What to Do After a Potential HIPAA Violation
Wondering what to do after a potential HIPAA violation?
First, let’s consider some of the most common ways HIPAA violations happen.
Most common ways HIPAA violations happen
We tend to worry the most about HIPAA violations that result from bad actors.
For example, a hacker may get into your computer and download the data. Or a thief might steal your cell phone, which has unsecured protected health information about clients stored on it. Perhaps even a disgruntled staff member at your group practice could decide to CC all of your current clients on an email.
These things happen, and, of course, every health care practitioner should take meaningful steps to reduce risk, including using HIPAA-compliant practice management software with the latest security features.
However, all that said, most HIPAA violations actually aren’t the result of bad actors.
They’re the result of human error.
In other words, HIPAA violations are most often caused by common, well-intentioned mistakes.
For instance, a patient may authorize the release of PHI, but you accidentally email it to the wrong address. Or, you might not realize that your telehealth session is playing through a Bluetooth-connected device that someone else in your home can overhear.
What’s considered a HIPAA violation?
Regardless of whether a potential HIPAA violation was the result of an honest mistake or a bad actor, there are specific steps that you must take as soon as you discover the potential violation.
It may be tempting to sweep such an event under the rug and pretend that it never happened. But doing so only compounds the risk to you and your clients.
You can reduce this risk—and work quickly to restore trust—by determining what happened and reporting violations when necessary.
The process starts with a four-part analysis of whether unsecured PHI has been compromised. To do this, look to the following considerations:
1. The nature of the information
What type of PHI has potentially been compromised?
Could it be used to re-identify clients?
Client or patient numbers, for example, represent PHI. However, if they aren’t accompanied by other potentially re-identifiable information—such as birth dates—patient numbers alone may not present a high risk that the information could be tied back to specific patients. The more sensitive the information involved is, the greater the risk. (Note that if the only information breached was electronic PHI that was encrypted or otherwise unreadable, there is no need for reporting.)
2. Who received or accessed the information
If the information was sent to another health care professional, they also have familiarity with HIPAA and a legal obligation to protect PHI. On the other hand, someone who could use the information to exploit patients or otherwise further their own interests presents a much higher risk.
3. Whether the information has likely been viewed
If you accidentally hand someone a client file, and then realize your mistake and immediately have the person hand the file back, then the PHI likely hasn’t been viewed, and you likely wouldn’t need to report it. It can be much harder to determine whether electronic PHI has been viewed by the person who received it.
4. Whether there has been any risk mitigation
If the information was mistakenly emailed to the wrong person, did you get written assurance from the recipient that it would not be further distributed? If your phone or laptop was lost or stolen, were you able to immediately block access or wipe the device’s memory?
Examine these four factors to determine the likelihood of a breach, and the potential impact of that breach.
If you believe that there is a low probability that PHI has actually been compromised, you may choose not to report it.
However, you do have a responsibility to document how you reached that conclusion.
How to report a HIPAA violation
If you conclude that a breach has occurred (and to be clear, this should be your default position when PHI is lost, stolen, or improperly accessed, unless the review process above leads you convincingly to believe differently), there are additional steps you must take. Those steps depend in part on how many clients’ information has been compromised.
Step 1: Notifying clients of a HIPAA violation
Clients whose data may have been compromised must be notified individually, typically by phone or in writing, “without unreasonable delay,” and within 60 days of the discovery of the breach.
If the breach involves 10 or more clients for whom you have out-of-date or inaccurate contact information, you should post the notification on the homepage of your website for at least 90 days.
That notification must include a toll-free number clients can call for assistance in determining whether their data was involved in the breach.
Step 2: Notifying HHS of a HIPAA violation
The Department of Health and Human Services should be notified of the breach.
For breaches impacting fewer than 500 clients, you can notify HHS within the first 60 days of the next calendar year.
For breaches impacting more than 500 clients, HHS must be notified within 60 days of your discovery of the breach.
Check the HHS website directly for more information about breach reporting, as well as the breach notification forms you need to report.
Step 3: Notifying the media
For breaches impacting more than 500 clients, a media outlet that serves the area where your clients live must also be notified about the nature and extent of the breach. This ensures that any clients who, for whatever reason, don’t receive your individual notice can still be informed.
Practitioners are sometimes reluctant to report potential HIPAA violations out of fear that they’ll be punished. However, it’s relatively uncommon for these notifications to result in any actions from HHS, or for any clients to lodge complaints that may lead to actions from a licensing board. HHS, clients, and licensing boards usually all recognize that even with strong protections in place, mistakes sometimes happen.
Your diligence in responding to the discovery of a breach can go a long way in reinforcing goodwill and preventing any action against you.
On the other hand, if you fail to report a breach and that’s later discovered by your clients or other authorities, they may infer that both the breach and your failure to report it were the result of irresponsibility or even bad faith—both of which can erode their trust more than reporting the breach in the first place.
Sending a HIPAA breach notification letter to clients
There are specific requirements when it comes to the content of the breach notification letter you send to clients.
For example, you must describe the nature of the breach, including the date it occurred and how you discovered it. Additionally, you must specify what PHI may have been accessed, and detail the steps you’re taking in response. Finally, it’s essential to include free and accessible links where your clients can find more information.
To help make this process easier, use this HIPAA breach notification letter template that you can customize to your specific situation.
Data breaches can be frightening for professionals and clients alike. It’s often the response to a breach, rather than the existence of a breach, that says the most about you as a professional.
If you treat it as a learning experience, follow through on your reporting responsibilities, and take steps to reduce the risk of future breaches, you can effectively and professionally get through a difficult moment.
Stay secure with HIPAA-compliant client messaging
SimplePractice practice management software is an EHR system that includes HIPAA-compliant Secure Messaging that makes it easy to securely communicate with your clients and team members.
Try SimplePractice free for 30 days. No credit card required.
Disclaimer: This article is for informational purposes only, and should not be considered legal or ethical advice. For specific guidance for your situation, consult with an attorney or your professional liability insurer.