How Should You Respond to an Accidental HIPAA Violation?
The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is an accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond?
How Should Employees Report an Accidental HIPAA Violation?
Accidents happen. If a healthcare employee accidentally views the records of a patient, a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI occurs, it is essential that the incident is reported to your Privacy Officer.
Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR).
You should explain that a mistake was made and what has happened. You will need to explain which patient’s records were viewed or disclosed. The failure to report such a breach promptly can turn a simple error into a major incident, one that could result in disciplinary action and potentially, penalties for your employer.
How Should Covered Entities Respond to an Accidental HIPAA Violation?
Any accidental HIPAA violation must be treated seriously and warrants a risk assessment to determine the probability of PHI having been compromised, the level of risk to individuals whose PHI has potentially been compromised, and the risk of further disclosures of PHI.
The risk assessment should determine:
- The nature of the breach
- The person who viewed or acquired PHI
- The types of information involved
- The patients potentially impacted
- To whom information has been disclosed
- The potential for re-disclosure of information
- Whether PHI was actually acquired or viewed
- The extent to which risk has been mitigated
Following the risk assessment, risk must be managed and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be issued. Not all impermissible uses or disclosures of PHI are reportable: the definition of "breach" in 45 CFR § 164.402 carves out three exceptions that often apply when there has been an accidental HIPAA violation.
1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.
2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of a different patient is disclosed.
3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Example: A physician gives X-rays films or a medical chart to a person not authorized to view the information, but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been read and information retained.
In each case, while breach notifications are not required, any member of staff that finds themselves in one of the above situations should still report the incident to their Privacy Officer.
In all other cases, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. For a reportable breach, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to OCR within the same 60-day window (and, where more than 500 residents of a state or jurisdiction are affected, to prominent media outlets); breaches affecting fewer than 500 individuals must be logged and reported to OCR no later than 60 days after the end of the calendar year in which they were discovered. HIPAA breach reporting requirements have been summarized here.
Examples of Unintentional HIPAA Violations
Lost or stolen USB flash drives could be considered by some to be examples of unintentional HIPAA violations, as nobody intended for the USB flash drives to be lost or stolen. However, the loss or theft could have been reasonably foreseen and potential breaches of ePHI avoided by encryption: ePHI encrypted in line with HHS guidance is not "unsecured" PHI, so its loss does not trigger breach notification. The following examples of unintentional HIPAA violations were less foreseeable.
In May 2017, Olivia O'Leary, a 24-year-old medical technician, claims to have been dismissed from her job at the Onslow Memorial Hospital in Jacksonville, NC, after commenting on a Facebook post. Her warning that the victim of an auto accident should have worn a seat belt was not seen by her employer as a reminder to always wear a seatbelt, O'Leary alleges, but rather as a HIPAA violation.
In April 2016, the Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for contracting an outside vendor to convert X-Ray films to digital form and then allowing the vendor to harvest the silver from the films. The clinic's error was not having a Business Associate Agreement in place; and, as well as the fine, the clinic had to implement a Corrective Action Plan overseen by OCR.
The Dallas, TX-based dental practice Elite Dental Associates responded to a post by a patient on the Yelp review website. The patient who posted on the site had identified herself as a patient of the practice, but when the practice responded, information was included in the post that revealed her health condition, treatment plan, insurance and cost information. In October 2019 the practice was fined $10,000 for the HIPAA violation.
If an intern requires access to systems containing protected health information and a colleague allows their own credentials to be used, the intern can get the information they need to complete their work tasks. However, the sharing of login credentials is not permitted by HIPAA as it makes it impossible to track information system activity accurately. The sharing of login credentials contributed to a $202,400 financial penalty for the City of New Haven in Connecticut.
The HIPAA Right of Access provision of the HIPAA Privacy Rule gives patients the right to obtain a copy of their health information. Psychotherapy notes are excluded from this right and need not be provided. Riverside Psychiatric Medical Group received such a request from a patient and did not provide a copy of the requested records. Withholding psychotherapy notes does not violate HIPAA, but failing to respond to the request and to tell the patient why the records are not being provided does. In such cases, records should be provided minus the psychotherapy notes. In November 2020, OCR fined the practice $25,000.
In a further example of an unintentional HIPAA violation listed on OCR's website, staff were required to undergo HIPAA training after one member of staff discussed HIV testing procedures with a patient in a waiting room, disclosing the patient's PHI to other patients in the waiting room. After the OCR investigation, computer monitors were also repositioned to prevent the accidental disclosure of PHI.
How Should Business Associates Respond to an Accidental HIPAA Violation?
The correct response to an accidental HIPAA violation should be detailed in your business associate agreement.
The Breach Notification Rule (45 CFR § 164.410) requires a business associate to notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any employee, officer, or agent of the business associate, so the clock starts early. The business associate agreement may set a shorter deadline, and in any case the covered entity should be notified as soon as possible and notification should not be unnecessarily delayed.
Business associates should provide their covered entity with as many details of the accidental HIPAA violation or breach as possible to allow the covered entity to make a determination on the best course of action to take.
Accidental HIPAA Violations: FAQs
Why would a report of an accidental HIPAA violation need to be sent to OCR?
A report of an accidental HIPAA violation only needs to be sent to the Department of Health and Human Services' Office for Civil Rights (OCR) if it results in the unauthorized disclosure of unsecured PHI – for example, an email containing PHI being sent to the wrong patient. An accidental violation of HIPAA that does not result in a data breach does not have to be reported to OCR.
What is an example of an accidental violation of HIPAA that does not need reporting?
Patients must be given the opportunity to object to their religious affiliation being disclosed to members of the clergy. If a patient is not given the opportunity to object, it is a violation of HIPAA. However, if the patient's religious affiliation is not disclosed to a member of the clergy, no data breach of unsecured PHI has occurred, and it is not necessary to report the violation to OCR.
What is the difference between an accidental disclosure and an incidental disclosure?
An accidental disclosure of PHI is an unintended disclosure – such as sending an email containing PHI to the wrong patient. An incidental disclosure is a by-product of a permissible disclosure – such as a hospital visitor overhearing a discussion about a patient's healthcare. An incidental disclosure is not considered to be a violation of HIPAA by OCR if the disclosure could not reasonably be prevented, if it was limited in nature, and if it occurs as a result of a disclosure permitted by the Privacy Rule.
What is the “burden of proof” in the Breach Notification Rule?
Under the 2009 interim final rule, an impermissible use or disclosure was only a reportable breach if the covered entity's own risk assessment found it posed a "significant risk of financial, reputational or other harm to the individual". The 2013 Final Omnibus Rule replaced that harm standard with a presumption: any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates, through a risk assessment covering at least the four factors in 45 CFR § 164.402, that there is a low probability the PHI has been compromised (or one of the three exceptions above applies). Under 45 CFR § 164.414(b), the Covered Entity or Business Associate also bears the burden of demonstrating that all required notifications were made or that the incident did not constitute a breach, so the risk assessment and its conclusion must be documented.
Can OCR issue financial penalties to Business Associates for accidental HIPAA violations?
In May 2019, OCR issued a fact sheet clarifying the circumstances in which a Business Associate is directly liable for a HIPAA violation; and, although it is hard to conceive how a HIPAA violation by a Business Associate might be accidental in those circumstances, the potential exists for Business Associates to be issued a financial penalty or required to comply with a corrective action plan.