Responding To An Unintentional HIPAA Violation

Uploaded on 2022-05-30 in FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-Health & Welfare

Healthcare organisations face numerous challenges protecting patient data, not least compliance with stringent US regulations.

The Healthcare Insurance Portability and Accountability Act (HIPPA) is a US law established to protect sensitive Patient Health Information (PHI) or data. Based on the regulation enforced the healthcare industry including the covered entities, business associates, and healthcare employees is required to focus and prioritise on maintaining the security and privacy of PHI data.

They need to take extra care and ensure that the HIPAA Rules are followed and prevent even the slightest possibility of accidental HIPAA violation.

Further, to set the record straight no accidental or unintentional HIPAA violations are exempted from fines and penalties. So, in case a healthcare employee accidentally views records of a patient or sends the patient’s report to the wrong person or some other kind of accidental disclosure of PHI, then it is essential as per the regulation that the incident is reported to the Privacy Officer and necessary measures are taken to respond to such situations.

Covering more on this in detail, we have in the article shared a few tips on ways to respond to unintentional HIPAA violations. But before that let us first, understand what is considered an unintentional HIPAA Violation. 

What Is Unintentional HIPAA Violation?

Accidental or unintentional disclosure of PHI data can result in HIPAA violations. This can further result in hefty fines and penalties. So, it is important that the covered entities or business associates are aware of what constitutes unintentional HIPAA Violation and establish preventive measures for the same. Also, the organization must be capable enough to respond to such incidents in case of violation. But before getting into the details of responding to an unintentional HIPAA Violation let us first learn what constitutes an unintentional HIPAA Violation. 

Inadvertent Disclosure or Acquisition of Data

For instance, an employee accidentally disclosing the PHI data by sending an email containing the information to the wrong employee is a classic case of Inadvertent Disclosure of PHI data. Sharing the medical information of a patient to another authorised employee or individual having permission to receive it, but by mistake receiving information of different patient’s results in inadvertent disclosure. Such information disclosure leads to a violation of HIPAA Regulations. However, the level of severity of the violation depends on the nature of Unintentional Access and/or Acquisition of Data. For instance, if such disclosure or access, is within the scope of authority for example an email containing ePHI was by mistake shared with a staff member. In this scenario, the error can be quickly rectified by securely destroying or getting the email deleted with no further disclosure of ePHI that could possibly limit the consequences.

Unintentional Access 

Unintentional access to data is somewhat similar to a situation of inadvertent disclosure. So, for instance, an employee has to a co-worker's desktop or laptop and when searching for a file accidentally opening another file for which he has no authorization or permit is an instance of unintentional access to sensitive data and HIPAA Violation. However, since the access was unintentional and no data was shared such violation can be contained and limit the consequences or impact of HIPAA Violation. But since it was viewed by an unauthorized person necessary steps should be taken to ensure that such unintentional access does not lead to any further breach of data. 

Employee Negligence 

Employee negligence is one of the most common human errors that result in HIPAA violations and data breaches. Employee negligence is a broad term when we speak of violation. This could be in terms of setting weak passwords or not changing default passwords to devices comprising sensitive data that can result in a hack or breach. This could even be in the case of an employee speaking to another co-worker about a patient’s case and revealing certain data or unintentionally sharing links or files comprising sensitive data. Such scenarios are often seen as common human errors that result in major HIPAA violations. 

Good Faith Belief 

As mentioned in the earlier example an employee in good faith sharing details of a patient to an unauthorized person who is not permitted to such disclosure or access of information also results in a violation of HIPAA. So, although this comes under the category of violation yet such instances do not need any breach notification. However, such incidents must be known to the organisation's appointed HIPAA Officer. The officer accordingly assesses the incident and determines whether or not they need any measures or a course of action. 

In other instances when there is a violation of HIPAA and breach of data, the incident must be reported to not just the appointed officer within the organisation but also to the Office for Civil Rights (OCR) within 60 days of the data breach discovery. Further, individuals affected due to the breach must also be notified about the breach without any unreasonable delay within 60 days of the data breach discovery. 

How to respond to HIPAA Violation? 

As mentioned earlier, in case of a data breach and HIPAA Violation, based on the severity of the incident the privacy officer must determine the plan of action to be taken to mitigate risk and reduce the potential for harm. As a first step toward responding to HIPAA violation, the officer will need to investigate the incident in terms of the risk exposure, and impact of the breach and report the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR). The report should include details of how the incident occurred, the number of people affected or possibly affected measures taken to limit the impact, etc. Failure to report the breach promptly can result in disciplinary action and potentially also result in high penalties for your employer.

Reporting to the Covered Entity 
HIPAA Rules require that any accidental HIPAA violations and data breaches be reported to the covered entity as early as possible or at least within 60 days of discovery without unnecessarily delay. Business Associates should give their covered entity all the details about the accidental HIPAA violation or breach along with necessary measures taken to mitigate the breach. Based on this report the covered entity can accordingly take the best course of action.

Measures to be taken by Covered Entity 
Although it turns out to be an unintentional HIPAA Violation, yet informing the officer is essential. This is to determine the severity of the violation and the required plan of action to be taken to minimise the risk and reduce the potential impact of the incident. The incident should be reviewed, and a thorough risk assessment should be performed and reported. The importance of reporting breaches, what constitutes a HIPAA breach, and measures to tackle the situation should be covered in the covered entity's employee HIPAA training program and must be accordingly implemented in an incident. 

Company-wide Measures 
Covered entities must keep a detailed record of all HIPAA breaches, including reports of the risk assessment and measures taken in response to the breach. The necessary breach information must be passed on to the relevant staff, customers, and stakeholders affected by the breach. Thereafter necessary security measures should be implemented to fix the gaps and loopholes that resulted in the breach. 

Conclusion 

More than often the HIPAA violations in the healthcare industry is an incident of unintentional violation of the regulation. Although there are exceptions in the Breach Notification rules yet unfortunately most of the violation happens due to mishandling of the PHI data which does not fall under the exception case.

Healthcare organisations need to implement strong and tight security measures including all the parameters of unintentional HIPAA violations to ensure the gaps are fixed appropriately. Without stringent measures and processes in place, the organisation will have to face penalties for HIPAA violations and the consequences of the data breach. In short, organisations will have to cover their bases to ensure they are running a secure and HIPAA-compliant working environment in all aspects of healthcare operations and processes.  

Narendra Sahoo is the Founder and Director of VISTA InfoSec

You Might Also Read: 

How To Prevent Healthcare Data Breaches:

 

« Best Practices For Cyber Security Awareness Training
General Motors Hack Exposes Car Owner Information »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Help Net Security

Help Net Security

Help Net Security has been a prime resource for information security news and insight since 1998.

Atlantic Council

Atlantic Council

The Atlantic Council's Cyber Statecraft Initiative focuses on international cooperation, competition, and conflict in cyberspace.

Trustwave

Trustwave

Trustwave is a leader in managed detection and response (MDR), managed security services (MSS), consulting and professional services, database security, and email security.

NXP Semiconductors

NXP Semiconductors

NXP is a world leader in secure connectivity solutions for embedded applications and the Internet of Things.

Avast Software

Avast Software

Avast Software is a security software company that develops antivirus software and internet security services.

Cask Government Services

Cask Government Services

Cask Government Services focuses on program management, cybersecurity, logistics, business analysis and engineering services for Federal, State and Local Government.

TypingDNA

TypingDNA

TypingDNA uses AI to recognise people by the way they type on desktop keyboards and mobile devices.

Deceptive Bytes

Deceptive Bytes

Deceptive Bytes provides an Active Endpoint Deception platform that dynamically responds to attacks as they evolve and changes their outcome.

Bio-Morphis

Bio-Morphis

Bio-Morphis Reflex solution is a paradigm shift in the approach to information systems security.

Gorodissky IP Security

Gorodissky IP Security

Gorodissky IP Security is a comprehensive approach to protecting your intellectual property on the Internet and beyond.

Adit Ventures

Adit Ventures

Adit Ventures is a venture capital firm with a focus on dynamic growth sectors including AI & Machine Learning, Big Data, Cybersecurity and IoT.

Alacrinet

Alacrinet

Alacrinet is an IT and cyber security consultancy. From penetration testing to fully managed MSSP, our team is focused on knowing the latest threats, preventing vulnerabilities, and providing value.

Cyrebro

Cyrebro

CYREBRO is your online cybersecurity central command managed SOC that integrates all your security events with strategic monitoring, proactive threat intelligence, and rapid incident response.

Digitale Gründerinitiative Oberpfalz (DGO)

Digitale Gründerinitiative Oberpfalz (DGO)

Digital Founder Initiative Oberpfalz's goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

Jitsuin

Jitsuin

Jitsuin enables developers with tools and services to build verifiable digital trust between organizations.

CDS

CDS

CDS is a strategic change agency enabling organisations and businesses to create and build better services to meet the evolving needs of customers, employees and citizens.