What Happens After an Accidental HIPAA Violation?

Even though most healthcare employees, covered entities, business associates, and others in the healthcare space do their best to always act in compliance with the Health Insurance Portability and Accountability Act (HIPAA), mistakes are sometimes made. This leaves people asking what happens in the case of an accidental HIPAA violation. It is important that staff and stakeholders at all levels know how to handle such an event so that issues are correctly reported and addressed.

How Should Employees Report an Accidental HIPAA Violation?

As we mentioned above, accidents are a part of life despite our best attempts to avoid them. An accidental disclosure of Protected Health Information (PHI) is something that happens when, for example, a staff member erroneously accesses a patient’s records or transfers PHI to the wrong email address or fax number. A crucial, and often first step, is for the employee to contact their Privacy Officer.

It will be up to the Privacy Officer to judge what actions are appropriate in order to minimize risk and prevent harm in so far as possible. Each accidental disclosure should be reviewed. Depending on the nature of the issue, a risk assessment may be required and the Department of Health and Human Services’ Office for Civil Rights (OCR) may need to be notified of the breach.

In such a case, the circumstances of the accident should be relayed to the OCR, along with a list of the individuals or different patient records that may have been affected. Failing to report even small breaches is very serious and could lead to much larger issues for both the employee and the employer.

What Should Covered Entities Do if There Is an Accidental HIPAA Violation?

If an accidental violation is reported to a covered entity, the issue should be dealt with in a serious manner and it is important to review the possible damage resulting from the error. A risk assessment should likely be conducted to evaluate the possibility that PHI was inappropriately accessed, as well as to determine the potential fallout faced by patients whose records may have been accessed by unauthorized individuals. The assessment should also try to reduce the risk of further breaches occurring in the same or a similar manner.

The risk assessment should determine:

  • How the breach occurred
  • Who may have viewed or acquired PHI
  • What information was involved
  • Who was potentially impacted
  • What parties may have gained access to the information
  • The likelihood that the information will be re-disclosed
  • Whether PHI was actually acquired or viewed
  • Whether and by how much the risk has been mitigated

Once the assessment has been completed, procedures or elements should be introduced to mitigate the possibility of further breaches to an appropriate and acceptable level. Depending on the nature of the incident, a breach notification may need to be issued in line with the Breach Notification Rule. This will not be required in every case and so both HIPAA and local state laws should be reviewed to ensure full compliance.