Three Exceptions to Unintentional HIPAA Violations

  • Published: Jul 30, 2024
  • The majority of HIPAA violations are unintentional.
    There’s no need for statistics to validate the statement I just made. Instead, all you need to do is think about it.
    Do you think most organizations or the employees working for them go out of their way to expose the sensitive data of their patients? The answer to that question for the majority of cases is no.
    LINKS:
    ____________________________________________
    etactics.com/blog/examples-of...
    ____________________________________________
    The reality is that healthcare organizations and their business associates want to do whatever they can to safeguard the protected health information (PHI) of their clients.
    Of course, that doesn’t mean a breach due to malicious intent by an employee hasn’t happened before.
    In 2003, Dr. Huping Zhou snooped into the medical records of four high-profile celebrities. His case was one of the first ever in which the HIPAA violation that occurred was malicious.
    So if most violations are unintentional, why does the Department of Health and Human Services (HHS) dole out fines at all?
    Well, it comes down to criteria spelled out within a section of the regulation.
    The HIPAA Breach Notification Rule states that an impermissible use or disclosure of PHI is a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors: the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the protected health information or to whom the disclosure was made; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated.
    Not everything that happens with HIPAA is considered a breach.
    Luckily, this section also defines three exceptions to a breach. Let’s go over each exception and give clear examples of unintentional HIPAA violations based on them.
    The first HIPAA violation exception is called an unintentional acquisition.
    In order to truly understand what that is, let me paint a picture for you.
    Let’s say you, as the doctor, just got done with a routine appointment with one of your most loyal patients, Jack A. Smith.
    Of course, after the appointment, your front office will schedule a follow-up with Jack, make updates to his medical record, and begin the billing process.
    However, while accessing the hospital’s electronic medical record system (EMR) your employee accidentally enters the wrong middle initial. The result brings up the medical record for Jack B. Smith, a patient from a different department. The problem here is that your employee, although obviously authorized to view PHI, doesn’t have internal approval to view Jack B. Smith’s record.
    Is this a breach?
    Well, the access or use made by the employee in this example happened in good faith and within the scope of authority, which is the definition of the unintentional acquisition exception.
    The second type of HIPAA violation exception is what’s called an inadvertent disclosure.
    At your healthcare organization, you have safeguards in place as a way to combat oversharing PHI. These safeguards include asking your employees to talk about patients without using their names and setting screensaver times for when computers aren’t in use.
    Even with those rules in place, though, it’s still possible that one of your employees sees PHI they don’t have permission to view.
    Like any business, you want your employees to build camaraderie. After all, if your team builds strong, friendly relationships, they’re going to be happier when they come into work.
    One of the best ways to build a positive culture with your employees is to encourage them to take each other to lunch. Of course, in order to go to lunch, they have to see if there’s any interest. In other words, they’d have to walk to your office.
    Well, now that it’s lunchtime they’re headed to your office. Once they’re standing in your doorway they knock and you turn your chair around to chat with them before heading out.
    The problem here is that once you turn your chair around, it exposes your computer’s screen. Naturally, your new coworker catches a glimpse of what you have open on it: the record of the patient that’s coming in later that day. This employee isn’t allowed to see this.

Comments • 10

  • @angelaaglaee6879 4 months ago

    I am so glad I saw this video and understand the examples.
    SCI CLASS
    Angela, Audrey, Sammantha, and the other girl

  • @Bigmonto 2 years ago +3

    I went to an emergency room a couple months ago and they were packed. They did my IV behind the desk in a chair right next to another patient talking to their doctor, and I could easily see all the computers they were working on. Plus I could hear everyone’s stories because I sat there for an hour. It was crazy.

  • @DerekWitt 1 year ago

    Last night, I was discharged from a local hospital’s emergency room.
    On the back of my discharge papers was a page that contained another patient’s private information. This page was stapled to the back of my discharge papers upside down.
    The other patient’s name was nowhere close to mine.
    I immediately returned back to the ER front desk and showed that page to them.
    That hospital told me they take PHI issues like this very seriously. I don’t know how someone would blindly pick up pages from a printer without actually looking at the pages and confirming they got the correct patient.

  • @RENEEMARIE116 3 years ago

    What about email? I had to send a mass email to patients with the same email; thought I did BCC but I didn’t. There was no way to change or stop it. There were only email addresses shared. What can be done?

  • @Oblivious__EDC 2 years ago

    A psych doctor just refuses to give me my medical records, idk what to do

    • @Cashhhhew 2 years ago

      That is a violation of HIPAA; they are required to give your records to you in a timely manner. I hope you got them! If not, you definitely have a potential for a lawsuit.

  • @insidexistance 3 years ago

    Took my mom to her doc's appointment. When she was finished they gave her a printout of her profile and medical info. We got home and realized it was the wrong patient's printout. Which means they've been passing out people's printouts one person off (at least).
    My mom has since passed away. They won't give me her medical records, even though I'm her emergency contact. I'm slowly leaning towards "outing" that hospital for the previous HIPAA violation because they won't give me my mom's records. Also, I don't have her patient # needed to fill out a Medical Authorization form to request the records. Advice?

    • @Etactics 3 years ago

      We can't give you any legal advice, but your local legal team may be able to answer these questions.

  • @josephsimon4580 1 year ago

    HIPAA does nothing. I presented a case that was so obvious a blind man could see it. The discloser was so satisfied at what he did he moved to another department to start over in disclosing his new victims, this RN who then became an NP all in a matter of 6 months, no previous experience or education, here in San Diego, California.

  • @jannetterey331 2 years ago

    I went back to my doctor about a medication, I have reaction and the doctor his medical assistant they are conversation about my medical issues also to another patient too also my information text the conversation was back and answer the doctor and medical assistant