The HIPAA Rules must be followed by HIPAA covered entities, business associates and healthcare employees. What happens if the HIPAA Rules are accidentally violated? What should be the proper response of healthcare employees, covered entities and business associates?
Whether a healthcare employee accidentally viewed a patient’s records or accidentally sent a fax or email with PHI to the wrong recipient, such accidental exposure of PHI must be reported to the Privacy Officer. It is the Privacy Officer’s duty to determine what actions to take to reduce the risk and potential harm. The following actions may be the required:
- Investigation of the incident
- Conduct of risk analysis
- Report the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR)
When reporting a breach, the Privacy Officer must include an explanation of the mistake that happened and the patients’ records that were viewed or disclosed. If a breach incident is not reported promptly, a simple error could become a major incident that would necessitate disciplinary action and possibly penalties on the employer.
Covered entities must treat any accidental HIPAA violation seriously. A risk assessment must be conducted to determine the probability of PHI exposure, the level of risk to individuals whose PHI was exposed and the risk of further PHI disclosures. In conducting a risk assessment, the following information must be determined:
- The nature of the breach
- The individual who viewed or accessed the PHI
- The types of information compromised
- The patients potentially affected by the breach
- To whom the information has been disclosed
- The probability of re-disclosure of information
- If PHI was indeed accessed or viewed
- The extent to which risk has been mitigated
After the risk assessment, steps must be taken to manage the risk and reduce it to a reasonable level. The HIPAA Breach Notification Rule requires the issuance of notifications. But not all breaches must be reported. The following cases of accidental HIPAA violation are exempted from the breach notification rule:
1. When the unintentional acquisition, access or use of PHI is done in good faith by a healthcare employee acting under the authority of the covered entity or business associate. For example, a staff sent a fax or email by mistake. The recipient viewed or accessed the information. When the mistake is realized, the fax or email is securely destroyed or deleted to stop further disclosure.
2. When an authorized person inadvertently discloses the PHI to another authorized person who accessed the PHI at the covered entity or business associate. For example, the medical information of patient is sent to another person authorized to access it. But the medical information sent by mistake is that of another patient and the recipient viewed it.
3. When the covered entity or business associate in good faith believes that the authorized person to whom the PHI was impermissibly disclosed did not retain the information. For example, a physician gives a medical chart or X-ray films to an unauthorized person to view the information. When he realizes the mistake, he retrieves the information before the PHI was viewed and the information retained.
Breach notification is not required in the three cases mentioned above. But any member of the staff still needs to report the breach to the Privacy Officer. In other cases of a breach of unsecured PHI, the covered entity must report the incident to OCR within 60 days of the breach discovery. Individuals affected by the breach must also be notified. Read on to know more examples of unintentional HIPAA violations.
USB flash drives that are lost or stolen can be considered as unintentional HIPAA violations because the USB flash drives were not intentionally lost or stolen. Nevertheless, the loss or theft are foreseeable and the potential breaches of ePHI could been avoided by encryption. Following are examples of unintentional HIPAA violations that are less foreseeable.
Olivia O’ Leary, a medical technician, was dismissed from her work at the Onslow Memorial Hospital in Jacksonville, NC because she commented on a Facebook post. She simply warned the victim to wear a seatbelt but it was considered as a HIPAA violation.
The Raleigh Orthopedic Clinic in North Carolina paid a fine of $750,000 for contracting an outside vendor to convert X-ray films to digital format without a Business Associate Agreement. The clinic was required to implement a Corrective Action Plan as well.
A staff who underwent a HIPAA training unintentionally discussed HIV testing procedures and a patient’s PHI with other patients in the waiting room. After the investigation of the incident, computer monitors were put in place to prevent further accidental disclosure of PHI.
The appropriate response of business associates to an accidental HIPAA violation is detailed in the business associate agreement. In general, when an accidental HIPAA violation occurs, the business associate must report all the details of the incident to the covered entity within 60 days of discovering the breach. It is best that the covered entity knows about the breach as soon as possible avoiding unnecessary delays. Knowing the details will help know quickly the best course of actions.