The proper response to an accidental HIPAA violation depends on the nature of the violation, whether or not unsecured PHI was exposed in a manner that would qualify as a notifiable data breach, and – if so – whether or not it is possible to mitigate the consequences of the data breach by immediate action.
Whether a healthcare employee accidentally viewed a patient’s records or sent a fax or email containing PHI to the wrong recipient, these accidental exposures of PHI must be reported to the HIPAA Officer. It is the HIPAA Officer’s duty to determine what actions must be taken to reduce the risk of harm to individuals whose privacy has been violated.
The following actions need to be taken in the event of an accidental HIPAA violation:
- Investigate the incident
- Conduct a HIPAA risk assessment
- Provide further HIPAA training, as appropriate, to the individual(s) responsible for the violation
Depending on the outcome of the risk assessment, the following may be required:
- Notify the individual(s) whose privacy was violated
- Report the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR)
When reporting a breach, the HIPAA Officer must include an explanation of the mistake that occurred, the steps taken in response to the breach, and the number of patient records that were viewed or disclosed. Breaches of 500 or more records must be reported to OCR within 60 days of the discovery of the breach, with smaller breaches reported no later than 60 days from the end of the calendar year in which the breach was discovered. Affected patients must be notified without unnecessary delay, and no later than 60 days from the discovery of the privacy violation.
Covered entities must treat any accidental HIPAA violation seriously. A risk assessment must be conducted to determine the probability of PHI exposure, the level of risk to individuals whose PHI was exposed, and the risk of further PHI disclosures. When conducting a risk assessment, the following information must be determined:
- The nature of the breach
- The individual who viewed or accessed the PHI
- The types of information compromised
- The patients potentially affected by the breach
- To whom the information has been disclosed
- The probability of re-disclosure of information
- If PHI was indeed accessed or viewed
- The extent to which risk has been mitigated
After the risk assessment, steps must be taken to manage risks and reduce them to a reasonable level. The HIPAA Breach Notification Rule requires the issuance of notifications, but not all breaches must be reported. The following cases of accidental HIPAA violations are exempted from the Breach Notification Rule:
- When a healthcare employee unintentionally acquired, accessed or used PHI in good faith while acting under the authority of the covered entity or business associate. For example, a physician accessed the medical records of a patient in error, and immediately exited the electronic health record or replaced the chart when it became clear that the wrong patient’s record had been accessed.
- When an authorized person inadvertently discloses PHI to another authorized person at the covered entity or business associate. For example, the medical information of a patient is sent to another person authorized to access it, but the PHI of a different patient instead.
- When the covered entity or business associate acted in good faith believes that the person to whom PHI was impermissibly disclosed did not retain the information. For example, a physician gives a medical chart or X-ray films to an unauthorized person. When he realizes the mistake, he retrieves the information before the PHI was viewed.
Breach notifications are not required in the three cases mentioned above, but any member of staff who violates HIPAA must report the breach to their HIPAA Officer to allow that individual to assess each violation and determine what actions need to be taken.
Other examples of accidental HIPAA violations include the following:
USB flash drives that are lost or stolen can be considered unintentional HIPAA violations because the USB flash drives were not intentionally lost or stolen. These HIPAA violations are reportable incidents. The loss and theft of portable electronic devices is foreseeable, and the potential breach of ePHI could have been avoided had measures such as encryption been implemented.
Social media posts are a potential minefield of accidental HIPAA violations, as medical technician Olivia O’ Leary discovered. She was dismissed from her job at Onslow Memorial Hospital in Jacksonville, NC due to her comments on a Facebook post. She had seen an article about a road traffic accident victim and commented on the post saying the victim should have worn a seatbelt. In a subsequent comment in response to her first, she said she had been working that day and had seen the DOA patient arrive in the ER. The comments were meant to highlight the danger of not wearing a seatbelt, but violated the HIPAA Privacy Rule.
Raleigh Orthopedic Clinic in North Carolina paid a fine of $750,000 that was imposed for contracting an outside vendor to convert X-ray films to a digital format without a Business Associate Agreement. Without a BAA, the vendor would not necessarily been aware of their responsibilities with respect to the PHI contained in the X-rays. This was a simple, but very costly mistake.
A member of staff at a hospital discussed HIV testing procedures with a patient within earshot of other patients in the waiting room. After the investigation of the incident, computer monitors were put in place, which better protected patient privacy and limited the potential for further accidental disclosures of PHI.
The appropriate response of business associates to an accidental HIPAA violation is detailed in the business associate agreement. When an accidental HIPAA violation occurs, the business associate must report all details of the incident to the covered entity within 60 days of discovering the breach. It is best that the covered entity is informed about the breach as soon as possible.
Accidental HIPAA Violations: FAQ
What is the difference between an accidental and incidental HIPAA violation?
Accidental HIPAA violations are often the result of carelessness, human error, or ignorance. They can include sending emails to the incorrect recipients, leaving files containing PHI on desks in the view of the public, or making posts on social media. Incidental violations, by contrast, occur despite the fact that reasonable efforts have been made to prevent them. For example, if two nurses go into a private room to discuss patient care, and another nurse enters the room and overhears part of the conversation, that would constitute an incidental violation. Incidental violations are usually more limited in scope.
Do patients need to be notified about accidental HIPAA violations?
This will depend on the nature of the breach. If more than 500 patients are affected, the CE or BA must notify the Department for Health and Human Services within 60 days of noticing the breach. A prominent media source in the relevant state must also be notified.
If fewer than 500 individuals were affected, each patient whose privacy was violated should be notified within 60 days of discovery of the breach.
What is a HIPAA Officer?
Though it is not required under HIPAA, many covered entities will choose to appoint a HIPAA Officer that oversees the implementation of HIPAA Rules within the organization. In large healthcare providers, there may be separate officers; one whose duty it is to enforce the HIPAA Privacy Rule, and one for the HIPAA Security Rule. If a breach has occurred, the HIPAA Officer (or, specifically, the HIPAA Privacy Officer), should be notified.
Can employees lose their jobs for accidental HIPAA breaches?
Whether an employee will lose their job for accidentally violating HIPAA will depend on a variety of factors. HIPAA does not stipulate what penalties should be in place for employees, though it is likely that a workplace will have its own policies. If a violation is minor and the result of genuine human error, the covered entity or business associate may insist on extra training for the erroneous employee. However, if the employee regularly makes mistakes, or the violation results in major HIPAA breaches, they may choose to terminate the employment contract.