Unintentional Violations of HIPAA
While we all do our part to stay HIPAA compliant, there will be rare occasions where we unintentionally break that compliance. As an unfortunate result, action must be taken to repair the damage, and the violation must be reported to the OCR.
Here are a few common unintentional HIPAA violations.
Emailing Someone Who Isn’t an Authorized Recipient
An employee of a covered entity can accidentally send ePHI to an unauthorized member of the staff of a covered entity’s business associate. This can happen fairly easily when the employee relies on the email client’s auto-suggest feature while entering an address and doesn’t double-check that the recipient about to be selected, and sent to, is actually the correct person.
If such a case unfolded, the staff would have to inform their Privacy Officer, who in turn must report it to the OCR within 60 days, or at the end of the year. However, if the email reached more than 500 recipients, the Privacy Officer would need to report the breach to the OCR as soon as possible, within 60 days of it happening.
Social Media HIPAA Violations
This is probably one of the hardest violations to avoid for those who talk about their work on social media, especially when they see an article or picture of something they witnessed first hand. Commenting about a patient’s PHI on social media, even when the intention was not to share such information, is a HIPAA violation. A good example: in May of 2017, Onslow Memorial Hospital in Jacksonville, NC, dismissed an employee after she commented about a patient online.
While she never mentioned the patient by name, she gave enough information to identify where the patients from the car crash went after the accident, and she confirmed they weren’t wearing their seatbelts when she commented that they “Should’ve worn a seatbelt.” The hospital did not see the comment as advice but as an example of a HIPAA violation on Facebook, and it reported the incident to the OCR soon after.
While it’s obvious that the employer did not authorize the hack, they still bear responsibility for not keeping their technical safeguards up to date to prevent hacking in the first place. The OCR must be informed of the hack as soon as possible, within 60 days, especially when it involves more than 500 patients having their medical information stolen. The employer will also have to inform those patients of the breach and conduct an audit to determine the extent of the violation.