What to Do After a Potential HIPAA Violation


    We tend to worry the most about HIPAA violations that result from bad actors. A hacker gets into your computer and downloads the data. A thief steals your cell phone, which has unsecured protected health information about clients stored on it. A disgruntled staff person decides to CC all of your current clients on an email. 

    These things happen, and of course every health care practitioner should take meaningful steps to reduce risk. But most HIPAA violations actually aren’t the result of bad actors. They’re the result of human error. In other words, they’re common, well-intentioned mistakes. A patient authorizes the release of PHI, but you accidentally email it to the wrong address. You don’t realize that you’ve connected to a telehealth session where someone else in your home can overhear on a Bluetooth-connected device.

    What’s Considered a HIPAA Violation?

    Regardless of whether a potential HIPAA violation was the result of an honest mistake or a bad actor, there are specific steps that you must take as soon as you discover the potential violation. It may be tempting to sweep such an event under the rug and pretend that it never happened. But doing so only compounds the risk to you and your clients. You can reduce this risk—and work quickly to restore trust—by determining what happened, and reporting violations when necessary.

    The process starts with a four-part analysis of whether unsecured PHI has been compromised. To do this, look to the following considerations:


    1. The nature of the information
    What type of PHI has potentially been compromised? Could it be used to re-identify clients? Client or patient numbers, for example, represent PHI. But if they aren’t accompanied by other potentially re-identifiable information—such as birth dates—patient numbers in and of themselves may not present high risk that the information could be tied back to specific patients. The more sensitive the information involved is, the greater the risk. (Note that if the only information breached was electronic PHI that was encrypted or otherwise unreadable, there is no need for reporting.)

    2. Who received or accessed the information
    If the information was sent to another health care professional, they also have familiarity with HIPAA and a legal obligation to protect PHI. On the other hand, someone who could use the information to exploit patients or otherwise further their own interests presents much higher risk.

    3. Whether the information has likely been viewed
    If you accidentally hand someone a client file, and then realize your mistake and immediately have the person hand the file back, then the PHI likely hasn’t been viewed, and you likely wouldn’t need to report it. It can be much harder to determine whether electronic PHI has been viewed by the person who received it.

    4. Whether there has been any risk mitigation
    If the information was mistakenly emailed to the wrong person, did you get written assurance from the recipient that it would not be further distributed? If your phone or laptop was lost or stolen, were you able to immediately block access or wipe the device’s memory?

    Examine these four factors to determine the likelihood of a breach, and the potential impact of that breach. If you believe that there is a low probability that PHI has actually been compromised, you may choose not to report it. However, you do have a responsibility to document how you reached that conclusion.


    How to Report a HIPAA Violation

    If you conclude that a breach has occurred (and to be clear, this should be your default position when PHI is lost, stolen, or improperly accessed, unless the review process above leads you convincingly to believe differently), there are additional steps you must take. Those steps depend in part on how many clients’ information has been compromised.

    Step 1: Notifying clients
    Clients whose data may have been compromised must be notified individually, typically by phone or in writing, “without unreasonable delay,” and within 60 days of the discovery of the breach. If the breach involves 10 or more clients for whom you have out-of-date or inaccurate contact information, you should post the notification on the homepage of your website for at least 90 days. That notification must include a toll-free number clients can call for assistance in determining whether their data was involved in the breach.

    Step 2: Notifying HHS
    The Department of Health and Human Services should be notified of the breach. For breaches impacting fewer than 500 clients, you can notify HHS within the first 60 days of the next calendar year. For breaches impacting more than 500 clients, HHS must be notified within 60 days of your discovery of the breach. Check the HHS website directly for more information about breach reporting, as well as for the breach notification forms you need to file.

    Step 3: Notifying the media 
    For breaches impacting more than 500 clients, a media outlet that serves the area where your clients live must also be notified about the nature and extent of the breach. This ensures that any clients who, for whatever reason, don’t receive your individual notice can still learn of the breach. 

    Practitioners are sometimes reluctant to report potential HIPAA violations out of fear that they’ll be punished. However, it’s relatively uncommon for these notifications to result in any actions from HHS, or for any clients to lodge complaints that may lead to actions from a licensing board. HHS, clients, and licensing boards usually all recognize that even with strong protections in place, mistakes sometimes happen. 

    Your diligence in responding to the discovery of a breach can go a long way in reinforcing goodwill and preventing any action against you. On the other hand, if you fail to report a breach and it is later discovered by your clients or other authorities, they may infer that both the breach and your failure to report it were the result of irresponsibility or even bad faith—both of which can erode their trust far more than reporting the breach in the first place would have. 

    There are specific requirements for the content of the breach notification letter you send to clients. You must describe the nature of the breach, including the date it occurred and how you discovered it. You also must specify what PHI may have been accessed, and detail the steps you’re taking in response. You also have to include free and accessible contact information where your clients can find more information. To make this process a bit easier, you can use a letter template that you customize to your specific situation. 

    Data breaches can be frightening for professionals and clients alike. It’s often the response to a breach, rather than the existence of a breach, that says the most about you as a professional. If you treat it as a learning experience, follow through on your reporting responsibilities, and take steps to reduce the risk of future breaches, you can effectively and professionally get through a difficult moment. 


    Disclaimer: This article is for informational purposes only, and should not be considered legal or ethical advice. For specific guidance for your situation, consult with an attorney or your professional liability insurer.
