Responding To An Unintentional HIPAA Violation

Healthcare organisations face numerous challenges protecting patient data, not least compliance with stringent US regulations.

The Healthcare Insurance Portability and Accountability Act (HIPPA) is a US law established to protect sensitive Patient Health Information (PHI) or data. Based on the regulation enforced the healthcare industry including the covered entities, business associates, and healthcare employees is required to focus and prioritise on maintaining the security and privacy of PHI data.

They need to take extra care and ensure that the HIPAA Rules are followed and prevent even the slightest possibility of accidental HIPAA violation.

Further, to set the record straight no accidental or unintentional HIPAA violations are exempted from fines and penalties. So, in case a healthcare employee accidentally views records of a patient or sends the patient’s report to the wrong person or some other kind of accidental disclosure of PHI, then it is essential as per the regulation that the incident is reported to the Privacy Officer and necessary measures are taken to respond to such situations.

Covering more on this in detail, we have in the article shared a few tips on ways to respond to unintentional HIPAA violations. But before that let us first, understand what is considered an unintentional HIPAA Violation. 

What Is Unintentional HIPAA Violation?

Accidental or unintentional disclosure of PHI data can result in HIPAA violations. This can further result in hefty fines and penalties. So, it is important that the covered entities or business associates are aware of what constitutes unintentional HIPAA Violation and establish preventive measures for the same. Also, the organization must be capable enough to respond to such incidents in case of violation. But before getting into the details of responding to an unintentional HIPAA Violation let us first learn what constitutes an unintentional HIPAA Violation. 

Inadvertent Disclosure or Acquisition of Data

For instance, an employee accidentally disclosing the PHI data by sending an email containing the information to the wrong employee is a classic case of Inadvertent Disclosure of PHI data. Sharing the medical information of a patient to another authorised employee or individual having permission to receive it, but by mistake receiving information of different patient’s results in inadvertent disclosure. Such information disclosure leads to a violation of HIPAA Regulations. However, the level of severity of the violation depends on the nature of Unintentional Access and/or Acquisition of Data. For instance, if such disclosure or access, is within the scope of authority for example an email containing ePHI was by mistake shared with a staff member. In this scenario, the error can be quickly rectified by securely destroying or getting the email deleted with no further disclosure of ePHI that could possibly limit the consequences.

Unintentional Access 

Unintentional access to data is somewhat similar to a situation of inadvertent disclosure. So, for instance, an employee has to a co-worker's desktop or laptop and when searching for a file accidentally opening another file for which he has no authorization or permit is an instance of unintentional access to sensitive data and HIPAA Violation. However, since the access was unintentional and no data was shared such violation can be contained and limit the consequences or impact of HIPAA Violation. But since it was viewed by an unauthorized person necessary steps should be taken to ensure that such unintentional access does not lead to any further breach of data. 

Employee Negligence 

Employee negligence is one of the most common human errors that result in HIPAA violations and data breaches. Employee negligence is a broad term when we speak of violation. This could be in terms of setting weak passwords or not changing default passwords to devices comprising sensitive data that can result in a hack or breach. This could even be in the case of an employee speaking to another co-worker about a patient’s case and revealing certain data or unintentionally sharing links or files comprising sensitive data. Such scenarios are often seen as common human errors that result in major HIPAA violations. 

Good Faith Belief 

As mentioned in the earlier example an employee in good faith sharing details of a patient to an unauthorized person who is not permitted to such disclosure or access of information also results in a violation of HIPAA. So, although this comes under the category of violation yet such instances do not need any breach notification. However, such incidents must be known to the organisation's appointed HIPAA Officer. The officer accordingly assesses the incident and determines whether or not they need any measures or a course of action. 

In other instances when there is a violation of HIPAA and breach of data, the incident must be reported to not just the appointed officer within the organisation but also to the Office for Civil Rights (OCR) within 60 days of the data breach discovery. Further, individuals affected due to the breach must also be notified about the breach without any unreasonable delay within 60 days of the data breach discovery. 

How to respond to HIPAA Violation? 

As mentioned earlier, in case of a data breach and HIPAA Violation, based on the severity of the incident the privacy officer must determine the plan of action to be taken to mitigate risk and reduce the potential for harm. As a first step toward responding to HIPAA violation, the officer will need to investigate the incident in terms of the risk exposure, and impact of the breach and report the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR). The report should include details of how the incident occurred, the number of people affected or possibly affected measures taken to limit the impact, etc. Failure to report the breach promptly can result in disciplinary action and potentially also result in high penalties for your employer.

Reporting to the Covered Entity 
HIPAA Rules require that any accidental HIPAA violations and data breaches be reported to the covered entity as early as possible or at least within 60 days of discovery without unnecessarily delay. Business Associates should give their covered entity all the details about the accidental HIPAA violation or breach along with necessary measures taken to mitigate the breach. Based on this report the covered entity can accordingly take the best course of action.

Measures to be taken by Covered Entity 
Although it turns out to be an unintentional HIPAA Violation, yet informing the officer is essential. This is to determine the severity of the violation and the required plan of action to be taken to minimise the risk and reduce the potential impact of the incident. The incident should be reviewed, and a thorough risk assessment should be performed and reported. The importance of reporting breaches, what constitutes a HIPAA breach, and measures to tackle the situation should be covered in the covered entity's employee HIPAA training program and must be accordingly implemented in an incident. 

Company-wide Measures 
Covered entities must keep a detailed record of all HIPAA breaches, including reports of the risk assessment and measures taken in response to the breach. The necessary breach information must be passed on to the relevant staff, customers, and stakeholders affected by the breach. Thereafter necessary security measures should be implemented to fix the gaps and loopholes that resulted in the breach. 

Conclusion 

More than often the HIPAA violations in the healthcare industry is an incident of unintentional violation of the regulation. Although there are exceptions in the Breach Notification rules yet unfortunately most of the violation happens due to mishandling of the PHI data which does not fall under the exception case.

Healthcare organisations need to implement strong and tight security measures including all the parameters of unintentional HIPAA violations to ensure the gaps are fixed appropriately. Without stringent measures and processes in place, the organisation will have to face penalties for HIPAA violations and the consequences of the data breach. In short, organisations will have to cover their bases to ensure they are running a secure and HIPAA-compliant working environment in all aspects of healthcare operations and processes.  

Narendra Sahoo is the Founder and Director of VISTA InfoSec

You Might Also Read: 

How To Prevent Healthcare Data Breaches:

 

« Best Practices For Cyber Security Awareness Training
General Motors Hack Exposes Car Owner Information »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

HDI

HDI

HDI is the worldwide professional association and certification body for the technical service and support industry.

Center for Internet Security (CIS)

Center for Internet Security (CIS)

CIS is a nonprofit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

Backup112

Backup112

Backup112 has been delivering professional cloud backup services since 2004.

Radiflow

Radiflow

Radiflow is a leading provider of cyber security solutions for critical infrastructure networks (i.e. SCADA), such as power utilities, oil & gas, water and others.

IQ Solutions

IQ Solutions

IQ Solutions is a Digital Integrator and an ICT Services Provider, focusing on innovative Cyber Secured ICT managed solutions tailored to the needs of the Maritime Industry.

Database Cyber Security Guard

Database Cyber Security Guard

Database Cyber Security Guard (aka Don't Be Breached) informs Security Professionals and DBAs of Zero Day, Ransomware and Data Breach attacks within milli-seconds

Intelligent Business Solutions Cyprus (IBSCY)

Intelligent Business Solutions Cyprus (IBSCY)

IBSCY Ltd is a leading provider of total IT solutions and services in Cyprus specializing in the areas of cloud services and applications, systems integration, IT infrastructure and security.

BELAC

BELAC

BELAC is the national accreditation body for Belgium.

Axxum Technologies

Axxum Technologies

Axxum Technologies is a premier provider of Network Communications and Information Technology Security Solutions.

SecureStack

SecureStack

SecureStack helps software developers find security & scalability gaps in their web applications and offers ways to fix those gaps without forcing those developers to become security experts.

Immuta

Immuta

Immuta empowers data engineering and operations teams to automate data governance, security, access control & privacy protection.

Nineteen Group

Nineteen Group

Nineteen Group delivers major-scale exhibitions within the security, fire, emergency services, health and safety, facilities management and maintenance engineering sectors.

SNC-Lavalin

SNC-Lavalin

SNC-Lavalin is a fully integrated professional services and project management company with offices around the world.

Velum Labs

Velum Labs

Velum Labs is a cyber intelligence company that provides simple and non-intrusive, cloud and cyber intelligence solutions; built from a market-leading understanding of cyber-attack methodology.

inSOC

inSOC

inSOC is an enterprise-grade AI-driven SOCaaS solution detecting breaches 24/7 with vulnerability management built-in. Designed for MSPs and MSSPs.

GrayHats

GrayHats

GrayHats is a platform-based cybersecurity company devoted to delivering comprehensive, scalable, and proactive protection for businesses in an ever-evolving threat landscape.