Responding To An Unintentional HIPAA Violation

Uploaded on 2022-05-30 in FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-Health & Welfare

Healthcare organisations face numerous challenges protecting patient data, not least compliance with stringent US regulations.

The Healthcare Insurance Portability and Accountability Act (HIPPA) is a US law established to protect sensitive Patient Health Information (PHI) or data. Based on the regulation enforced the healthcare industry including the covered entities, business associates, and healthcare employees is required to focus and prioritise on maintaining the security and privacy of PHI data.

They need to take extra care and ensure that the HIPAA Rules are followed and prevent even the slightest possibility of accidental HIPAA violation.

Further, to set the record straight no accidental or unintentional HIPAA violations are exempted from fines and penalties. So, in case a healthcare employee accidentally views records of a patient or sends the patient’s report to the wrong person or some other kind of accidental disclosure of PHI, then it is essential as per the regulation that the incident is reported to the Privacy Officer and necessary measures are taken to respond to such situations.

Covering more on this in detail, we have in the article shared a few tips on ways to respond to unintentional HIPAA violations. But before that let us first, understand what is considered an unintentional HIPAA Violation. 

What Is Unintentional HIPAA Violation?

Accidental or unintentional disclosure of PHI data can result in HIPAA violations. This can further result in hefty fines and penalties. So, it is important that the covered entities or business associates are aware of what constitutes unintentional HIPAA Violation and establish preventive measures for the same. Also, the organization must be capable enough to respond to such incidents in case of violation. But before getting into the details of responding to an unintentional HIPAA Violation let us first learn what constitutes an unintentional HIPAA Violation. 

Inadvertent Disclosure or Acquisition of Data

For instance, an employee accidentally disclosing the PHI data by sending an email containing the information to the wrong employee is a classic case of Inadvertent Disclosure of PHI data. Sharing the medical information of a patient to another authorised employee or individual having permission to receive it, but by mistake receiving information of different patient’s results in inadvertent disclosure. Such information disclosure leads to a violation of HIPAA Regulations. However, the level of severity of the violation depends on the nature of Unintentional Access and/or Acquisition of Data. For instance, if such disclosure or access, is within the scope of authority for example an email containing ePHI was by mistake shared with a staff member. In this scenario, the error can be quickly rectified by securely destroying or getting the email deleted with no further disclosure of ePHI that could possibly limit the consequences.

Unintentional Access 

Unintentional access to data is somewhat similar to a situation of inadvertent disclosure. So, for instance, an employee has to a co-worker's desktop or laptop and when searching for a file accidentally opening another file for which he has no authorization or permit is an instance of unintentional access to sensitive data and HIPAA Violation. However, since the access was unintentional and no data was shared such violation can be contained and limit the consequences or impact of HIPAA Violation. But since it was viewed by an unauthorized person necessary steps should be taken to ensure that such unintentional access does not lead to any further breach of data. 

Employee Negligence 

Employee negligence is one of the most common human errors that result in HIPAA violations and data breaches. Employee negligence is a broad term when we speak of violation. This could be in terms of setting weak passwords or not changing default passwords to devices comprising sensitive data that can result in a hack or breach. This could even be in the case of an employee speaking to another co-worker about a patient’s case and revealing certain data or unintentionally sharing links or files comprising sensitive data. Such scenarios are often seen as common human errors that result in major HIPAA violations. 

Good Faith Belief 

As mentioned in the earlier example an employee in good faith sharing details of a patient to an unauthorized person who is not permitted to such disclosure or access of information also results in a violation of HIPAA. So, although this comes under the category of violation yet such instances do not need any breach notification. However, such incidents must be known to the organisation's appointed HIPAA Officer. The officer accordingly assesses the incident and determines whether or not they need any measures or a course of action. 

In other instances when there is a violation of HIPAA and breach of data, the incident must be reported to not just the appointed officer within the organisation but also to the Office for Civil Rights (OCR) within 60 days of the data breach discovery. Further, individuals affected due to the breach must also be notified about the breach without any unreasonable delay within 60 days of the data breach discovery. 

How to respond to HIPAA Violation? 

As mentioned earlier, in case of a data breach and HIPAA Violation, based on the severity of the incident the privacy officer must determine the plan of action to be taken to mitigate risk and reduce the potential for harm. As a first step toward responding to HIPAA violation, the officer will need to investigate the incident in terms of the risk exposure, and impact of the breach and report the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR). The report should include details of how the incident occurred, the number of people affected or possibly affected measures taken to limit the impact, etc. Failure to report the breach promptly can result in disciplinary action and potentially also result in high penalties for your employer.

Reporting to the Covered Entity 
HIPAA Rules require that any accidental HIPAA violations and data breaches be reported to the covered entity as early as possible or at least within 60 days of discovery without unnecessarily delay. Business Associates should give their covered entity all the details about the accidental HIPAA violation or breach along with necessary measures taken to mitigate the breach. Based on this report the covered entity can accordingly take the best course of action.

Measures to be taken by Covered Entity 
Although it turns out to be an unintentional HIPAA Violation, yet informing the officer is essential. This is to determine the severity of the violation and the required plan of action to be taken to minimise the risk and reduce the potential impact of the incident. The incident should be reviewed, and a thorough risk assessment should be performed and reported. The importance of reporting breaches, what constitutes a HIPAA breach, and measures to tackle the situation should be covered in the covered entity's employee HIPAA training program and must be accordingly implemented in an incident. 

Company-wide Measures 
Covered entities must keep a detailed record of all HIPAA breaches, including reports of the risk assessment and measures taken in response to the breach. The necessary breach information must be passed on to the relevant staff, customers, and stakeholders affected by the breach. Thereafter necessary security measures should be implemented to fix the gaps and loopholes that resulted in the breach. 

Conclusion 

More than often the HIPAA violations in the healthcare industry is an incident of unintentional violation of the regulation. Although there are exceptions in the Breach Notification rules yet unfortunately most of the violation happens due to mishandling of the PHI data which does not fall under the exception case.

Healthcare organisations need to implement strong and tight security measures including all the parameters of unintentional HIPAA violations to ensure the gaps are fixed appropriately. Without stringent measures and processes in place, the organisation will have to face penalties for HIPAA violations and the consequences of the data breach. In short, organisations will have to cover their bases to ensure they are running a secure and HIPAA-compliant working environment in all aspects of healthcare operations and processes.  

Narendra Sahoo is the Founder and Director of VISTA InfoSec

You Might Also Read: 

How To Prevent Healthcare Data Breaches:

 

« Best Practices For Cyber Security Awareness Training
General Motors Hack Exposes Car Owner Information »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Black Hat Briefings

Black Hat Briefings

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world.

Cyren

Cyren

Cyren is a cloud-based, Internet security technology company providing threat detection and security analytics.

SolarWinds

SolarWinds

SolarWinds as a worldwide leader in solutions for network and IT service management, application performance, and managed services.

DataCore Software

DataCore Software

DataCore Software is a leader in Software-Defined Storage. Solutions offered include back up and disaster recovery.

ISF Annual World Congress

ISF Annual World Congress

ISF Annual World Congress, our flagship global event, offers attendees an opportunity to discuss and find solutions to current security challenges.

Exabeam

Exabeam

Exabeam provides security intelligence and management solutions to help organizations of any size protect their most valuable information.

Norton

Norton

NortonLifeLock is dedicated to helping secure the devices, identities, online privacy, and home and family needs of approximately 50 million consumers.

Merlin Cyber

Merlin Cyber

Merlin is a premier cybersecurity platform that leverages security technologies, trusted relationships, and capital to develop and deliver groundbreaking security solutions.

Brainloop

Brainloop

Brainloop's security architecture enables you to work on and distribute strictly confidential documents both within and beyond the firewall.

Quantea

Quantea

Our multi-patented solutions - QP Series Network Analytics Accelerator appliance and PureInsight Analytics Software Suite allows you to capture, analyze, store, replay, network traffic data.

BotGuard

BotGuard

BotGuard provides a service to protect your website from malicious bots, crawlers, scrapers, and hacker attacks.

Scholarly Networks Security Initiative (SNSI)

Scholarly Networks Security Initiative (SNSI)

SNSI brings together publishers and institutions to solve cyber-challenges threatening the integrity of the scientific record, scholarly systems and the safety of personal data.

Vircom

Vircom

With a large majority of cyber attacks starting with email, Vircom provides protection against the worst email security threats to your business.

Ermes

Ermes

Ermes – Intelligent Web Protection provides companies with a solution that effectively secures them against web threats.

Cranium

Cranium

Cranium are an international consultancy organisation specialised in privacy, security and data management.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.