Every healthcare organization wants to avoid violating regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA, only staff involved in patient care, healthcare billing, and other critical processes should have access to protected health information (PHI), and even those people should have only the minimum access needed to do their jobs. Any other use or disclosure of PHI requires the patient's permission in advance.
Healthcare practices and their business associates must therefore perform their roles while adhering to HIPAA rules to avoid paying fines and facing other consequences. But good intentions don’t always translate to good results. Covered organizations may still commit violations, whether intentionally or unintentionally.
What Qualifies as an Unintentional HIPAA Violation?
HIPAA's Breach Notification Rule requires covered organizations and their business associates to notify patients when their PHI is impermissibly used or disclosed. However, not every impermissible use or disclosure of PHI qualifies as a reportable breach.
The responsibility falls on the organization's privacy officers to assess the nature of the incident. They must determine whether the accidental release of PHI has to be reported to the Department of Health and Human Services' Office for Civil Rights (OCR), and they must do so within the prescribed period. Not every incident must be reported to the OCR; examples include:
- PHI Was Accidentally Disclosed
This refers to scenarios where an authorized person or business associate inadvertently discloses PHI to another authorized person or business associate. Such incidents may occur even if a healthcare practice has guidelines that prohibit sharing or oversharing PHI.
A physician or nurse who does not lock their workstation or set a screensaver may accidentally expose patient data to unauthorized staff: they step away, and a person from a different department passes by and sees the data on-screen. Another scenario involves nurses forgetting that they are not allowed to mention names when talking about patients.
These accidental disclosures do not automatically constitute a breach. That said, organizations must have measures in place to prevent such near misses, such as rules on computer use and on maintaining patient confidentiality in work areas.
- PHI Was Unintentionally Acquired
This refers to cases where an authorized employee acquires patient information that they are not supposed to access. This typically occurs when a patient sets a follow-up doctor's appointment: while scheduling it, the authorized employee may type the wrong patient name into the electronic medical record (EMR) system, for example typing "John Doe" and clicking on the records of a patient named "John Doe, Junior."
In this case, the staff member who accessed the incorrect record is authorized to use the EMR system and view patients' records. Therefore, this does not automatically constitute a violation, because the PHI was accessed in good faith and within the scope of authority.
- PHI Was Sent to the Wrong Recipient
This refers to situations where a covered organization or business associate reasonably believes that the unauthorized person or organization who mistakenly received PHI would not have been able to retain the information.
An example of this is when a physician refers a patient to a specialist and emails the patient's details to the wrong specialist within the same hospital. If the unauthorized recipient confirms that the patient's information went straight to their junk folder and was deleted, the potential breach may be considered averted.
Examples of Unintentional HIPAA Violations
Ultimately, HIPAA violations may still occur for various reasons, whether because of a lack of staff training or simply because people do not realize they are committing a violation. Here are examples of unintentional HIPAA violations where the lack of guidelines on patient data protection and workplace etiquette can prove detrimental.
Posting on Social Media
Healthcare providers operate within an environment that places importance on data privacy. This is why those who post seemingly harmless thoughts about their job on social media may be penalized, along with the healthcare practice they work for, without knowing that they are violating HIPAA rules. For example, a nurse sharing an anecdote about an unnamed patient on Facebook or another social media platform may be considered a breach of patient privacy.
Denying Access to Medical Records
Not all HIPAA violations involve leaking confidential information. Some hospitals deny patients access to their own medical records for various reasons, which may itself count as a HIPAA violation. Hospitals that not only refuse to give patients their medical records but also charge an exorbitant fee for them may be subject to investigation and various penalties.
Using a Personal Device to Access PHI
Implementing a Bring Your Own Device (BYOD) policy in the workplace has many proven benefits, such as increased mobility and productivity. But in healthcare practices, a BYOD policy can result in reportable breaches. Physicians and other medical staff who use their own devices to access PHI are especially prone to this violation because their devices may not be properly secured (i.e., encrypted) and could be lost or stolen.
Charles IT helps businesses avoid costly fines as a result of HIPAA violations. Let our HIPAA Compliance experts handle the complex tasks of managing EMR systems and ensuring they’re consistently HIPAA-compliant. Schedule a HIPAA assessment today.
Editor's Note: This blog was originally published on April 12, 2021 and was edited on June 28, 2023 for accuracy.