The HIPAA Rules must be followed by HIPAA covered entities, business associates and all healthcare employees. What happens if the HIPAA Rules are accidentally violated? What should be the proper response of healthcare employees, covered entities and business associates?
Whether a healthcare employee accidentally viewed a patient’s records or sent a fax or email containing PHI to the wrong recipient, these accidental exposures of PHI must be reported to the HIPAA Officer. It is the HIPAA Officer’s duty to determine what actions must be taken to reduce the risk of harm to individuals whose privacy has been violated.
The following actions need to be taken in the event of an accidental HIPAA violation:
- Investigate the incident
- Conduct a risk assessment
- Provide further training, as appropriate, to the individual(s) responsible for the violation
Depending on the outcome of the risk assessment, the following may be required:
- Notify the individual(s) whose privacy was violated
- Report the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR)
When reporting a breach, the HIPAA Officer must include an explanation of the mistake that occurred, the steps taken in response to the breach, and the number of patient records that were viewed or disclosed. Breaches of 500 or more records must be reported to OCR within 60 days of the discovery of the breach, with smaller breaches reported no later than 60 days from the end of the calendar year in which the breach was discovered. Affected patients must be notified without unnecessary delay, and no later than 60 days from the discovery of the privacy violation.
Covered entities must treat any accidental HIPAA violation seriously. A risk assessment must be conducted to determine the probability of PHI exposure, the level of risk to individuals whose PHI was exposed, and the risk of further PHI disclosures. When conducting a risk assessment, the following information must be determined:
- The nature of the breach
- The individual who viewed or accessed the PHI
- The types of information compromised
- The patients potentially affected by the breach
- To whom the information has been disclosed
- The probability of re-disclosure of information
- Whether PHI was actually accessed or viewed
- The extent to which risk has been mitigated
After the risk assessment, steps must be taken to manage risks and reduce them to a reasonable level. The HIPAA Breach Notification Rule requires the issuance of notifications, but not all breaches must be reported. The following cases of accidental HIPAA violations are exempted from the Breach Notification Rule:
- When a healthcare employee unintentionally acquired, accessed or used PHI in good faith while acting under the authority of the covered entity or business associate. For example, a physician accessed the medical records of a patient in error, and immediately exited the electronic health record or replaced the chart when it became clear that the wrong patient’s record had been accessed.
- When an authorized person inadvertently discloses PHI to another authorized person at the covered entity or business associate. For example, a patient's medical information is sent to another person authorized to access it, but the record sent belongs to a different patient than intended.
- When the covered entity or business associate believes in good faith that the person to whom PHI was impermissibly disclosed did not retain the information. For example, a physician hands a medical chart or X-ray films to an unauthorized person, realizes the mistake, and retrieves the material before the PHI has been viewed.
Breach notifications are not required in the three cases mentioned above, but any member of staff who violates HIPAA must report the breach to their HIPAA Officer to allow that individual to assess each violation and determine what actions need to be taken.
Other examples of accidental HIPAA violations include the following:
USB flash drives that are lost or stolen can be considered unintentional HIPAA violations, since the drives were not deliberately lost or stolen, but they are still reportable incidents. The loss and theft of portable electronic devices are foreseeable, and the potential breach of ePHI could have been avoided had measures such as encryption been implemented.
Social media posts are a potential minefield of accidental HIPAA violations, as medical technician Olivia O’Leary discovered. She was dismissed from her job at Onslow Memorial Hospital in Jacksonville, NC due to her comments on a Facebook post. She had seen an article about a road traffic accident victim and commented on the post saying the victim should have worn a seatbelt. In a subsequent comment in response to her first, she said she had been working that day and had seen the DOA patient arrive in the ER. The comments were meant to highlight the danger of not wearing a seatbelt, but they violated the HIPAA Privacy Rule.
Raleigh Orthopedic Clinic in North Carolina paid a fine of $750,000 that was imposed for contracting an outside vendor to convert X-ray films to a digital format without a Business Associate Agreement. Without a BAA, the vendor would not necessarily have been aware of its responsibilities with respect to the PHI contained in the X-rays. This was a simple, but very costly, mistake.
A member of staff at a hospital discussed HIV testing procedures with a patient within earshot of other patients in the waiting room. After the investigation of the incident, computer monitors were put in place, which better protected patient privacy and limited the potential for further accidental disclosures of PHI.
The appropriate response of business associates to an accidental HIPAA violation is detailed in the business associate agreement. When an accidental HIPAA violation occurs, the business associate must report all details of the incident to the covered entity within 60 days of discovering the breach. It is best that the covered entity is informed about the breach as soon as possible.