Most covered entities and business associates do their utmost to ensure complete compliance with HIPAA regulations and policy. However, employees are human, and accidents do happen. Such accidents can result in stressful consequences for those involved. Here, we provide some guidelines on how best to deal with HIPAA violations.
The majority of HIPAA violations come in the form of accidental release of Protected Health Information (PHI). The HIPAA Privacy Rule permits PHI to be used or disclosed without the patient's authorisation only for specified purposes, chiefly treatment, payment and healthcare operations; most other disclosures require the patient's written authorisation. Additionally, whenever PHI is used or disclosed, only the minimum necessary to accomplish the purpose may be handed over.
If any of these conditions are breached, the Privacy Officer for the covered entity (CE) or business associate (BA) must be informed. They will then establish an action plan to deal with the breach. Where the incident qualifies as a breach of unsecured PHI, a report must also be submitted to the Department of Health and Human Services' Office for Civil Rights (OCR), within the timeframes set by the Breach Notification Rule.
The investigation into the breach will often involve a risk assessment. Here, the nature of the breach will be established, alongside the level of risk posed to those involved.
Ideally, the outcomes of the risk assessment should be as follows:
These should help the Privacy Officer reduce risks to an acceptable level.
However, although the HIPAA Breach Notification Rule stipulates that breaches of unsecured PHI must be reported, there are some exceptions. They are as follows:
Many medical professionals now use portable electronic devices as part of their daily workflow. This may save their employers money if it is part of a Bring Your Own Device (BYOD) policy, but it also creates more situations in which PHI can be lost or stolen. USB drives are often misplaced, and because this is a foreseeable occurrence, a lost unencrypted drive is unlikely to be excused as an accident. The following are examples of unintentional HIPAA violations.
Early in 2017, Olivia O'Leary, a medical technician at the Onslow Memorial Hospital in Jacksonville, NC, lost her job after accidentally breaching HIPAA whilst using Facebook. The twenty-four-year-old commented on a Facebook post that a victim of an auto accident should have worn a seatbelt. However, rather than being seen as a warning, the comment was regarded by her employers as a breach of patient privacy.
A year earlier, the Raleigh Orthopedic Clinic, NC, paid a $750,000 settlement to OCR for HIPAA violations. The clinic had contracted a third party to convert X-ray films to digital form and then allowed the contractor to harvest the silver from the film. However, there was no Business Associate Agreement between the two parties. Thus, in addition to the settlement, the clinic also had to devise a Corrective Action Plan.
HIPAA breaches do not always involve the unauthorised release of information. They may instead involve a patient's inability to access information. Recently, a patient filed a complaint with the OCR stating that their hospital had denied them access to their medical records. After an investigation, the OCR ordered the hospital to provide the patient with access to their records. However, when the hospital did so, it also charged a $100 "records review fee". This was unlawful: the HIPAA Privacy Rule allows only a reasonable, cost-based fee, covering items such as the labour and supplies for copying the records and the postage for sending them. The hospital then refunded the fee.