HIPAA Breach

HIPAA privacy and security violations can cost covered entities and their business partners fines ranging from $110 to $55,100. (45 CFR 160.404). The Office for Civil Rights (“OCR”) must impose a required fine of $11,002 to $55,100 if the infraction was the product of “willful disregard.” (45 CFR 160.404). To make matters worse, under HIPAA’s “willful negligence” provisions, covered entities and their business partners who fail to self-report breaches of unprotected protected health information (“PHI”) to HHS and the impacted individual may be subject to statutory fines. The good news is that as long as the covered entity or business associate did not engage in “willful disregard” and fixed the issue within 30 days, the OCR cannot levy a fine. (45 CFR 160.410(b)).

Reacting to Potential HIPAA Breache: Given the potential repercussions, it is imperative that covered businesses and business partners respond to any HIPAA breaches appropriately in order to avoid or reduce their exposure. The actions listed below can be taken to help you spot HIPAA breaches and take prompt action.

1 Stop the breach

A breach’s repercussions may be avoided or lessened with quick intervention. Get assurances from recipients that they haven’t used or revealed the PHI and/or won’t use or disclose PHI that was improperly accessed before stopping any improper access to PHI and retrieving any PHI that was mistakenly disclosed. Keep a record of your actions and the recipient’s reaction.

2. Contact the privacy officer

A appointed privacy officer who (ideally) possesses the education and experience necessary to thoroughly investigate and react to a possible breach is required for each covered organisation. Workforce members should be trained to notify the privacy officer as soon as they become aware of a breach so that appropriate action can be taken to investigate, mitigate, and respond to any potential breach (see 45 CFR 164.404(b); 78 FR 5647). Deadlines for responding to breaches typically run from the date that anyone in the organisation knew of the breach except the person committing it.

3. React quickly

There are at least four reasons why prompt, suitable action is essential. The effects of any breach must first be actively mitigated by covered companies. (45 CFR 164.530(f)). An essential consideration in assessing whether a breach needs to be disclosed is whether timely action can assist prevent or reduce subsequent breaches. (45 CFR 164.402). Thirdly, as was previously said, a covered corporation or business associate may avoid fines if a violation is corrected within 30 days. (45 CFR 160.410(b)). Fourth, the breach notification regulation mandates “without unreasonable delay,” but no later than 60 days following discovery, the provision of notice of reportable breaches. (45 CFR 164.404).

4. Impose penalties

Employees who violate HIPAA or privacy policies must face appropriate punishments, which covered organisations must impose and record. (45 CFR 164.530(e)). The punishment should be appropriate for the crime; options include a written warning, more training, suspension, or termination.


Comments are closed