Even when a covered entity or business associate maintains an effective HIPAA compliance program, there are still instances where unintentional HIPAA violations occur. These violations can take various forms, such as an employee accidentally accessing patient records or sending sensitive information to the wrong recipient. This article examines how covered entities and business associates should appropriately respond in case of accidental PHI disclosure or other examples of unintentional HIPAA violations.
How Should Covered Entity Employees Respond to an Accidental Disclosure of PHI?
Members of the workforce of a covered entity should respond to accidental disclosure of PHI by reporting the incident to their organization’s Privacy Officer.
Once the incident is reported, the Privacy Officer must determine what actions need to be taken to mitigate risk and to reduce the potential for harm. The incident will need to be investigated, and a risk assessment should be performed.
How Should the Accidental Disclosure Risk Assessment be Performed?
The risk assessment should be performed for the following reasons:
- To determine the probability of whether PHI has been compromised
- To determine the level of risk to individuals whose PHI may have been compromised
- To determine the risk of further disclosures of PHI
Performing the risk assessment should enable the covered entity to determine:
- The nature of the breach
- The person or persons who viewed or acquired PHI
- The types of PHI and other information involved
- The number of patients potentially impacted
- To whom (i.e., to what outside entity) information has been disclosed
- The potential for re-disclosure of information
- Whether PHI was actually acquired or viewed
- The extent to which risk has been mitigated
Following the risk assessment, risk must be managed and reduced to an appropriate and acceptable level.
Under the HIPAA Breach Notification Rule, breaches must generally be reported. However, under the rule, there are three “accidental disclosure” exceptions. The three exceptions under which a breach need not be reported are:
1. When there has been an unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if the acquisition, access, or use:
   - Was made in good faith; and
   - Was made within the scope of authority
An example of this is when a fax is erroneously sent to a member of a covered entity’s staff. The PHI contained in the fax is accessed and viewed, but the mistake is quickly realized. The fax is then securely destroyed, and no further disclosure is made.
2. When there has been an inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate, to another person authorized to access PHI at the covered entity or business associate.
An example of this is when an authorized individual provides the medical information of a patient to another authorized individual, but a mistake is made and the information of a different patient ends up being disclosed instead.
3. When the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain that information.
An example of this occurs when a doctor gives a medical chart to a person who is not authorized to view the information in the chart. The doctor then realizes that a mistake has been made, and retrieves the information before it is likely that any PHI has been read and information retained.
Note that in each of the above three cases, while breach notifications are not required, staff members must nonetheless still report the incident to the Privacy Officer.
When Can an Accidental Disclosure of PHI Result in a Fine?
If an accidental disclosure does not fall within one of the three exceptions above, the covered entity or business associate must report the breach to OCR within 60 days of discovery.
In all other cases where there has been a breach of unsecured PHI, the incident must be reported to OCR within 60 days of the discovery of the breach. The business associate must report the breach to the covered entity within 60 days of discovery.
Generally, an entity can be fined for a breach if the cause of the breach was failure to implement or maintain a required privacy or security measure.
How Should Business Associates Respond to an Accidental HIPAA Violation?
The business associate agreement should contain specific language as to how to properly respond to an accidental disclosure. The response procedure should be followed if and when an accidental disclosure is made. Under the HIPAA Breach Notification Rule, a business associate must report all accidental HIPAA violations and data breaches to the covered entity within 60 days of discovery. As a practical matter, the business associate should notify the covered entity as soon as possible.
When a business associate reports accidental HIPAA violations and data breaches to the covered entity, the business associate should provide as many details of the accidental disclosure of PHI or breach as possible. Doing so will allow the covered entity to make an informed determination as to the best course of action to take.