How you respond to a possible HIPAA violation can depend on the nature of the possible violation, how you become aware of it, and where the event occurs.
For example, an alleged disclosure of more than the minimum necessary PHI in a circumstance that is unlikely to result in harm will be responded to differently than an allegation that a member of the workforce is stealing PHI to sell on the black market.
Additionally, you might become aware of a possible violation from a member of the workforce, a patient or plan member, or a regulatory agency such as HHS' Office for Civil Rights (OCR), the Centers for Medicare and Medicaid Services (CMS), or a State Attorney General.
Finally, if your organization is a Covered Entity, and a possible HIPAA violation occurs at a Business Associate, you may have to respond to it differently than if the event had occurred on-premises – especially if you are made aware of it by HHS' Office for Civil Rights.
Despite these variations, there are some common processes organizations should include in policies for responding to a possible HIPAA violation:
- Acknowledge the report of a possible HIPAA violation – explaining it will be investigated – and document both the report and the acknowledgement.
- Investigate the report – if it alleges an impermissible use or disclosure of PHI, confirm that the individual had not authorized the disclosure.
- If there is no HIPAA violation, reply to the originator of the report explaining why – enclosing supporting documentation if replying to a regulatory agency.
- If the originator of the report is a patient or plan member, explain in your reply how they can escalate a complaint if they are not satisfied by the response.
- If a HIPAA violation has occurred, develop a corrective action plan to remedy the cause of the violation and write to the originator explaining the action you are taking.
- If the remedy involves a material change to policies and procedures, organize refresher training so members of the workforce are aware of the material change.
- If the violation is attributable to the breach of a HIPAA policy covered by your organization's sanctions policy, enforce the appropriate sanction.
- If the violation involves a breach of unsecured PHI (as defined in §164.402), conduct a risk assessment to establish whether it is a notifiable breach.
- If the breach is notifiable, follow the breach notification procedures for notifying affected individuals and OCR – or FTC if your organization is not subject to HIPAA.
- Assist OCR or FTC with any subsequent investigation – demonstrating wherever possible your organization's good faith efforts to comply with HIPAA.
As you might become aware of a possible HIPAA violation via an internal communication, a verbal or written complaint from a patient or plan member, or a request for information from a regulatory agency, we have used the term “report” to signify all types of incoming notifications.
You might also become aware of a possible HIPAA violation via an internal compliance review, a risk assessment, or a HIPAA training session in which – for example – a member of the workforce asks a question about a non-compliant work practice. While we have not included these sources in our checklist, many of the processes for responding to a possible HIPAA violation are the same.