True to Life Examples of Unintentional HIPAA Violations

Believe it or not, the majority of HIPAA violations happen unintentionally.

There’s no need for statistics to validate the statement I just made. Instead, all you need to do is think about it.

Do you think most organizations or the employees working for them go out of their way to expose the sensitive data of their patients? The answer to that question for the majority of cases is no.

The reality is that healthcare organizations and their business associates want to do whatever they can to safeguard the protected health information (PHI) of their clients.

Of course, that doesn’t mean a breach due to malicious intent by an employee hasn’t happened before.


We’ve seen examples of intentional violations that date all the way back to 2003 when Dr. Huping Zhou snooped into the medical records of four high-profile celebrities.

Not to mention a more recent breach in which a healthcare worker purposefully leaked, on social media, the medical information of someone who was dating her ex-boyfriend.

But if most violations are unintentional, why does the Department of Health and Human Services (HHS) dole out fines at all?

Well, it comes down to criteria spelled out within a section of the regulation.

The HIPAA Breach Notification Rule states that an impermissible use or disclosure of PHI is a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability of compromised PHI based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification

  2. The unauthorized person who used the protected health information or to whom the disclosure was made

  3. Whether the protected health information was actually acquired or viewed

  4. The extent to which the risk to the protected health information has been mitigated

Luckily, this section also defines three exceptions to a breach. Let’s go over each exception and give clear examples of unintentional HIPAA violations based on them.


Unintentional Acquisition

An unintentional acquisition is the first HIPAA violation exception.

In order to understand what this is, I’m going to explain an example situation of this exception occurring before giving the true definition.

Let’s say you, as the doctor, just got done with a routine appointment with one of your most loyal patients, Jack A. Smith.

Of course, after the appointment, your front office will…


However, while accessing the hospital’s electronic medical record system (EMR) your employee accidentally enters the wrong middle initial. The result brings up the medical record for Jack B. Smith, a patient from a different department. The problem here is that your employee, although obviously authorized to view PHI, doesn’t have internal approval to view Jack B. Smith’s record.

Is this a breach?

Well, the access or use made by the employee in this example happened in good faith and within the scope of their authority, which is the definition of the unintentional acquisition exception. So no, this is not a breach.

Inadvertent Disclosure

At your healthcare organization, you have safeguards in place as a way to combat oversharing PHI. These safeguards include asking your employees to talk about patients without using their names and setting screensaver timeouts for computers that aren’t in use.

Even with those rules in place, though, it’s still possible that one of your employees sees PHI they don’t have permission to view.


Here’s another scenario that explains an unintentional HIPAA violation.

Like any business, you want your employees to build camaraderie. After all, if your team builds strong, friendly relationships, they’re going to be happier when they come into work. Thus you’ll have a positive work culture. A positive environment for your employees leads to an increase in productivity by 13%.

One of the best ways to build a positive culture with your employees is to encourage them to take each other to lunch. Of course, in order to go to lunch, they have to see if there’s any interest. In other words, they’d have to walk to your office.

Let’s say that right before lunchtime you opened up the medical file of a patient who’s coming in for an appointment later that day. Since you’re their doctor, you have authorization to view their PHI.

Now, as a means to make your newest employee feel welcomed, you told them earlier that morning that you’d take them to lunch.


Well, now that it’s lunchtime they’re headed to your office. Once they’re standing in your doorway they knock and you turn your chair around to chat with them before heading out.

The problem here is that once you turn your chair around, it exposes your computer’s screen. Naturally, your new coworker catches a glimpse of what you have open on it: the record of the patient who’s coming in later that day. This employee isn’t allowed to see this.

Luckily, this isn’t a breach, and it leads us into the second unintentional HIPAA violation exception: an inadvertent disclosure of PHI by a person who’s authorized to access that sensitive information to another person authorized to access PHI at the same organization.

Good Faith Belief

If you’re a healthcare entity, you probably still have and actively use a fax machine at your office. That might seem startling to some readers considering that fax is widely believed to be a dead business practice.

But the reality is that fax is still very much thriving in 2020. In fact, businesses fax over 17 billion individual documents every year using this communication method.

Faxing in healthcare is still commonplace because it’s an easy way to transfer patient information from one facility to another. It still requires the use of paper, which has some security shortcomings associated with it.

We know that your employees are your biggest risk for causing a breach, which is why you host HIPAA training with them every year.


So, let’s say you recommended to one of your clients that they visit a specialist. The specialist hasn’t ever seen this individual before so they need your organization to send them the client’s medical records.

As a result of the specialist’s request, one of your office staff members faxes over the patient’s record. A problem arises, though, when the specialist calls your office a couple of days later, still asking you to fax over the information. There’s only one thing that could’ve happened: your staff member sent the patient’s PHI to the wrong fax number.

Luckily, a few hours after talking to the specialist on the phone, one of your business associates calls your office stating that they received your fax, realized it wasn’t for them and shredded it immediately. What a relief.

Crisis averted, right? Actually, yes. In this case, your organization avoided a breach.

The third exception to an unintentional HIPAA violation applies when a covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.

Enforceable Unintentional HIPAA Violations

Unfortunately, if what happened at your organization doesn’t fit within any of the exceptions laid out by the Breach Notification Rule, you have an enforceable unintentional HIPAA violation on your hands.

Thus, your organization garners unwanted attention from the Office for Civil Rights. This usually means an audit and potentially a fine.

But, just because a breach doesn’t fall under the expressed exceptions doesn’t mean you can’t define your own rules.


HIPAA violations usually point fingers at one or two individuals, but they’re really a systemic error. In other words, breaches give you insight into where your biggest risks lie. In order to fix these errors within your organization, you’ll need to tighten your restrictions.

Maybe you’ve faced a series of fines as the result of your employees accidentally leaking PHI on social media. The solution for this to stop happening is to draft a social media policy.

You don’t want your employees to work carelessly while they’re on the clock. That leads to mistakes that you simply can’t afford within the healthcare space. Thus, you’ll also define disciplinary measures that take effect if a breach occurs.

These are the tough realities we face when working within the healthcare space.

Conclusion

As I mentioned at the beginning, the majority of HIPAA violations are unintentional in nature.

Although the regulation’s Breach Notification Rule defines exceptions, the unfortunate reality is that most mistakes that happen when mishandling PHI won’t fall under them.

As a healthcare professional, you can’t count on your organization to function within the parameters of the unintentional HIPAA violation exceptions. If you do, you’re going to see breaches occur often and lose a lot of revenue due to fines from the HHS.

There’s no one way to stop breaches from happening. You have to cover all of your bases and ensure that you’re running a compliant working environment in all aspects of your organization.