How to Act After an Accidental HIPAA Violation?

Although almost every healthcare organization tries to be fully HIPAA-compliant and to keep up with all of the standards and rules, nobody is immune to accidental HIPAA violations. The human factor plays the main role in such situations, so there is no guarantee that everything will go smoothly all the time. It is necessary to know how to stay on the safe side and how to act in case of an accidental HIPAA violation.

Employees’ Actions After an Accidental HIPAA Violation

First of all, it is necessary to remember that incidents vary. An employee can accidentally look through a patient's ePHI, send it to the wrong recipient, and so on. In any case, a staff member should report all such mistakes immediately to the Privacy Officer. It is the HIPAA Privacy Officer's responsibility to determine the further actions after a HIPAA violation in order to minimize the possible risks.

The accident should be investigated, and the officer must assess the dangers it poses. Finally, the Privacy Officer has to report the breach to the Department of Health and Human Services' Office for Civil Rights (OCR). The responsible employee should provide a full explanation of what kind of information was disclosed or reviewed, in what way, and to whom that PHI belonged. If an organization does not report the violation in time, a small issue can turn into a huge problem, and it can result in disciplinary measures or fines for the employee at fault.

Covered Entities' (CEs') Actions After an Accidental HIPAA Violation

Covered entities should not neglect accidental HIPAA violations. They should perform a risk analysis to determine the probability that PHI was compromised and the level of risk to the individuals concerned. It is also necessary to identify whose PHI was disclosed and how likely the accident is to be repeated. The risk analysis should include the type of breach, the person who viewed or obtained the PHI, the type of data and its owner, and to whom the employee revealed the information. It should also state how far the risk has been reduced and the probability that the PHI was actually obtained and reviewed.

After analyzing the risks, a CE should manage them and reduce them to an acceptable level. The HIPAA Breach Notification Rule also requires notifications and alerts to be sent in case of a breach. However, not every violation has to be reported.

Accidental HIPAA Violation: Data Breach Notification

There are three types of situations in which it is not necessary to notify anyone about an accidental HIPAA violation:

  1. An employee acting under the authority of a covered entity (CE) or business associate (BA) unintentionally accessed, obtained, or used PHI in good faith. For example, this happens when an employee sends an email or fax to another employee by mistake: the information is viewed, but the error is recognized. The employee should delete the email or destroy the fax to avoid any further disclosure.
  2. Inadvertent disclosure of PHI by an individual authorized to access PHI at a covered entity or business associate to another individual authorized to access PHI at the same covered entity or business associate, or within an organized health care arrangement in which the covered entity participates. For example, an authorized person provides a patient's PHI to another authorized person and, by accident, discloses the PHI of a different patient.
  3. The CE or BA has an honest and reasonable belief that the unauthorized individual who received the improper disclosure of PHI was not able to retain it. For example, a healthcare representative shares medical records with an individual who has no right to possess the information, but then the therapist realizes the mistake and retrieves the information before any possible data disclosure.

These types of violations do not have to be reported. Nevertheless, an employee who ends up in such a situation should still report it to the Privacy Officer immediately. In all other cases, a staff member should report HIPAA violations within 60 days of discovery, and the individuals affected by the breach must also be informed.

The Scenario for Business Associates (BAs)

The Business Associate Agreement has to specify all of the measures to be taken. As mentioned above, a responsible employee should report every accidental HIPAA violation and breach within 60 days. However, a worker should inform the CE as soon as possible, and notifications should not be unreasonably delayed.

BAs should provide as many details of an accidental HIPAA violation or breach as possible, so that the covered entity can decide on the best further measures to take.

If you still have questions about accidental HIPAA violations, feel free to contact us 🙂
