What to do Following an Accidental HIPAA Violation
In the event of an accidental HIPAA violation, it is essential to take immediate action to address the situation and minimize potential harm. This involves assessing the breach, containing further exposure, documenting the incident, notifying privacy and security officials, conducting an internal investigation, mitigating harm to affected individuals, reporting the incident as required, reviewing and enhancing policies and training, monitoring and auditing for ongoing compliance, and seeking legal and regulatory guidance if necessary. By following these steps, organizations can demonstrate their commitment to protecting patient privacy, ensure compliance with HIPAA regulations, and prevent similar violations in the future.
HIPAA Accidental Violation Checklist
Here is a checklist of actions to take when an accident HIPAA violation occurs:
- Assess the Situation: Determine the nature and extent of the accidental HIPAA violation. Identify the specific PHI involved, the individuals affected, and the potential risks associated with the breach.
- Contain and Limit Further Exposure: Take immediate steps to stop the unauthorized access or disclosure of PHI. Retrieve any copies or records of the information involved in the violation and ensure that it is no longer accessible to unauthorized individuals.
- Document the Incident: Thoroughly document the details of the accidental HIPAA violation. Include information such as the date, time, individuals involved, description of the breach, and any actions taken to address it. This documentation will be vital for reporting and investigation purposes.
- Notify Privacy and Security Officials: Inform the designated privacy and security officials within your organization about the accidental HIPAA violation. They will guide you through the appropriate steps to handle the incident and ensure compliance with HIPAA regulations.
- Conduct Internal Investigation: Initiate an internal investigation to determine the root cause of the accidental violation. Assess any gaps in policies, procedures, or training that may have contributed to the incident. This investigation will help prevent similar violations in the future.
- Mitigate Potential Harm: Evaluate the potential impact on affected individuals and take necessary steps to mitigate any potential harm. This may involve providing notifications, offering support or credit monitoring services, or taking corrective actions to prevent further breaches.
- Report the Incident: If the violation meets the breach notification requirements outlined by HIPAA, report the incident to the affected individuals, the Department of Health and Human Services (HHS), and potentially other relevant entities as required by law. Timely reporting is essential to comply with HIPAA regulations.
- Review and Enhance Policies and Training: Evaluate your organization’s policies and procedures related to HIPAA compliance. Identify areas for improvement and implement necessary changes to prevent future accidental violations. Provide additional training and education to employees to reinforce proper handling of PHI and raise awareness of the importance of compliance.
- Monitor and Audit: Implement ongoing monitoring and auditing processes to ensure continued compliance with HIPAA regulations. Regularly review security measures, access controls, and training effectiveness to identify any vulnerabilities or areas that require improvement.
- Seek Legal and Regulatory Guidance: If necessary, consult legal counsel and regulatory experts to navigate the appropriate steps following an accidental HIPAA violation. They can provide guidance on specific reporting requirements, legal implications, and necessary actions to minimize potential legal ramifications.
How Should Covered Bodies React to an Accidental HIPAA Violation?
Any accidental HIPAA violation must be respected and requires a risk assessment to see if PHI may have been exposed, the level of danger to individuals whose PHI has potentially been compromised, and the risk of more disclosures of PHI.
The risk assessment should ascertain:
- The extent of the breach
- The individual who viewed or acquired PHI
- The sort of information involved
- The patients potentially affected
- To whom information has been shared
- The possibility for re-disclosure of information
- Whether PHI was actually obtained or seen
- The extent to which risk has been limited
After the risk assessment, risk must be managed and minimized to an acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be sent out. Not all instance of PHI violations are reportable. There are three exceptions when there has been a HIPAA violation due to an error.
1) An unintentional acquisition, access, or use of PHI by a staff member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
Example: A fax or email is broadcast to a member of staff by mistake. The data is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is erased and no further disclosure occurs.
2) An inadvertent disclosure of PHI by an individual authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered body or business associate, or organized health care arrangement in which the covered entity operates in.
Example: Supplying the medical information of a patient to another person authorized to receive it, but a mistake is made and the information of a different patient is shared.
3) If the covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made, would not have been able to retain the data.
Example: A physician shares X-rays films or a medical chart with a person not authorized to see the information, but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been seen and information retained.
In each instance, while breach notifications are not required, any employee that finds themselves in one of the above situations should still report the incident to their company Privacy Officer.
On all other occasions when there has been a breach of unsecured PHI, the incident must be made known to the OCR within 60 days of the identification of the breach and individuals impacted by the breach should be notified.
Unintentional HIPAA Violations Examples
Lost or stolen USB flash drives could be thought of by some to be examples of unintentional HIPAA violations as nobody intended for the USB flash drives to be lost or stolen. However, the loss or theft could have been reasonably predicted and potential breaches of ePHI avoided by encryption. The following examples of unintentional HIPAA violations were less predictable.
In May 2017, Olivia O’Leary (24) – a medical technician – claims to have been fired from her job at the Onslow Memorial Hospital in Jacksonville, NC, after commenting on a Facebook post. Her warning that the victim of an auto accident should have donned a seat belt was not seen by her employer as a reminder to always wear a seatbelt – O’Leary claims – but rather as a HIPAA violation.
In April 2016, the Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for hiring an outside vendor to convert X-Ray films to digital form and then permitting the vendor to harvest the silver from the films. The clinic’s mistake was not having a Business Associate Agreement in place; and, as well as the fine, the clinic had to implement a Corrective Action Plan managed by the OCR.
In a further example of an unintentional HIPAA violation listed on the OCR’s website, staff were required to undergo HIPAA training when one member of staff spoke about HIV testing procedures with a patient in a waiting room – sharing the patient’s PHI to other patients in the waiting room. Following the OCR investigation, computer monitors were also repositioned to stop the accidental disclosure of PHI.
How Should Business Associates React Following an Accidental HIPAA Violation?
The proper response to an accidental HIPAA violation should be outlined in your business associate agreement.
HIPAA Rules require all accidental HIPAA breaches be reported to the covered body within 60 days of discovery, although the covered body should be alerted as soon as possible and notification should not be unnecessarily slowed down.
Business associates should supply their covered entity with as many details of the accidental HIPAA violation or breach as they can so that the covered entity can make a determination on the best course of action to implement.