Examples of Unintentional HIPAA Violations

Most covered entities and business associates do their utmost to ensure complete compliance with HIPAA regulations and policy. However, employees are human, and accidents do happen. Such accidents can result in stressful consequences for those involved. Here, we provide some guidelines on how best to deal with HIPAA violations.

The majority of HIPAA violations come in the form of accidental release of Protected Health Information (PHI). HIPAA stipulates that PHI must only be disclosed to those involved in patient care; any other disclosure must have explicit permission from the patient. Additionally, when information is transferred, only the minimum amount of information necessary may be handed over.

If any of these conditions are breached, the Privacy Officer for the covered entity (CE) or business associate (BA) must be informed. They will then establish an action plan to deal with the breach. A report will then be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR).

The investigation into the breach will often involve a risk assessment. Here, the nature of the breach will be established, alongside the level of risk posed to those involved.

Ideally, the outcomes of the risk assessment should be as follows:

  • Establish who had unauthorized access to the PHI
  • Establish the nature of the information passed on
  • Identify whose privacy was breached
  • Assess the possibility that the information will be passed on further
  • Determine if the breached data was read
  • Determine how the risks can be reduced

These should help the Privacy Officer reduce risks to an acceptable level.

However, though the HIPAA Breach Notification Rule stipulates that PHI breaches must be reported, there are some exceptions. They are as follows:

  1. An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
  3. If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Examples of Accidental HIPAA Violation

Many medical professionals now use portable electronic devices as part of their daily workflow. This may save their employers money if it is part of a Bring Your Own Device (BYOD) policy, but it also leads to more instances where PHI can be lost or stolen. USB drives are often misplaced, and this is a foreseeable occurrence. The following are examples of unintentional HIPAA violations.

Early in 2017, Olivia O’Leary, a medical technician at the Onslow Memorial Hospital in Jacksonville, NC, lost her job after accidentally breaching HIPAA legislation whilst using Facebook. The twenty-four-year-old commented on a Facebook post that a victim of an auto accident should have worn a seatbelt. However, rather than being seen as a warning, her employers regarded this as a breach of privacy.

A year earlier, the Raleigh Orthopedic Clinic, NC, was issued a $750,000 fine for HIPAA violations. The clinic contracted a third party to convert X-rays to digital form and allowed the contractor to keep the silver recovered from the film. However, there was no Business Associate Agreement between the two parties. Thus, in addition to the fine, the clinic also had to devise a Corrective Action Plan.

HIPAA breaches do not always involve the unauthorized release of information. Indeed, they may involve a patient’s inability to access information. Recently, a patient filed a complaint with the OCR stating that their hospital had denied them access to their medical records. After an investigation, the OCR ordered the hospital to provide the patient with access to their records. However, when the hospital did so, it also charged a $100 “records review fee”. This was unlawful: the HIPAA Privacy Rule only permits a reasonable, cost-based fee to cover expenses such as copying and postage. The hospital then refunded the fee.