Responding To An Unintentional HIPAA Violation

Uploaded on 2022-05-30 in FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-Health & Welfare

Healthcare organisations face numerous challenges protecting patient data, not least compliance with stringent US regulations.

The Healthcare Insurance Portability and Accountability Act (HIPPA) is a US law established to protect sensitive Patient Health Information (PHI) or data. Based on the regulation enforced the healthcare industry including the covered entities, business associates, and healthcare employees is required to focus and prioritise on maintaining the security and privacy of PHI data.

They need to take extra care and ensure that the HIPAA Rules are followed and prevent even the slightest possibility of accidental HIPAA violation.

Further, to set the record straight no accidental or unintentional HIPAA violations are exempted from fines and penalties. So, in case a healthcare employee accidentally views records of a patient or sends the patient’s report to the wrong person or some other kind of accidental disclosure of PHI, then it is essential as per the regulation that the incident is reported to the Privacy Officer and necessary measures are taken to respond to such situations.

Covering more on this in detail, we have in the article shared a few tips on ways to respond to unintentional HIPAA violations. But before that let us first, understand what is considered an unintentional HIPAA Violation. 

What Is Unintentional HIPAA Violation?

Accidental or unintentional disclosure of PHI data can result in HIPAA violations. This can further result in hefty fines and penalties. So, it is important that the covered entities or business associates are aware of what constitutes unintentional HIPAA Violation and establish preventive measures for the same. Also, the organization must be capable enough to respond to such incidents in case of violation. But before getting into the details of responding to an unintentional HIPAA Violation let us first learn what constitutes an unintentional HIPAA Violation. 

Inadvertent Disclosure or Acquisition of Data

For instance, an employee accidentally disclosing the PHI data by sending an email containing the information to the wrong employee is a classic case of Inadvertent Disclosure of PHI data. Sharing the medical information of a patient to another authorised employee or individual having permission to receive it, but by mistake receiving information of different patient’s results in inadvertent disclosure. Such information disclosure leads to a violation of HIPAA Regulations. However, the level of severity of the violation depends on the nature of Unintentional Access and/or Acquisition of Data. For instance, if such disclosure or access, is within the scope of authority for example an email containing ePHI was by mistake shared with a staff member. In this scenario, the error can be quickly rectified by securely destroying or getting the email deleted with no further disclosure of ePHI that could possibly limit the consequences.

Unintentional Access 

Unintentional access to data is somewhat similar to a situation of inadvertent disclosure. So, for instance, an employee has to a co-worker's desktop or laptop and when searching for a file accidentally opening another file for which he has no authorization or permit is an instance of unintentional access to sensitive data and HIPAA Violation. However, since the access was unintentional and no data was shared such violation can be contained and limit the consequences or impact of HIPAA Violation. But since it was viewed by an unauthorized person necessary steps should be taken to ensure that such unintentional access does not lead to any further breach of data. 

Employee Negligence 

Employee negligence is one of the most common human errors that result in HIPAA violations and data breaches. Employee negligence is a broad term when we speak of violation. This could be in terms of setting weak passwords or not changing default passwords to devices comprising sensitive data that can result in a hack or breach. This could even be in the case of an employee speaking to another co-worker about a patient’s case and revealing certain data or unintentionally sharing links or files comprising sensitive data. Such scenarios are often seen as common human errors that result in major HIPAA violations. 

Good Faith Belief 

As mentioned in the earlier example an employee in good faith sharing details of a patient to an unauthorized person who is not permitted to such disclosure or access of information also results in a violation of HIPAA. So, although this comes under the category of violation yet such instances do not need any breach notification. However, such incidents must be known to the organisation's appointed HIPAA Officer. The officer accordingly assesses the incident and determines whether or not they need any measures or a course of action. 

In other instances when there is a violation of HIPAA and breach of data, the incident must be reported to not just the appointed officer within the organisation but also to the Office for Civil Rights (OCR) within 60 days of the data breach discovery. Further, individuals affected due to the breach must also be notified about the breach without any unreasonable delay within 60 days of the data breach discovery. 

How to respond to HIPAA Violation? 

As mentioned earlier, in case of a data breach and HIPAA Violation, based on the severity of the incident the privacy officer must determine the plan of action to be taken to mitigate risk and reduce the potential for harm. As a first step toward responding to HIPAA violation, the officer will need to investigate the incident in terms of the risk exposure, and impact of the breach and report the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR). The report should include details of how the incident occurred, the number of people affected or possibly affected measures taken to limit the impact, etc. Failure to report the breach promptly can result in disciplinary action and potentially also result in high penalties for your employer.

Reporting to the Covered Entity 
HIPAA Rules require that any accidental HIPAA violations and data breaches be reported to the covered entity as early as possible or at least within 60 days of discovery without unnecessarily delay. Business Associates should give their covered entity all the details about the accidental HIPAA violation or breach along with necessary measures taken to mitigate the breach. Based on this report the covered entity can accordingly take the best course of action.

Measures to be taken by Covered Entity 
Although it turns out to be an unintentional HIPAA Violation, yet informing the officer is essential. This is to determine the severity of the violation and the required plan of action to be taken to minimise the risk and reduce the potential impact of the incident. The incident should be reviewed, and a thorough risk assessment should be performed and reported. The importance of reporting breaches, what constitutes a HIPAA breach, and measures to tackle the situation should be covered in the covered entity's employee HIPAA training program and must be accordingly implemented in an incident. 

Company-wide Measures 
Covered entities must keep a detailed record of all HIPAA breaches, including reports of the risk assessment and measures taken in response to the breach. The necessary breach information must be passed on to the relevant staff, customers, and stakeholders affected by the breach. Thereafter necessary security measures should be implemented to fix the gaps and loopholes that resulted in the breach. 

Conclusion 

More than often the HIPAA violations in the healthcare industry is an incident of unintentional violation of the regulation. Although there are exceptions in the Breach Notification rules yet unfortunately most of the violation happens due to mishandling of the PHI data which does not fall under the exception case.

Healthcare organisations need to implement strong and tight security measures including all the parameters of unintentional HIPAA violations to ensure the gaps are fixed appropriately. Without stringent measures and processes in place, the organisation will have to face penalties for HIPAA violations and the consequences of the data breach. In short, organisations will have to cover their bases to ensure they are running a secure and HIPAA-compliant working environment in all aspects of healthcare operations and processes.  

Narendra Sahoo is the Founder and Director of VISTA InfoSec

You Might Also Read: 

How To Prevent Healthcare Data Breaches:

 

« Best Practices For Cyber Security Awareness Training
General Motors Hack Exposes Car Owner Information »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

E-Tech

E-Tech

E-Tech has been providing system support and information technology consulting services including Internet and Network Security assessments.

Fenror7

Fenror7

Fenror7 lowers the TTD (Time To Detection) of hackers, malwares and APTs in enterprises and organizations from 300 days on average to 24 hrs or less.

CTR Secure Services

CTR Secure Services

CTR Secure Services provides a broad range of security consulting services from asset protection to cyber security.

Redborder

Redborder

Redborder is an Open Source network visibility, data analytics, and cybersecurity Big Data solution that is scalable up to the needs of enterprise networks and service providers.

Hunters.AI

Hunters.AI

Hunters is the world's first autonomous hunting solution that leverages top-tier cyber expertise and AI to uncover hidden cyber threats.

Tesorion

Tesorion

Tesorion is a fusion of different enterprises each with its own specialisation in the field of cybersecurity. We have combined these specialisations to create an integrated comprehensive solution.

Forum Systems

Forum Systems

Forum Systems is a global leader in API Security Management with industry-certified, patented, and proven products deployed in the most rigorous and demanding customer environments.

Privakey

Privakey

Transaction Intent Verification. Privakey delivers a secure channel to streamline high risk transactions, enabling digital trust between services and their users.

Pacific Cyber Security Operational Network (PaCSON)

Pacific Cyber Security Operational Network (PaCSON)

PaCSON is an operational cyber security network of regional working-level cyber security experts in the Pacific.

Bastion Technologies

Bastion Technologies

All your cyber defense. One platform. Keep your business assets and employees safe under one roof. Manage your cyber defense quickly, easily & efficiently.

Rampart AI

Rampart AI

Tackling DevSecOps Issues In Application Security. Rampart has revolutionized the shift left security approach, applying zero-trust to application development.

BSS

BSS

BSS is a solutions and services business based in the UK with a focus on Cyber Security, Data, Financial Crime, Internal Audit, Change, Risk and Resilience.

ClearSky Cyber Security

ClearSky Cyber Security

ClearSky cyber security provides cyber solutions, focused on threat intelligence services, mainly for the financial sector, critical infrastructure, public sector and the pharma sector.

Brightside AI

Brightside AI

Brightside AI is a Swiss cybersecurity SaaS that helps teams combat AI-enabled phishing threats. Protect your team today.

TIM Enterprise

TIM Enterprise

TIM Enterprise offers innovative, sustainable and secure 360-degree digital solutions to companies and public administrations.

Information Security Society of Africa – Nigeria (ISSAN)

Information Security Society of Africa – Nigeria (ISSAN)

The Information Security Society of Africa – Nigeria (ISSAN) is a not-for-profit organization dedicated to the protection of Nigeria’s cyberspace.

Utilize

Utilize

Utilize is an award-winning technology company with over 25 years of industry expertise, we support hundreds of businesses across London and the South East.