HIPAA Breaches: What to Do When a Medical Provider Mistakenly Sends Protected Health Information to the Wrong Patient
19 May
Imagine the following scenario (it is based on a true story, but no names are mentioned, for a reason... I like the mystery!). No, seriously: this happens with some regularity.
You are a medical worker at a HIPAA covered entity (say, a doctor's office). You use an encrypted email service to send prostate biopsy results to a patient. But you get a reply back from the recipient saying, "Ummm... I think you meant to send this to someone else. I am a woman, and I don't have a prostate." That is when you realize you made a typo in the email address. What do you do?
One of the key requirements of HIPAA is to notify patients in the event of a breach of their protected health information (PHI). This includes situations where a medical provider mistakenly sends PHI to the wrong patient.
Is this a HIPAA Breach?
A HIPAA breach is defined as an impermissible use or disclosure of PHI that compromises the security or privacy of the information. A breach can occur in many different ways, such as theft or loss of physical records, unauthorized access to electronic records, or accidental disclosure of information. Regardless of how the breach occurs, HIPAA requires covered entities to notify affected individuals in a timely manner. Mistakenly sending PHI to the wrong person is a breach.
When is Notification Required?
There are several possible addressees for HIPAA breach notification: affected patients, the Department of Health and Human Services (HHS), and, in certain circumstances, the media. A covered entity must notify HHS when a breach of PHI affects more than 500 individuals, and when that threshold is crossed it must notify the media as well. Covered entities are nonetheless encouraged to provide notification for all breaches, regardless of the number of individuals affected. Notification must be provided within 60 days of discovering the breach.
What Needs to Be Documented?
In the event of a HIPAA breach, covered entities must document the following:
- The date of the breach
- The date of discovery of the breach
- A description of the PHI involved in the breach
- The individuals who were affected by the breach
- A description of the steps taken to mitigate harm to affected individuals
- A description of the steps taken to prevent future breaches
- Any other relevant information
Documentation is critical in the event of a HIPAA breach. It not only helps covered entities comply with notification requirements but also serves as evidence of their efforts to protect patients' privacy and security. There is no special form: most medical practices have a general incident report form of some kind, which can be used so long as the information listed above is collected.
What Training Can Be Done to Mitigate Future Errors?
Prevention is key to avoiding HIPAA breaches. Covered entities can take several steps to reduce the risk of accidental disclosure of PHI, including:
- Staff Training: Covered entities must train their workforce on the proper handling of PHI. This includes training on HIPAA regulations, policies, and procedures related to the use and disclosure of PHI. At a minimum, covered entities should conduct yearly training, but we recommend additional training whenever an incident takes place.
- Technical Safeguards: Covered entities must implement technical safeguards to protect PHI from accidental disclosure. This includes using access controls, encryption, and secure messaging systems.
- Policies and Procedures: Covered entities must have policies and procedures in place to guide staff on the proper handling of PHI. This includes policies on sending PHI via email or fax and procedures for verifying patient identity before disclosing PHI.
- Risk Assessments: Covered entities must conduct periodic risk assessments to identify potential vulnerabilities in their systems and processes. This can help them proactively address areas of weakness before they lead to a breach.
- Incident Response Plans: Covered entities must have an incident response plan in place to guide their response in the event of a breach. This includes procedures for notifying affected individuals, the media, and regulatory authorities.
HIPAA breaches can be costly and damaging to both patients and covered entities. In the event of a breach, covered entities must document the breach and take steps to mitigate harm to affected individuals and prevent future breaches. Prevention is key to avoiding HIPAA breaches, and covered entities can reduce the risk of accidental disclosure of PHI by providing staff training, implementing technical safeguards, and having policies and procedures in place.