What Is the Process for Handling HIPAA Unauthorized Disclosures?
With the industry averaging more than one data breach per day, unauthorized disclosures are a reality for today’s healthcare organization. We’ve all been there – a staff member accidentally miskeys a fax number, or a patient ends up with one page of another patient’s Protected Health Information (PHI) in their mailed medical records. What happens next determines whether you have a breach on your hands that must be reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). When notified that PHI may not have been delivered as directed, your Compliance Team needs to spring into action to mitigate any risk to the PHI.
Don’t have a Compliance Team? Not sure what steps and procedures define your processes for HIPAA unauthorized disclosures? Read on for recommendations and best practices for mitigating compliance risk.
Develop Your Investigation Protocol
When you become aware of a possible unauthorized disclosure of PHI, you want to mitigate the possible risk to that PHI as quickly as possible. Because we handle tens of thousands of records per week, our volume is substantially higher than most – and we have a designated Compliance Officer and support team. As a result, we’ve developed our Unauthorized Disclosure Investigation Protocol based on years of experience and countless records processed.
From the moment an employee becomes aware of a possible incident, he or she has a short amount of time to begin a Risk Assessment form and submit it to the Compliance Officer. In many organizations we’ve talked with, employees are fearful of admitting mistakes. Part of creating a culture of compliance is to reassure your team that “to err is human and to report is divine.” If your staff isn’t reporting the occasional error to you, it’s not because they’re not making them. It’s that they’re simply not admitting it. Not knowing about an incident is far worse for your organization than being aware and taking appropriate measures to mitigate the damage of the compromised PHI.
When an incident occurs, we rely on our team to notify us immediately. The Compliance Officer then begins working the Risk Assessment right away to research how the situation occurred. Time is of the essence: contact the unauthorized recipient as soon as possible and work with them to securely destroy or return the PHI. Additionally, to support a finding of low probability of compromise, obtain a written confidentiality statement from the unauthorized recipient attesting to the secure destruction or return of the PHI and assuring that nothing they viewed will be further used or disclosed.
Obviously, you want to do what you can to prevent these incidents from happening again. Any employees involved should be retrained by their supervisors on the appropriate best practices and auditing procedures. Following the completion of retraining, the Compliance Officer completes the Risk Assessment. On the HIPAA Risk Assessment, the Compliance Officer documents whether the PHI was actually acquired or viewed and determines the extent of the risk to the PHI, following both federal HIPAA requirements and applicable state law. The federal Breach Notification Rule (45 CFR 164.402) spells out four factors the assessment must weigh: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who received it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated, for example by the recipient’s confidentiality statement. Keep in mind that the 60-day clock is a ceiling, not a target: from the day your organization discovers a possible breach, any required notifications must go out without unreasonable delay and no later than 60 calendar days, and several states impose shorter deadlines. Your investigation therefore has to finish well inside that window.
Violation Versus Breach
Unauthorized disclosures typically fall into two categories: a violation or a breach. Occasionally a situation will present itself as neither a violation nor a breach, but still a “cause for pause” – we call these scenarios an “incident.” Every unauthorized disclosure falls into one of these three categories at the conclusion of the Risk Assessment. Ultimately, the category determines what next steps are needed, if any.
A violation is an unauthorized disclosure for which the Risk Assessment concludes there is a low probability that the PHI has been compromised. If this low risk is determined and supported by the Risk Assessment, reporting the incident to the OCR and the involved patient is not required. The completed Risk Assessment must still be retained, however, because the burden of proving that an incident did not rise to a reportable breach rests with your organization. For example, if PHI beyond what was authorized is disclosed to another covered entity, that entity has its own legal responsibility to protect the PHI. Upon confirmation that the covered entity has appropriately destroyed the information, the situation exhibits a low probability of compromise and can be classified as a violation.
In cases where you’re unable to demonstrate a low probability of compromise to the PHI, the unauthorized disclosure is presumed to be a breach. For instance, if you’re unable to obtain a confidentiality statement from an unauthorized recipient, you have no evidence that the risk was mitigated, and that alone would likely justify categorizing the situation as a breach. In these instances, you have the arduous tasks of reporting the breach to the OCR and notifying a possibly angry patient, explaining to them how their sensitive information was compromised.
It’s not just the infuriated patient your organization needs to worry about though. In May of 2017, the OCR issued fines to two separate organizations for breaches each affecting a single patient. These penalties broke the mold, as OCR had never previously issued fines for breaches impacting only one patient. Knowing that the OCR can impose fines of up to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision, is the stuff healthcare nightmares are made of.
Let Go of Your Liability
If you’re exhausted just thinking about the possibility of angry patients and hefty financial penalties, fortunately HIPAA offers another option – utilizing a business associate. Partnering with a business associate to handle your release of information offloads the work associated with records release, and under the HITECH Act a business associate is directly liable for its own HIPAA violations. Put simply, if the business associate has a breach, it is responsible for the investigation and mitigation, and it must notify you of the breach without unreasonable delay. Make sure your business associate agreement spells out who performs patient and OCR notification, since that duty stays with the covered entity unless the agreement delegates it.
ScanSTAT’s team of healthcare data experts is ready to handle this HIPAA compliance burden for you. While our accuracy rate is sky high, we’ve also experienced the occasional miskeyed fax number. We understand the importance of policies and procedures and have the processes in place to protect your PHI. When the rare mistake happens, we have the team to mitigate the risk – no sweat for you!
Ready to get the liability of a possible HIPAA incident off of your plate? Contact us today to discuss how we can help.