Accidents or mistakes are bound to happen. Even when healthcare providers and business associates are compliant with the HIPAA Standards, there is always a possibility of unintentional or accidental disclosure of Protected Health Information (PHI). Examples of accidental disclosure of PHI include sending an email to the wrong recipient or an employee accidentally viewing a patient’s report; either leads to an unintentional HIPAA violation.

In this article, we will cover how healthcare providers, employees and business associates should respond in the event of an accidental PHI disclosure.

How should employees respond to an unintended HIPAA violation?

Despite every precaution taken, accidents can and do still happen. If an unauthorized employee gains access to a patient record, sends an email or fax to the wrong recipient, or causes any other form of accidental disclosure of PHI, they must make sure that the event is reported to the relevant authority immediately.

At that point the authority’s Privacy Officer can analyze the incident and suggest corrective measures or relevant procedures to reduce the potential damage. Incidents should be investigated, and risk assessments should be carried out. Further, the Department of Health and Human Services’ Office for Civil Rights (OCR) should receive a report about the incident that includes an account of what happened from the party involved.

Moreover, they should identify the specific patient records that were disclosed. Failure to report such a breach could result in a more serious security incident, as well as disciplinary action against both the employee and the employer.

How should covered entities respond to an unintended HIPAA violation?

Accidental HIPAA violations should be taken seriously and necessitate risk assessments that evaluate the level of compromise. The risk assessment should help to determine the following:

  • The nature of the breach,
  • The potential risk involved due to the breach,