Accidents or mistakes are bound to happen. Even if healthcare providers and business associates are compliant with HIPAA standards, there is always a possibility of unintentional or accidental disclosure of Protected Health Information (PHI). Accidental disclosure of PHI includes sending an email to the wrong recipient or an employee accidentally viewing a patient’s report, either of which leads to an unintentional HIPAA violation. In this article, we will cover how healthcare providers, employees and business associates should respond in the event of an accidental PHI disclosure.
How should employees respond to an unintended HIPAA violation?
Despite every precaution taken, accidents can and do still happen. In the event that an unauthorized employee gets access to a patient record, sends an email or fax to the wrong recipient or produces any other form of accidental disclosure of PHI, they must make sure that the event is reported to the concerned authority immediately. It’s at that point that the authority’s Privacy Officer can analyze the incident and suggest corrective measures/relevant procedures to reduce the potential damage. Incidents should be investigated, and risk assessments should be carried out. Further, the Department of Health and Human Services’ Office for Civil Rights (OCR) should receive a report about the incident that includes an account of what happened from the party involved. Moreover, they should identify the relevant patient records which were disclosed. Failure to report such a breach could result in a more serious security incident as well as disciplinary action against both the employee and the employer.
How should covered entities respond to an unintended HIPAA violation?
Accidental HIPAA violations should be taken seriously and necessitate risk assessments that evaluate the level of compromise. The risk assessment should help to determine the following:
- The nature of the breach,
- The potential risk involved due to the breach,
- The risk of reoccurrence,
- The kind of information accessed as well as whether the PHI information was acquired or just viewed,
- Details of the person having possession of the information,
- Information about parties to whom the information was disclosed,
- Data about the patient potentially affected, and
- Verification as to whether the risk is mitigated and to what degree it is mitigated.
Once the risk is identified, it should be reduced to an acceptable level and managed. Notifications should be issued as per the HIPAA Breach Notification Rule. However, not all PHI breaches need to be reported. There are exceptions wherein a HIPAA violation may not be disclosed:
- An unintentional acquisition or access of PHI by a member or person within the scope of the authority. For instance, an email sent to the wrong staff member wherein the data was accessed and viewed but, upon realization of the mistake, was securely deleted with no further disclosure.
- Unintentional disclosure of PHI by a person who is authorized to access PHI of another person who is covered by the participating entity (for instance, providing medical information of a wrong/another patient to other authorized individuals).
- If the covered entity or business associate has faith that the unauthorized person who mistakenly has access to information will not retain the information.
While such cases need not require breach notifications, members who find themselves in these types of situations are expected to notify their Privacy Officer of the incident. Where a PHI breach occurs other than in the exceptional cases mentioned above, OCR and the individuals affected must be informed of the incident within 60 days.
How should business associates respond to an unintentional HIPAA violation?
Business associates should inform their covered entity immediately in case of a HIPAA violation. A detailed report on the accidental HIPAA violation or breach should be provided to ensure the covered entity can accordingly determine the best course of action. The business associate agreement should contain all the procedures that need to be followed if an accidental HIPAA violation occurs. The HIPAA regulations clearly state that in case of an accidental HIPAA violation, it should be reported to the covered entity within 60 days of discovery. It is important to note that the notification should be sent as soon as possible without any delays. The covered entities should get every detail of the incident from their business associate to build a plan of action to deal with the event. The best option is to always have the basic processes in place for HIPAA compliance. A stitch in time always saves nine.
About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec, a foremost Company in the Infosec Industry. He holds more than 25 years of experience in the Information Technology Industry and has expertise in Information Risk Consulting, Assessment, & Compliance services. His company, VISTA InfoSec, has been instrumental in helping top multinational companies achieve compliance in areas such as PCI DSS, PCI PIN, SOC2, GDPR, HIPAA Certification, MAS TRM, PDPA, PDPB, to name a few. Mr. Sahoo, for his extensive contribution to the industry, has also been inducted into the CSI – Hall of Fame for his significant contributions to the fraternity and has also been awarded the “Crest of Honor” by the Indian Navy.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.