An unintentional HIPAA violation can happen to any organization. No matter how careful or HIPAA compliant your organization is, it is possible for employees or business associates to cause HIPAA violations accidentally. However, knowing the most common accidental violations can help covered entities to minimize them.
- Reporting Workplace HIPAA Violations
- Examples of HIPAA Compliance Violations That Do Not Need Reporting
- Examples of Unintentional Violations That Need Reporting
- HIPAA violation by Employer – Hacking by Unauthorized Entities
Reporting Workplace HIPAA Violations
Unintentional or accidental HIPAA violations fall into two categories. The first category consists of violations that do not need to be reported to the Office for Civil Rights (OCR). The second category consists of violations that you must report to the OCR.
Furthermore, HIPAA violations that affect more than 500 patients must be reported within 60 days of their occurrence, without unjustifiable delay. If the number of affected patients is fewer than 500, you can report the violations within 60 days of the end of the year.
In this article, you are going to discover examples of unintentional HIPAA violations.
Examples of HIPAA Compliance Violations That Do Not Need Reporting
Unintentional Violation by Authorized Persons
This can happen when an authorized person accesses or uses PHI in good faith and within the limits of their authority. In such a case, they only need to inform the covered entity’s Privacy Officer, and the Privacy Officer does not need to report it to the OCR.
This can happen when one employee sends ePHI to another employee and then realizes they sent it to the wrong email address, for instance because two employees within the same organization have similar email addresses.
This can happen during an email exchange between a health technician and a doctor. Essentially, the right information is sent to an intended authorized person.
When the receiving member of staff opens the email and realizes the PHI wasn’t meant for them, they permanently delete it and act on it no further. At that point, the sender should inform the Privacy Officer, who then acts according to the covered entity’s HIPAA policies and procedures.
Unintentional Disclosure of PHI by Authorized Persons
Sometimes an authorized staff member can send the wrong PHI to an authorized person without intending to do so. This can happen when, for instance, a radiology technician sends the scan of another patient instead of the one the doctor asked for.
In such a case, the doctor will open the PHI, realize it is the wrong information, and permanently delete it. They will then make another request to the technician for the right ePHI. Just as before, the technician has to report this error to the covered entity’s Privacy Officer for internal action.
Unintentional Exposure of PHI
This can happen when an authorized member of staff exposes PHI to an unauthorized person and then, realizing their error, retrieves it. This can happen, for instance, when a nurse places an X-ray scan in front of a visitor in the doctor’s office.
It is unlikely that the visitor can retain the PHI after seeing the scan for only a few seconds. However, the nurse still has to report the violation to the covered entity’s Privacy Officer.
Examples of Unintentional Violations That Need Reporting
Emailing Unauthorized Recipients
An authorized member of a covered entity can erroneously send ePHI to an unauthorized member of staff at a covered entity’s business associate. That happens easily when someone relies on the auto-suggest feature of the email client when entering a recipient’s email address.
In such a case, the staff has to inform the Privacy Officer, who in turn must report it to the OCR within 60 days, or at the end of the year. Furthermore, the covered entity must inform the affected patients or individuals of the violation.
However, if more than 500 individuals are affected, then, as mentioned above, the report to the OCR must be made as soon as possible and within 60 days of the violation.
Examples of Social Media HIPAA Violations
Commenting about a patient’s PHI on social media, even when there was no intention to share such information, is a HIPAA violation. For instance, in May 2017, Onslow Memorial Hospital in Jacksonville, NC, dismissed a 24-year-old employee after she commented about a patient online.
The employee had directed the comment at an accident victim, whom she claimed was not wearing a seat belt when the accident happened. The hospital did not see the comment as advice but as an example of a HIPAA violation on Facebook. The hospital also reported the incident to the OCR.
HIPAA violation by Employer – Hacking by Unauthorized Entities
This can happen if the servers hosting PHI get hacked and the covered entity has not encrypted the PHI stored on those servers. The employer did not authorize the hack, but they still bear responsibility for not maintaining the technical safeguards needed to prevent it.
In such a case, if the hack affected over 500 patients, they have to inform the OCR as soon as possible and within 60 days. Furthermore, they need to inform the affected patients and conduct an audit to find out the extent of the violation.
Conclusion – Unintentional HIPAA Violations
HIPAA violations can result in emotional pain and financial losses for the affected patients. With that in mind, it is important to be mindful of unintentional HIPAA violations and proactive in preventing them. We hope you found this guide informative and that you will take the right steps to minimize HIPAA violations at work.