelines on how best to deal with unintentional HIPAA violations in the workplace.

Many unintentional HIPAA violations are due to the accidental release of protected health information (PHI). HIPAA stipulates that PHI must only be disclosed to those involved in patient care, payment for healthcare, or as necessary for day-to-day business functions or healthcare operations. Virtually all other disclosures of PHI are only permitted when explicit permission from the patient has been obtained in advance. In cases in which the disclosure of PHI is allowed, it must be limited to the minimum necessary amount of information to satisfy the purpose of the disclosure.

If any of these conditions are breached, the HIPAA privacy officer of the covered entity (CE) must be informed. The privacy officer should establish an action plan to deal with the breach. If the violation is determined to be a reportable HIPAA breach, the privacy officer will need to submit a report to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the appropriate time frame, that is, within 60 days if the breach affects 500 or more individuals, or within 60 days of the end of the year in which the violation occurred if it affected fewer than 500 individuals.

The investigation into the breach will require a risk assessment to be performed. The nature of the breach will need to be established, along with its extent, who has been affected, and the potential for harm.

The aims of the risk assessment and investigation should be:

  • To understand the HIPAA violation, who had access to PHI or who disclosed it
  • To determine the nature of any information that was passed on or exposed
  • To determine whose privacy was violated
  • To assess the possibility of any further unauthorized disclosures of PHI
  • To determine whether any PHI was actually subjected to unauthorized access or if PHI has been stolen
  • To establish an action plan to reduce any risk of harm

Not all privacy breaches have to be reported to OCR. The HIPAA Breach Notification Rule stipulates that all PHI breaches must be reported, except in the following situations:

  1. An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
  3. If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Examples of Accidental HIPAA Violations

Many medical professionals now use portable electronic devices as part of their daily workflows. This may save their employers money, which is one of the reasons why so many healthcare organizations have introduced Bring Your Own Device (BYOD) policies. However, the use of personal devices can increase the risk of HIPAA violations. Personal devices are easily lost or stolen and if they contain PHI that is not adequately protected, it can result in an impermissible disclosure of PHI. The use of USB drives and backups can also result in accidental disclosures of PHI in the event of loss or theft. It is essential to have policies and procedures in place covering the use of all personal devices, and to implement security controls – such as encryption – to ensure that in the event of loss or theft, no PHI is exposed. The Hospice of Northern Idaho was fined $50,000 in 2012 for a lack of security controls which contributed to the exposure of ePHI when an unencrypted laptop was stolen.

The ease with which information can be shared on social media makes it easy for unauthorized disclosure to occur. Healthcare employees must be told how HIPAA applies to social media posts. Even when the intentions are honorable, HIPAA violations can occur and healthcare employees can face disciplinary action and even termination over social media privacy violations.

Early in 2017, Olivia O’Leary, a medical technician at the Onslow Memorial Hospital in Jacksonville, NC, lost her job after accidentally breaching HIPAA legislation whilst using Facebook. The twenty-four-year-old commented on a Facebook post that a victim of an auto accident should have worn a seat belt. However, rather than being seen as a warning to others about the importance of wearing a seat belt while driving, her employers regarded this as a breach of patient privacy and a HIPAA violation.

A year earlier, Raleigh Orthopedic Clinic in North Carolina was issued with a $750,000 fine to resolve a HIPAA violation. The clinic had contracted a third party to convert X-ray films to digital form, and allowed the contractor to recycle the silver from the films. However, there was no Business Associate Agreement in place between the two parties. Because the clinic had omitted to enter into a Business Associate Agreement, the handing over of the X-ray films constituted an impermissible disclosure of PHI.

HIPAA breaches may not always involve the unauthorized release of information. Recently, a patient filed a complaint with the OCR stating that their hospital denied them access to their medical records. After an investigation, OCR ordered the hospital to provide the patient with access to their records. However, although the hospital did as instructed, it also charged the patient a $100 “records review fee”. This was unlawful as the HIPAA Privacy Rule states that only a reasonable cost-based fee may be charged to cover postage etc. and reasonable costs. The hospital subsequently refunded the fee and avoided a financial penalty. Cignet Health of Prince George’s County was not so fortunate. In 2011, it was issued with a $4,300,000 penalty for denying patients access to their medical records.

Unintentional HIPAA Violations: FAQ

Can employees be fired for unintentional HIPAA violations?

Employees can be fired for unintentional HIPAA violations if, for example, they have a long history of unintentional violations that additional training has failed to address. In most cases, employees who accidentally violate HIPAA will not be fired because many employers understand that anybody can be susceptible to human error.

How common are unintentional HIPAA violations?

It is not known how common unintentional HIPAA violations are because, although the Department of Health and Human Services publishes statistics about the number of complaints and breach notifications the Office for Civil Rights receives each year, the statistics do not distinguish between intentional and unintentional HIPAA violations.

How can covered entities and business associates prevent unintentional HIPAA violations?

Covered entities and business associates can prevent unintentional violations by providing regular and up-to-date training and reinforcing the training with a fair sanctions policy. In addition, employers can implement policies such as clear desk and phone lock policies to prevent PHI being accessed without authorization when a workstation or mobile device is left unattended.

What are the consequences of unintentional HIPAA violations?

The consequences of unintentional HIPAA violations depend on the nature of the violation and its potential effect on the privacy and security of PHI. For example, the consequences of failing to obtain a patient’s acknowledgement that they have received a Notice of Privacy Practices are negligible because the acknowledgement can be obtained on the patient’s next visit.

However, an unintentional HIPAA violation that results in the exposure of tens of thousands of unsecured health records could have significant repercussions for the individual responsible for the violation, the organization for whom they work, and the tens of thousands of individuals whose health records may be used for fraud and theft.

What is the difference between an accidental breach and an incidental breach?

The difference between an accidental breach and an incidental breach is that an incidental HIPAA violation occurs if reasonable protections are in place to safeguard patient data, but a breach occurs anyway. This can happen, for example, if two employees are discussing patient care in a private room, and another employee enters the room and overhears part of the conversation. The employees may then take action to ensure the PHI is not further disclosed. This is distinct from an accidental breach of PHI, which often occurs unknowingly.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/