How Should You Respond to an Accidental HIPAA Violation?

How you should respond to an accidental HIPAA violation depends on the nature of the accidental violation and the potential consequences. Examples of accidental HIPAA violations that would require different responses because of their nature and/or potential consequences include:

• Sending a single email containing PHI to the wrong recipient.
• Sending 1,000 emails containing PHI to the wrong recipients.
• Unknowing use of shadow IT for storing PHI without a BAA.
• Unknowing use of shadow IT for storing PHI insecurely.
• Failing to obtain an authorization before disclosing SUD records.
• Disclosing more than the minimum necessary PHI for a permitted use.
• Allowing a colleague to use login credentials under supervision.
• Sharing login credentials with multiple colleagues with no supervision.

In this article we outline what exactly to do when there is an accidental HIPAA violation.

You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full HIPAA compliance. Use any form on this page to arrange for your copy of the checklist.

How Should Employees Report an Accidental HIPAA Violation?

Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, if an email containing PHI is sent to the wrong person, or if any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer.

The first thing a Privacy Officer should determine is whether the accidental HIPAA violation is indeed a HIPAA violation or a violation of the organization´s policies. For example, forgetting to document a patient´s agreement to be included in a hospital directory is not a violation of HIPAA but could be a violation of the hospital´s policies.

If the accidental violation is indeed a violation of HIPAA, the Privacy Office will need to determine whether or not the violation constitutes an impermissible use or disclosure which qualifies as a breach of unsecured PHI.

If so, the Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a HIPAA risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR) and the affected individual.

You should explain that a mistake was made and what has happened. You will need to explain which patient’s records were viewed or disclosed. The failure to report such a breach promptly can turn a simple error into a major incident, one that could result in disciplinary action and potentially, penalties for your employer.

How Should Covered Entities Respond to an Accidental HIPAA Violation?

Any accidental HIPAA violation that may qualify as a data breach must be treated seriously and warrants a risk assessment to determine the probability of PHI having been compromised, the level of risk to individuals whose PHI has potentially been compromised, and the risk of further disclosures of PHI.

The risk assessment should determine:

• The nature of the breach
• The person who viewed or acquired PHI
• The types of information involved
• The patients potentially impacted
• To whom information has been disclosed
• The potential for re-disclosure of information
• Whether PHI was actually acquired or viewed
• The extent to which risk has been mitigated

Following the risk assessment, risk must be managed and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be issued. Not all breaches of PHI are reportable. There are three exceptions when there has been an accidental HIPAA violation.

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. 

Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of a different patient is disclosed.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Example: A physician gives X-ray films or a medical chart to a person not authorized to view the information but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been read and information retained.

In each case, while breach notifications are not required, any member of staff who finds themselves in one of the above situations should still report the incident to their Privacy Officer.

In all other cases when there has been a breach of unsecured PHI, the incident must be reported to OCR, and individuals impacted by the breach should be notified within 60 days of the discovery of the breach.

Examples of Unintentional HIPAA Violations

Lost or stolen USB flash drives could be considered by some to be examples of unintentional HIPAA violations as nobody intended for the USB flash drives to be lost or stolen. However, the loss or theft could have been reasonably foreseen and potential breaches of unsecured PHI avoided by encrypting data on the devices. The following examples of unintentional HIPAA violations were less foreseeable.

In 2022, an investigation was conducted by The Markup into the use of third-party tracking technologies on hospital websites, namely a code snippet provided by Meta Platforms called Meta Pixel. The code snippet is used for tracking visitor activity on websites and provides insights into how the website users are accessing the sites. The data provided can be used to improve the website, services, and user experience. The analysis was conducted on the top 100 hospitals in the United States, and one-third were found to have used the code on their websites. The problem? The code was transmitting individually identifiable information to Meta, which could potentially be used to serve Facebook users with targeted advertisements related to their health conditions.

No business associate agreements were in place, no patient authorizations were obtained, and those disclosures were impermissible under HIPAA. The code acted as it should. The problem was where it was added and how it was configured. Several hospitals and health systems accidentally violated HIPAA as a result, including Novant Health, WakeMed Health and Hospitals, and Advocate Aurora Health. Millions of patients of these and other healthcare providers have been affected. The use of the code now is a clear HIPAA violation as OCR has issued guidance on the use of this code and has made it clear that adding it to a website without first obtaining consent from patients or entering into a business associate agreement with the code provider violates HIPAA.

In May 2017, Olivia O’Leary – a twenty-four-year-old medical technician – claimed to have been dismissed from her job at the Onslow Memorial Hospital in Jacksonville, NC, after commenting on a Facebook post. Her warning that the victim of an auto accident should have worn a seat belt was not seen by her employer as a reminder to always wear a seatbelt – as O’Leary alleged – but a HIPAA violation.

In April 2016, the Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for contracting an outside vendor to convert X-ray films to digital form and then allowing the vendor to harvest the silver from the films. The clinic’s error was not having a Business Associate Agreement in place; and, as well as the fine, the clinic had to implement a Corrective Action Plan overseen by OCR.

The Dallas, TX-based dental practice Elite Dental Associates responded to a post by a patient on the Yelp review website. The patient who posted on the site had identified herself as a patient of the practice, but when the practice responded, information was included in the post that revealed her health condition, treatment plan, insurance, and payment information. In October 2019 the practice was fined $10,000 for the HIPAA violation.

If an intern requires access to systems containing protected health information and a colleague allows their own credentials to be used, the intern can get the information they need to complete their work tasks. However, the sharing of login credentials is not permitted by HIPAA as it makes it impossible to track information system activity accurately. The sharing of login credentials contributed to a $202,400 financial penalty for the City of New Haven in Connecticut.

The HIPAA Right of Access provision of the HIPAA Privacy Rule gives patients the right to obtain a copy of their health information. There is an exception to this right concerning psychotherapy notes, which should not be provided. Riverside Psychiatric Medical Group received such a request from a patient and did not provide a copy of the requested records. Not providing psychotherapy notes doesn’t violate HIPAA but failing to respond to the request and notify the patient why the records are not being provided does. In such cases, records can be provided minus the psychotherapy notes. In November 2020, OCR fined the practice $25,000.

In a further example of an unintentional HIPAA violation listed on the OCR’s website, staff were required to undergo HIPAA training due to one member of staff discussing HIV testing procedures with a patient in a waiting room – thus disclosing the patient´s PHI to other patients in the waiting room. After the OCR investigation, computer monitors were also repositioned to prevent the accidental disclosure of PHI.

How Should Business Associates Respond to an Accidental HIPAA Violation?

The correct response to an accidental HIPAA violation should be detailed in your business associate agreement. The HIPAA Rules require all accidental HIPAA violations, security incidents, and breaches of unsecured PHI to be reported to the covered entity within 60 days of discovery – although the covered entity should be notified as soon as possible and notification should not be unnecessarily delayed. Business associates should provide their covered entity with as many details of the accidental HIPAA violation or breach as possible to allow the covered entity to make a determination on the best course of action to take.

Accidental HIPAA Violations: FAQs

Can I get fired for an accidental HIPAA violation?

You can get fired for an accidental HIPAA violation depending on the nature of the violation, its consequences, and the content of your employer´s sanctions policy. If this were to happen, it would most likely be the case you have a history of accidental HIPAA violations and have received prior warnings about what might happen when you next violate HIPAA.

What happens if you accidentally violate HIPAA and nobody notices?

If you accidentally violate HIPAA, and nobody notices, it is still in your best interest to report it. Not only will your report indicate your willingness to be a compliant employee, but the circumstances that led to the accidental violation may have been overlooked in a risk assessment. Your report could help your employer fill a gap in their compliance efforts which – if left unfilled – may lead to further accidental violations with more serious consequences.

What happens if someone accidentally, or unknowingly, violates the Privacy Rule?

It is best to answer the question what happens if someone accidently, or unknowingly violates the Privacy Rule in two parts because they are not the same type of event.

If someone accidentally violates the Privacy Rule – and is aware they have violated the Privacy Rule – it is better for them to admit the error to a supervisor or their Privacy Officer so any potential consequences can be preempted (i.e., a complaint to HHS´ Office for Civil Rights).

If someone unknowingly violates the Privacy Rule, how will they know they have violated the Privacy Rule unless a colleague or a supervisor tells them? If the person finds out later they have accidentally violated the Privacy Rule, the previous answer applies.

Why would a report of an accidental HIPAA violation need to be sent to OCR?

A report of an accidental HIPAA violation would need to be sent to the Department of Health and Human Services´ Office for Civil Rights (OCR) if it results in the unauthorized disclosure of unsecured PHI – for example, an email containing PHI being sent to the wrong patient. An accidental violation of HIPAA that does not result in the disclosure of unsecured PHI does not have to be reported to OCR.

What is an example of an accidental violation of HIPAA that does not need reporting?

An example of an accidental violation of HIPAA that does not need reporting is when a patient is not given the opportunity to object to their religious affiliation being disclosed to a member of the clergy. If a patient is accidently not given the opportunity to object, it is a violation of HIPAA. However, no breach of unsecured PHI has occurred, so it is not necessary to report the violation to OCR.

What is the difference between an accidental disclosure and an incidental disclosure?

The difference between an accidental disclosure and an incidental disclosure is that an accidental disclosure of PHI is an unintended disclosure – such as sending an email containing PHI to the wrong patient. An incidental disclosure is a by-product of a permissible disclosure – such as a hospital visitor overhearing a discussion about a patient’s healthcare. An incidental disclosure is not considered to be a violation of HIPAA by OCR if the disclosure could not reasonably be prevented, if it was limited in nature, and if it occurs as a result of a disclosure permitted by the Privacy Rule.

What is the “burden of proof” in the Breach Notification Rule?

The burden of proof in the Breach Notification Rule relates to which party has the responsibility to prove either a breach has occurred or has not occurred. Prior to the Breach Notification Rule, OCR had to prove a data breach resulted in a “significant risk of financial, reputational or other harm for the individual” before taking enforcement action.

Since the Breach Notification Rule, the burden of proof has shifted to Covered Entities and Business Associates – who can only refrain from reporting a breach if it can be proven there is a low probability PHI has been compromised in the breach.

Can OCR issue financial penalties to Business Associates for accidental HIPAA violations?

OCR can issue financial penalties to Business Associates for accident HIPAA disclosures. In May 2019, OCR issued a notice clarifying the circumstances in which a Business Associate is considered to be directly liable for a HIPAA violation; and, although it is hard to conceive how a HIPAA violation by a Business Associate might be accidental in these circumstances, the potential exists for Business Associates to be issued a financial penalty or required to comply with a corrective action plan.

Does every accidental violation of HIPAA require an assessment and investigation?

Whether or not an accidental violation of HIPAA requires an assessment and investigation depends on the nature of the accidental violation of HIPAA. In most cases, events that result in impermissible disclosures or breaches of unsecured PHI will require an assessment and investigation. However, there are a number of exceptions. For example:

If a Covered Entity accidently discloses PHI relating to individual A to another Covered Entity with whom a treatment relationship exists for individual B, it would not be necessary to conduct an assessment or investigation if the mistake was rectified quickly and there was a good faith belief that information relating to individual A was not read or retained.

What happens if you accidently violate HIPAA?

What happens if you accidently violate HIPAA depends on the nature of the violation and its potential consequences. If you accidentally violated HIPAA, realized it immediately, rectified the violation, and reported the violation, it is likely there will be minimal consequences.

However, if knew you had accidently violated HIPAA and tried to disguise it, and the violation resulted in a complaint or notifiable disclosure of unsecured PHI, the likelihood is your employer will not look upon your actions favorably and you will be punished according to the sanctions available in your employer´s sanctions policy.

What would be an appropriate sanction for an accidental disclosure of PHI?

The appropriate sanction for an accidental disclosure of PHI depends on the circumstances of the accidental disclosure, the consequences of the accidental disclosure, and the previous compliance history of the individual. Appropriate sanctions could range from a verbal warning and refresher training to termination of employment.

Is an accidental breach of confidentiality the same as an accidental HIPAA violation?

Whether or not an accidental breach of confidentiality is the same as an accidental HIPAA violation depends on the nature of the confidential information disclosed, who the disclosure was made by, and who to. If an accidental breach of confidentiality does not contain PHI, is not made by a member of a Covered Entity’s workforce, or is made to somebody authorized to receive it, the event is not a HIPAA violation.

If medical information is sent to the wrong person by mistake, does this count as a HIPAA accidental disclosure?

If medical information is sent to the wrong person by mistake, it only counts as a HIPAA accidental disclosure if the sender of the medical information is a member of a Covered Entity´s workforce. If the sender is not a member of a Covered Entity´s workforce, they are not subject to the HIPAA Rules. However, although this may not be a HIPAA accidental violation, it may count as an accidental violation of state privacy rules.

If a colleague has accidentally violated HIPAA, but has not reported it, what should I do?

If a colleague has accidentally violated HIPAA, but not reported it, your first course of action should be to speak with the colleague. It may be possible they were unaware they had accidentally violated HIPAA or they may have some other reasons for not reporting the violation. Giving them the opportunity to report the event first reduces the risk of your relationship being damaged.

If, after speaking with your colleague, they fail to report the HIPAA violation, you should speak with your supervisor or report the event to your organization’s Privacy Officer. Most organizations facilitate anonymous reporting of HIPAA violations; so, if you are concerned about the future relationship with your colleague, this may be an option for you.

How should I report a breach of patient confidentiality?

There are several ways to report a breach of patient confidentiality depending on who was responsible for the breach and whether you are the patient whose confidentiality has been breached (or a personal representative of the patient) or a member of a Covered Entities workforce.

If the breach was due to a member of a Covered Entity´s workforce disclosing Protected Health Information – and you are the patient, the patient’s personal representative – a report can be made to the Covered Entity´s Privacy Officer, your state Attorney General, or the Department of Health and Human Services´ Office for Civil Rights.

If you are a member of a Covered Entity’s workforce – and you were responsible for the breach – you should report it to your Privacy Officer. If you are a member of a Covered Entity´s workforce who witnessed the breach, you may want to speak with the individual responsible for the breach before reporting it to the Privacy Officer to give them an opportunity to report it themselves.

If the breach was made by an individual not covered by HIPAA, you can still complain to the individual’s employer and/or your state Attorney General if the breach occurred in a state that has adopted privacy regulations similar to HIPAA. Other federal laws and state regulations may apply depending on the nature of the confidential information disclosed without authorization.

Where can I find examples of accidental HIPAA violations?

One of the best places to find examples of accidental HIPAA violations is HHS´ Breach Portal. Practically every breach in the “Laptop” or “Other Portable Electronic Devices” categories relates to a stolen or lost device. Although all of these breaches were avoidable had the data on the devices been encrypted, each theft, loss, or other adverse event can be described as accidental.

If you receive a fax that is labeled confidential and was intended for another number, what should you do?

If you receive a fax that is labeled confidential and was intended for another number, what you should do is contact the sender of the fax and inform them of the mistake. The fax you have received in error should be destroyed without delay. If the sender of the fax is a member of a Covered Entity´s workforce and the fax contains PHI, you should also inform them that the fax has been destroyed so they can make an informed decision as to whether the error constitutes a reportable HIPAA violation.

In the event a patient tells you their privacy has been violated, who should you contact?

In the event a patient tells you their privacy has been violated, the person you should contact depends on how their privacy has been violated, who violated their privacy, and your relationship with the patient.

While any complaint about a privacy violation should be flagged to management, if the patient´s privacy has been violated by a member of a Covered Entity´s workforce and involves an impermissible disclosure of PHI, you should contact the organization´s HIPAA Privacy Officer.

What should you do if you violate HIPAA accidentally?

If you violate HIPAA accidentally, assuming you are a member of a Covered Entity’s workforce, you should report the violation to your HIPAA Privacy Officer. Your HIPAA Privacy Officer has the responsibility to decide what happens next in terms of mitigating the consequences of the violation and whether the accidental HIPAA violation justifies a sanction.

In circumstances where an accidental HIPAA violation has the potential to create further harm – for example, if you have disclosed login credentials to a phishing site – you should also inform your supervisor or manager immediately. This can ensure your login credentials are changed quickly to prevent a hacker gaining unauthorized access to a computer network.

Is there such a thing as an intentional but acceptable HIPAA violation?

Generally, there is no such thing as an intentional but acceptable HIPAA violation. However, there have been times in the past when HHS´ Office for Civil Rights has waived enforcement discretion during a natural disaster, emergency, or pandemic. In such circumstances, an intentional HIPAA violation is technically acceptable.

Is an accidental disclosure a HIPAA violation in every case?

An accidental disclosure is not a HIPAA violation in every case. Incidental disclosures that are accidental are permitted by the Privacy Rule if they occur as a by-product of another permissible disclosure “provided the Covered Entity has applied reasonable safeguards and implemented the minimum necessary standard where applicable with respect to the primary disclosure”.

How should a member of a Covered Entity´s workforce handle a HIPAA violation?

A member of a Covered Entity´s workforce should handle a HIPAA violation by reporting it to their HIPAA Privacy Manager unless there is an immediate risk of further disclosure due to (for example) login credentials being compromised. In the latter case, a member of a Covered Entity´s workforce should contact the most appropriate manager to mitigate the risk.

If the HIPAA violation is ongoing or institutionalized, and the Privacy Officer fails to resolve the violation, members of a Covered Entity’s workforce can make a complaint to HHS´ Office for Civil Rights. Although it is not possible to file a complaint anonymously, Covered Entities are prohibited from taking retaliatory action against staff that file complaints with HHS.

What happens if you accidentally break HIPAA rules?

If you accidentally break HIPAA rules, the consequences depend on how the rules were broken, what the outcome was, and your previous compliance history. For example, if this is the first time you have broken a HIPAA rule, the offence was minor, and little harm resulted, you will likely be given a written warning and/or be required to take refresher training.

If you accidentally broke HIPAA rules due to thoughtlessness, your actions resulted in a breach of unsecured PHI, and you had previously received a written warning about your conduct, it is more likely your employment will be terminated. Ultimately, what happens if you accidentally break HIPAA rules depends on the content of your employer´s sanctions policy.

What do you do if you suspect PHI has been used or disclosed for an unauthorized purpose?

If you suspect PHI has been used or disclosed for an unauthorized purpose, you should report your suspicions to your HIPAA Privacy Officer. If your Privacy Officer fails to investigate your suspicions, you should file a complaint with HHS´ Office for Civil Rights – providing the agency with as much information as possible about how you suspect PHI is being used or disclosed in violation of the Privacy Rule.

Should all instances of incidental disclosures be reported?

Instances of incidental disclosures do not have to be reported when they are a by-product of a permissible disclosure. However, incidental disclosures of any other type are reportable events – even when they are accidental violations of HIPAA. If you are unsure about what is permissible and what is not, you should seek clarification from your HIPAA Privacy Officer.

Is it a reportable HIPAA violation when lost medical records are found?

It is a reportable HIPAA violation when lost medical records are found unless it can be demonstrated by way of a risk assessment there is a low probability of the medical records being compromised (accessed, viewed, or amended) and, if so, of being further disclosed. If the HIPAA violation is not reported (to HHS´ Office for Civil Rights and the subjects of the medical records), the risk assessment has to be maintained for a minimum of six years.

Is the inadvertent destruction of customer PHI a HIPAA violation?

The inadvertent destruction of customer PHI can be a HIPAA violation depending on the circumstances in which it was destroyed. HIPAA does not stipulate retention times for PHI because this is determined by each state. However, if customer PHI has been destructed due a failure to comply with a HIPAA standard, this does constitute a HIPAA violation.