Responding To An Unintentional HIPAA Violation

Healthcare organisations face numerous challenges protecting patient data, not least compliance with stringent US regulations.

The Health Insurance Portability and Accountability Act (HIPAA) is a US law established to protect sensitive Protected Health Information (PHI). Under its rules, the healthcare industry, including covered entities, business associates and their employees, is required to prioritise the security and privacy of PHI.

They must take care to follow the HIPAA Rules and reduce even the slightest possibility of an accidental HIPAA violation.

To set the record straight: a violation is not exempt from fines and penalties merely because it was accidental or unintentional. So if a healthcare employee accidentally views a patient's records, sends a patient's report to the wrong person, or otherwise accidentally discloses PHI, the regulation requires that the incident be reported to the Privacy Officer and that appropriate measures be taken in response.

This article shares a few tips on how to respond to unintentional HIPAA violations. But first, let us understand what is considered an unintentional HIPAA violation.

What Is An Unintentional HIPAA Violation?

Accidental or unintentional disclosure of PHI can result in HIPAA violations, which in turn can result in hefty fines and penalties. It is therefore important that covered entities and business associates understand what constitutes an unintentional HIPAA violation, establish preventive measures, and are able to respond to such incidents when they occur. The most common forms are described below.

Inadvertent Disclosure or Acquisition of Data

A classic case of inadvertent disclosure is an employee sending an email containing PHI to the wrong employee. Another is sharing a patient's medical information with an authorised employee who is permitted to receive it, but attaching a different patient's records by mistake. Both are violations of the HIPAA Rules. However, the severity of the violation depends on the nature of the unintentional access or acquisition. If the disclosure stays within the scope of the recipient's authority, for example an email containing ePHI that was mistakenly sent to another staff member of the same organisation, the error can be rectified quickly by having the email securely deleted and confirming that there was no further disclosure of the ePHI, which limits the consequences.

Unintentional Access 

Unintentional access to data is similar to inadvertent disclosure. For instance, an employee using a co-worker's desktop or laptop to search for a file accidentally opens another file that they are not authorised to view. This is unintentional access to sensitive data and a HIPAA violation. Because the access was unintentional and no data was shared, the violation can be contained and its impact limited. But since the data was viewed by an unauthorised person, steps should be taken to ensure that the unintentional access does not lead to any further breach of data.

Employee Negligence 

Employee negligence is one of the most common human errors resulting in HIPAA violations and data breaches, and it is a broad term. It includes setting weak passwords, or leaving default passwords on devices that hold sensitive data, either of which can lead to a hack or breach. It also includes an employee discussing a patient's case with a co-worker and revealing details, or unintentionally sharing links or files that contain sensitive data. Such scenarios are often dismissed as ordinary human error, yet they result in major HIPAA violations.

Good Faith Belief 

As in the earlier example, an employee who in good faith shares a patient's details with an unauthorised person who is not permitted to receive them also violates HIPAA. Under the Breach Notification Rule, however, such an incident does not require breach notification if the organisation has a good faith belief that the unauthorised recipient would not reasonably have been able to retain the information. The incident must still be reported to the organisation's appointed HIPAA Officer, who assesses it and determines whether any further measures or course of action are needed.

Where a HIPAA violation does amount to a breach of unsecured PHI, the incident must be reported not just to the appointed officer within the organisation but also to the Department of Health and Human Services' Office for Civil Rights (OCR). Breaches affecting 500 or more individuals must be reported to the OCR without unreasonable delay and no later than 60 days after discovery; smaller breaches may be reported within 60 days after the end of the calendar year in which they were discovered. The affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach.

How To Respond To A HIPAA Violation?

As mentioned earlier, in the event of a data breach and HIPAA violation the Privacy Officer must determine, based on the severity of the incident, the plan of action needed to mitigate the risk and reduce the potential for harm. The first step is to investigate the incident: its risk exposure and the impact of the breach. The officer then reports the breach to the Department of Health and Human Services' Office for Civil Rights (OCR) with details of how the incident occurred, the number of people affected or possibly affected, the measures taken to limit the impact, and so on. Failure to report a breach promptly can result in disciplinary action for the individual and high penalties for the employer.

Reporting To The Covered Entity

The HIPAA Rules require that accidental HIPAA violations and data breaches be reported to the covered entity without unreasonable delay and no later than 60 days after discovery. Business associates should give the covered entity all the details of the accidental violation or breach, along with the measures taken to mitigate it. Based on this report the covered entity can decide on the best course of action.

Measures To Be Taken By The Covered Entity

Even when the violation turns out to be unintentional, informing the Privacy Officer is essential so that the severity of the violation can be determined along with the plan of action needed to minimise the risk and reduce the impact of the incident. The incident should be reviewed, a thorough risk assessment performed and its results documented. The importance of reporting breaches, what constitutes a HIPAA breach, and the measures to take in response should all be covered in the covered entity's employee HIPAA training programme and put into practice when an incident occurs.

Company-Wide Measures

Covered entities must keep a detailed record of every HIPAA breach, including the risk assessment report and the measures taken in response. The relevant breach information must be passed on to the staff, customers and stakeholders affected. Thereafter, security measures should be implemented to close the gaps that allowed the breach to occur.

Conclusion 

More often than not, HIPAA violations in the healthcare industry are unintentional. Although the Breach Notification Rule contains exceptions, most violations unfortunately stem from mishandling of PHI that does not fall within those exceptions.

Healthcare organisations need to implement strong security measures that address all the forms of unintentional HIPAA violation described above, so that the gaps are fixed appropriately. Without stringent measures and processes in place, the organisation will face penalties for HIPAA violations as well as the consequences of the data breach itself. In short, organisations must cover their bases to ensure they are running a secure and HIPAA-compliant working environment across all healthcare operations and processes.

Narendra Sahoo is the Founder and Director of VISTA InfoSec
