Share this article on:
What you should do if accused of a HIPAA violation can depend on what your role is, who is making the accusation, and what their role is. Whatever the circumstances, it is important that you do not ignore the accusation; and, if in any doubt about its validity, seek advice.
Individuals and organizations can be accused of a HIPAA violation in multiple circumstances. For example, a trainee nurse could be advised by a senior colleague that something they have unwittingly done is a violation of HIPAA, an IT Department could be alerted to software violating HIPAA by a HIPAA Security Officer, or a Covered Entity could be accused of a HIPAA violation by a patient who has been unable to obtain a copy of their PHI in a timely manner.
Further accusations of HIPAA violations can originate from reliable sources such as HHS´ Office for Civil Rights, or from unreliable sources such as a blog post written by an author who does not understand what HIPAA is or who it applies to. Indeed, misinformation about HIPAA can sometimes result in false accusations of HIPAA violations. Nonetheless, in every circumstance, it is important the accusation is responded to, resolved, and documented as quickly as possible.
How to Respond to an Accusation of a HIPAA Violation
In the same way as individuals and organizations can be accused of a HIPAA violation in multiple circumstances, there are multiple ways to respond depending on the alleged nature of the violation. For example, returning to the student nurse, if the student nurse has disclosed more than the minimum necessary PHI, but no harm has been done, all that needs to happen is that the student nurse learns from the accusation and does not repeat the violation.
If, however, the student nurse has posted the image of a patient on social media, this is likely to be a sanctionable violation and escalated to a higher authority. The student nurse needs to remove the image, advise the higher authority that it has been removed, and ensure the conversation with the higher authority is documented in order to mitigate whatever sanctions will be imposed – the sanctions being appropriate to whatever privacy training the student nurse has received.
There are other scenarios as well. A student nurse could be incorrectly accused of a HIPAA violation by a colleague who has since forgotten parts of their training or succumbed to a culture of poor compliance practices. In this circumstance, a student nurse may be uncomfortable correcting a senior colleague and should themselves escalate the incorrect accusation to a higher authority – if only to protect themselves from incorrect accusations in the future.
How to Resolve Accusations of a HIPAA Violation
Similarly, the resolution of an accusation will depend on the nature of the accusation, who it is made against, and the consequences of the violation. If, for example, software implemented by the IT Department is violating HIPAA, it needs to be uninstalled and the issue reported to the software vendor. If the violation has resulted in a breach of unsecured ePHI, the violation also needs to be reported to HHS´ Office for Civil Rights either within sixty days or at the end of the year.
When a Covered Entity is be accused of a HIPAA violation by a patient who has been unable to obtain a copy of their PHI in a timely manner, it is important to investigate the reason for the delay or to establish why the patient was not entitled to receive a copy of their PHI. The outcome of the investigation may prompt a change in policies, procedures, or personnel, but it is important the resolution is communicated to the patient to prevent an escalation of the accusation to HHS.
When false accusations of HIPAA violations originate from an unreliable source, the source needs to be informed of their error as quickly as possible. Not only should the accusation be retracted, but the Covered Entity or Business Associate against whom the accusation is made might need to run a media campaign to reverse any reputational damage caused by the accusation. Civil action is also an option, but this may create more bad publicity than good.
How to Prevent being Accused of a HIPAA Violation
There are also several ways to prevent being accused of a HIPAA violation. Members of a Covered Entity´s or Business Associate´s workforce should ensure they are fully knowledgeable about the HIPAA regulations and how they apply in their roles. This may mean taking responsibility for your own education and not relying on the policy and procedure training or security and awareness training provided by an employer.
Departments within a Covered Entity or Business Associate should liaise with the HIPAA Privacy and/or Security Officer to conduct a risk analysis of any new procedure or technology before it is implemented. In this way, departments that are less familiar with HIPAA than the Privacy/Security Officer can avoid being accused of a HIPAA violation due to a lack of knowledge. Collaboration with a Privacy/Security Office could even improve the new procedure or technology.
Finally, Covered Entities and Business Associates need to ensure all members of their workforces are fully trained on HIPAA policies and procedures and provide periodic refresher training so policies, procedures, and personnel work as they should. Responding to and resolving accusations of HIPAA violations is disruptive, time-consuming, and expensive, so it is better to invest in preventing HIPAA violations rather than waiting until the organization is accused of a HIPAA violation.