What you should do if accused of a HIPAA violation depends on who you are, who is accusing you, and the nature of the violation you are being accused of. Consequently, there is no one-size-fits-all answer to what to do if accused of a HIPAA violation.
If a private individual, with no connection to a healthcare organization or healthcare provider, is overheard discussing a neighbor’s heart surgery, and they are accused of a HIPAA violation, what should they do? Nothing, because the private individual is not a covered entity or business associate and therefore not subject to the HIPAA Rules.
However, if a healthcare system is accused by a cybersecurity firm of a HIPAA violation exposing the PHI of thousands of patients, there are a lot of things to do – from establishing the cause and scale of the incident and performing the risk assessment that determines whether it is a reportable breach of unsecured PHI, to notifying affected individuals and HHS’ Office for Civil Rights, to implementing measures to prevent a repeat of the breach.
Between the two extreme examples, what to do if accused of a HIPAA violation can depend on (for example):
- whether you are a member of a covered entity’s workforce or a covered entity,
- whether the person accusing you has no knowledge of HIPAA or is an inspector from HHS’ Office for Civil Rights, and
- whether the HIPAA violation you are accused of is an impermissible use of PHI or the failure to obtain an acknowledgement of receipt for a Notice of Privacy Practices.
General Guidelines if Accused of a HIPAA Violation
The first thing to do if accused of a HIPAA violation is to determine whether the accusation is justified. To put this guideline into context, more than two-thirds of HIPAA-related complaints to HHS’ Office for Civil Rights are rejected due to the accused party not being subject to the HIPAA Rules or because the event being complained about does not violate HIPAA.
However, if a covered entity is accused of a HIPAA violation by HHS’ Office for Civil Rights, it should treat the accusation as credible. The agency reviews all complaints on intake, and only seeks further information from a covered entity when there is reason to believe PHI has been used or disclosed impermissibly or a patient has been denied their HIPAA rights. An information request from the agency is the start of an investigation rather than a finding, but it should be answered fully and within the stated deadline.
If an accusation is made by a party other than HHS, it is important to respond to the accuser in a timely fashion with an acknowledgement of the accusation or an explanation of why it is not justified. In some cases – for example, if a healthcare professional is accused of a HIPAA violation by their employer – it may be necessary to seek professional advice before responding to an accusation.
If a justified accusation relates to an impermissible use or disclosure of PHI, or a breach of unsecured PHI (paper or electronic), it is necessary to notify the affected individual(s) without unreasonable delay and no later than 60 calendar days after the breach is discovered, and to notify HHS’ Office for Civil Rights within the appropriate timescale – at the same time as the individual notices if 500 or more individuals are affected (in which case prominent media outlets in the affected state or jurisdiction must also be notified), or in the annual report to HHS for smaller breaches. HIPAA does not itself require credit monitoring or identity theft protection, but it may be necessary to arrange these services under state breach notification laws or as a matter of good practice, depending on what PHI has been exposed.
Responding to an Accusation of Violating HIPAA
There are three possible responses to an accusation of violating HIPAA: an acknowledgement that a violation occurred; an acknowledgement of the accusation with a commitment to investigate it further; or an explanation of why the event that led to the accusation does not represent a violation of HIPAA, or why the party being accused of a HIPAA violation is not subject to the HIPAA Rules.
In the first instance, an acknowledgement that a violation occurred should include an apology (if responding to an individual or employer) and a reassurance that steps have been taken to prevent the violation recurring. In the event of a business associate responding to an accusation made by a covered entity, it may be necessary to provide evidence of what steps have been taken, since the covered entity remains responsible for the PHI it has entrusted to the business associate.
When acknowledging an accusation and saying it will be further investigated, the investigation needs to be conducted without delay and the accuser kept up to date with the investigation’s progress and its eventual resolution. Putting the accusation aside and hoping it will go away could result in the accusation being escalated to HHS’ Office for Civil Rights or a State Attorney General.
The final possible response is the easiest to get wrong. If an individual has made an accusation of a HIPAA violation when one has not occurred, or when the accused party is not subject to the HIPAA Rules, this needs to be explained in terminology the accuser will understand, and without disclosing any further PHI in the course of the explanation. Any misunderstanding of the facts could lead to an organization’s reputation being unjustifiably damaged on social media.
Actions to Take to Prevent Further Accusations
The actions to take to prevent further accusations depend on the nature of the original accusation. Therefore it may be necessary for a covered entity to review its privacy policies and procedures, for a business associate to assess its technical safeguards and the way they are configured, or for members of the workforce to undergo refresher HIPAA training.
If a member of a covered entity’s workforce has violated HIPAA by not complying with the organization’s policies, the covered entity should apply sanctions according to its sanctions policy and document the sanctions applied, as the Privacy Rule requires. Even if the violation and the sanctions are relatively minor – for example, a verbal warning and training – it is important all members of the workforce are aware that sanctions have been applied.
As mentioned at the beginning of this article, there is no “one-size-fits-all” answer to what to do if accused of a HIPAA violation. Organizations that are unsure of what to do in specific circumstances, how to respond to an accusation, or how to prevent further accusations, should seek professional advice from a compliance expert.