NGTEdu

A PRODUCT OF NGTECH.CO.IN

What Are the Ways to Respond to an Unintentional HIPAA Violation?

5 years ago Tripwire Guest Authors

Accidents and mistakes are bound to happen. Even when healthcare providers and business associates are compliant with the HIPAA standards, there is always a possibility of an unintentional or accidental disclosure of Protected Health Information (PHI). Sending an email to the wrong recipient, or an employee accidentally opening a patient's report they had no reason to see, are both accidental disclosures of PHI and therefore unintentional HIPAA violations.

In this article, we will cover how healthcare providers, employees and business associates should respond in the event of an accidental PHI disclosure.

How should employees respond to an unintended HIPAA violation?

Despite every precaution, accidents can and do still happen. If an unauthorized employee gains access to a patient record, sends an email or fax to the wrong recipient, or causes any other form of accidental PHI disclosure, they must make sure the event is reported immediately to the organization's designated authority, normally the Privacy Officer.

At that point the Privacy Officer can analyze the incident and prescribe corrective measures and the relevant procedures to limit the potential damage. The incident should be investigated and a risk assessment carried out. If the assessment concludes that the incident is a reportable breach (see the exceptions below), the Department of Health and Human Services' Office for Civil Rights (OCR) must receive a report that includes an account of what happened from the party involved.

The report should also identify the specific patient records that were disclosed. Failure to report such an incident can turn it into a more serious security incident, and can lead to disciplinary action against both the employee and the employer.

How should covered entities respond to an unintended HIPAA violation?

Accidental HIPAA violations should be taken seriously and necessitate risk assessments that evaluate the level of compromise. The risk assessment should help to determine the following:

  • The nature of the breach,
  • The potential risk involved due to the breach,
  • The risk of recurrence,
  • The kind of information involved, and whether the PHI was actually acquired or only viewed,
  • Details of the person having possession of the information,
  • Information about parties to whom the information was disclosed,
  • Data about the patient potentially affected, and
  • Verification as to whether the risk is mitigated and to what degree it is mitigated.

Once the risk is identified, it should be reduced to an acceptable level and managed. Notifications must then be issued in accordance with the HIPAA Breach Notification Rule. Note, however, that not every impermissible disclosure of PHI counts as a reportable breach. The rule defines three exceptions under which an incident does not have to be notified:

  1. Unintentional acquisition, access or use of PHI by a workforce member acting in good faith and within the scope of their authority, where the PHI is not further used or disclosed. For instance, an email sent to the wrong staff member, who opens and views it, realizes the mistake, securely deletes it and discloses it no further.
  2. Inadvertent disclosure of PHI by a person authorized to access PHI to another person who is also authorized to access PHI at the same covered entity or business associate, where the PHI is not further used or disclosed (for instance, handing the wrong patient's medical information to another authorized clinician).
  3. A good-faith belief by the covered entity or business associate that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information.

While these cases do not require breach notifications, workforce members who find themselves in such a situation are still expected to notify their Privacy Officer, and the covered entity should document the risk assessment that supports the exception. For any other breach of unsecured PHI, the affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. OCR must be notified within the same 60-day window when 500 or more individuals are affected; smaller breaches may instead be logged and reported to OCR within 60 days of the end of the calendar year in which they were discovered.

How should business associates respond to an unintentional HIPAA violation?

Business associates should inform their covered entity immediately in case of a HIPAA violation. A detailed report on the accidental HIPAA violation or breach should be provided to ensure the covered entity can accordingly determine the best course of action. The business associate agreement should contain all the procedures that need to be followed if an accidental HIPAA violation occurs.

The HIPAA regulations require a business associate to report a breach to the covered entity without unreasonable delay and no later than 60 days after discovery; the 60 days are an outer limit, not a target, and the notification should be sent as soon as possible. The covered entity should obtain every detail of the incident from the business associate in order to build a plan of action for dealing with the event, since the covered entity's own notification clock is running.

The best option is to always have the basic processes in place for HIPAA compliance. A stitch in time always saves nine.


About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec, a leading company in the infosec industry. He has more than 25 years of experience in the information technology industry and expertise in information risk consulting, assessment and compliance services. His company, VISTA InfoSec, has been instrumental in helping top multinational companies achieve compliance in areas such as PCI DSS, PCI PIN, SOC 2, GDPR, HIPAA, MAS TRM, PDPA and PDPB, to name a few. For his extensive contribution to the industry, Mr. Sahoo has been inducted into the CSI Hall of Fame and has been awarded the "Crest of Honor" by the Indian Navy.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post ” What Are the Ways to Respond to an Unintentional HIPAA Violation?” appeared first on TripWire

Source:TripWire – Tripwire Guest Authors

Tags: Compliance, Privacy, TripWire

Copyright © 2020 All rights reserved | NGTEdu.com