Inadvertent Disclosures under HIPAA: Best Practices to increase compliance and reduce liability


Post By: Raj Shah, Senior Regulatory Attorney at MagMutual & Zari Shah, Risk Intern at MagMutual.

Inadvertent disclosures and the unintentional acquisition of protected health information (PHI) are situations in which a patient's PHI is exposed by mistake. The HIPAA Breach Notification Rule carves out a narrow exception for these incidents: when the PHI stays within a covered entity's (or business associate's) own authorized workforce, the mistake is made in good faith, and the information is not further used or disclosed, the incident is excluded from the definition of breach and does not require notification. Outside those conditions, an unintentional disclosure is still presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Either way, if the risks associated with the disclosure are not mitigated properly, misuse or onward transmission of the exposed data can ultimately harm the patient.

If an inadvertent disclosure has occurred, there are several steps a healthcare organization can take to avoid further damage. It should assess the nature and extent of the disclosure, the type of information involved, and who received it. It should notify the recipient of the unintentional disclosure and ask them to destroy or return the data without using or forwarding it. If the data was actually acquired and viewed, the recipient should still destroy it to prevent further transmission and disclosure.

In general, entities can increase HIPAA compliance by providing annual training, sending compliance reminders to medical staff, setting stricter workplace guidelines for handling patient data, providing a more secure method of communication, and staying up to date with HIPAA regulations.

What is an inadvertent disclosure?

An inadvertent disclosure is an event in which a health professional unintentionally reveals protected health information (PHI) to a person who is not authorized to receive it.

Inadvertent disclosures and breach notifications

Generally, if PHI is disclosed in a way the Privacy Rule does not permit, a breach is presumed to have occurred unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised. When an incident is a breach, the affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, regardless of the number of people involved. The size of the breach affects the other notices: HHS must be notified within the same 60-day window if 500 or more individuals are affected (smaller breaches are logged and reported to HHS annually), and breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets. The rule excludes three situations from the definition of breach, each of which applies only if the PHI is not further used or disclosed in a way the rule does not permit:

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of their authority
  • Inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement
  • A disclosure where the covered entity or business associate has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information

An inadvertent disclosure that meets one of these exceptions does not require notification. One that does not (for example, PHI sent to an outside party) must go through the risk assessment described below.

What are the associated risks of inadvertent disclosures?

If the information is actually accessed or viewed, an unintentional disclosure of PHI puts the patient at risk because the data can be misused or further transmitted to other entities or personnel. If the exposed data is especially sensitive (for example, a diagnosis, a Social Security number, or treatment history), it can be used against the patient to harm them.

Common HIPAA errors with inadvertent disclosures:

Fax or email is sent to a member of staff in error

One of the most common mistakes is inadvertently disclosing PHI by email or fax. For example, a physician may fax a document containing PHI to another member of staff in error, or a medical staff member may email a bill containing PHI to the wrong address. Whether the incident falls within the breach exception depends on who received it: a misdirected message to another authorized member of the same organization's workforce may qualify, provided the PHI is not used or forwarded further, while a message sent to an outside address is a presumed breach that must be risk-assessed. In either case, the risk can be reduced by immediately contacting the recipient and asking them to destroy the PHI, ideally before it is viewed. If the recipient has already viewed the PHI, destroying it still limits any further disclosure, and the organization should record the contact and the recipient's confirmation as part of its assessment.

Disclosing protected health information (PHI) of the wrong patient to authorized personnel

Another common scenario is sharing medical information about the wrong patient with authorized personnel. For example, a physician may intend to share one patient's PHI with another authorized member of staff but accidentally share the PHI of a different patient instead. This is the situation the inadvertent-disclosure exception is written for, but it only applies if the information goes no further. To mitigate risk, the recipient must destroy the PHI without using it, and the sender should then send the correct record.

Releasing the wrong document that has not been approved for release – even if the patient is correct

A medical staff member may send the wrong document about the correct patient to another member of staff. Even when the patient is correct and the recipient is authorized to view certain documents, the particular document sent in error may contain PHI that the recipient was not authorized to receive. For example, a physician sends unrelated PHI to a radiologist. While the radiologist is authorized to view certain PHI for that patient, the specific information disclosed was not. Under these circumstances, the physician should immediately notify the radiologist and ask them to destroy the document to avoid further disclosure.

Steps to take once an unintentional disclosure has been discovered

Several steps should be taken once an unintentional disclosure of PHI has been discovered, both to follow HIPAA compliance policies and to mitigate damage. These are the four factors the Breach Notification Rule requires a covered entity to weigh when assessing the probability that PHI has been compromised. First, assess the nature and extent of the PHI involved, including the types of identifiers disclosed and the likelihood that the information could be used to re-identify the patient. Disclosed information could include a patient's name, date of birth, Social Security number, diagnosis, phone number, address, treatments received, or other demographic information. Second, consider the unauthorized person who received or used the PHI, and in particular whether they are themselves obligated to protect it (for example, another HIPAA-covered provider). Third, determine whether the PHI was actually acquired or viewed, or whether the opportunity existed but was not taken (for example, an unopened email that the recipient deleted on request). Finally, determine the extent to which the risk has been mitigated, such as by obtaining the recipient's written assurance that the PHI was destroyed and not further used. Document the assessment and its outcome: the covered entity carries the burden of proving that an impermissible disclosure was not a breach, and it cannot do so without a record. To prevent further damage, the disclosed PHI should be destroyed and no further disclosures should be made unless permitted by HIPAA.

How to safeguard protected health information (PHI) and avoid common mistakes

If an unintentional disclosure has occurred, take responsibility and help prevent further harm by reporting the incident internally to the privacy officer, ensuring the misdirected PHI is destroyed or returned, and, where the incident is a breach, notifying the affected individual(s) and HHS within the required time frames. To increase future compliance and reduce liability, employers can send employees reminders, provide annual training, set stricter guidelines for handling patient data in the workplace, provide a more secure method of communication, and stay up to date with HIPAA regulations.

To summarize:

Once an unintentional disclosure has been discovered, compliance professionals should:

  • Assess the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • Evaluate who received the PHI and whether they are obligated to protect it
  • Determine whether the information was actually acquired or viewed
  • Mitigate the risk and document the assessment and its outcome

How to avoid common mistakes to increase HIPAA compliance in your organization and reduce liability:

  • Take responsibility for the incident
  • Report the incident internally and, where it is a breach, to the affected individual(s) and HHS
  • Notify the recipient of the misdirected PHI and have it destroyed or returned
  • Send reminders to medical staff about the risks of inadvertent disclosures
  • Provide annual compliance training to employees
  • Set stricter guidelines for workplace etiquette to protect patient data
  • Provide a more secure way of communicating
  • Stay up to date with HIPAA regulations