Almost every HIPAA covered entity, as well as their business associates and the healthcare professionals they employ, does their utmost to guaranteed HIPAA rules are respected – but what happens when an unintentional HIPAA violation occurs? What should covered entities, healthcare employees, and business associates do?
How Should Healthcare Employees Report an Unintended HIPAA Violation?
Despite all precautions, accidents still happen. Should an unauthorized employee view a patient’s record, or a fax be sent to the incorrect number, an email containing protected health information (PHI) be sent to the incorrect address, or some other accidental disclosure of PHI take place, it is vital that the event is noted by the organization’s Privacy Officer.
The Privacy Officer judges the correct procedures to follow in order to reduce risk and minimize potential damage. Incidents should be investigated and there may be a need for a risk assessment study to be carried out. The Department of Health and Human Services’ Office for Civil Rights (OCR) may also need to be given a report of the incident.
The parties involved should explain that an error occurred and the circumstances of how this took place. The relevant patient records which were viewed or disclosed should be identified. Failure to report a breach of this nature runs the risk of creating a major incident out of a simple mistake, an incident which could result in disciplinary measures for the individual, and even sanctions for the employer.
How Should Covered Entities Respond to an Unintended HIPAA Violation?
All unintentional HIPAA violations should be treated seriously and require risk assessments to evaluate the potential that PHI was compromised; what risk may be faced by those whose PHI may have been compromised; and the risk of future breaches occurring.
The risk assessment should determine:
- The breach’s nature
- The kind of information involved
- If PHI was viewed or acquired
- Who saw or came into possession of the information
- The parties to whom information may have been disclosed
- Patients potentially affected
- Whether the information risks being re-disclosed
- If the risk has been mitigated and to what degree
Once the assessment is complete, the risk must be reduced to an acceptable level and managed. Notifications must also be issued, as per the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). Not all PHI breaches are reportable. Three exceptions to notification exist when there has been an involuntary HIPAA violation:
- An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made. - An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of the wrong patient is disclosed. - If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Example: A physician gives X-rays films or a medical chart to a person not authorized to view the information, but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been read and information retained.
In cases such as these, while they do not require breach notifications, members of staff that find themselves in such a situation should still notify their Privacy Officer of the incident.
In all other cases where a PHI breach has occurred, OCR must be informed of the incident within 60 days and affected individuals should be notified.
How Should Business Associates Respond to an Unintentional HIPAA Violation?
Business Associate agreements should contain the correct procedure to follow if an accidental HIPAA violation occurs.
HIPAA Regulations state that all accidental violations of HIPAA be reported to the covered entity within 60 days of discovery, keeping in mind that notification should be sent as soon as possible and no unnecessary delay should impede notification. Covered entities should receive as much detail as possible from their business associate in the case of an accidental HIPAA breach or violation so that they can plan their response and how to deal with the event.