Unfortunately, a person's protected health information can be exposed, and such an exposure may constitute a HIPAA violation. When it does, the covered entity or business associate responsible for the exposure can be required to comply with the HIPAA Breach Notification Rule. This applies regardless of whether the unauthorized exposure was accidental or willful. However, not every disclosure is a breach.
Although the rule defines what does and does not constitute a breach (for example, unintentional good-faith access by a workforce member, inadvertent disclosure between two authorized persons within the same organization, and disclosures where the recipient could not reasonably have retained the information are treated as exceptions), some organizations may decide to set the exceptions aside and go through the notification process anyway, to promote goodwill or to limit the PR damage.
When the breach involves unsecured information (information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption or destruction), the entity that exposed it may be required to notify the affected individuals, the Secretary of Health and Human Services and, in some cases, the media.
In the first case, notice is given in writing by first-class mail, or by email if the individual has agreed to receive electronic notice. There are situations where multiple individuals are affected but the entity does not have current contact information for them. When this is true for ten or more individuals, the entity must provide substitute notice, either by a conspicuous posting on the home page of its website or through major print or broadcast media serving the areas where the affected individuals likely reside, together with a toll-free number that remains active for at least 90 days. All of these notifications must be made without unreasonable delay and no later than 60 calendar days after the discovery of the breach.
In the second case, the entity notifies the Secretary by submitting a breach report form. How soon depends on how many individuals are affected: if the breach involves 500 or more people, the report must be submitted within the same 60-day window as the individual notices; breaches affecting fewer than 500 people are logged and reported annually, within 60 days of the end of the calendar year in which they were discovered. In the third case, a breach affecting more than 500 residents of a single state or jurisdiction also requires notice to prominent media outlets serving that area, again within 60 days of discovery.
Preventing Additional Violations
Finally, organizations subject to the HIPAA rules are required to maintain written policies and to train their workforce to avoid negligent, inadvertent or willful disclosures. They are also required to apply sanctions to workforce members who violate those policies.
The HIPAA rules exist to protect people's information. When those rules are ignored or violated, harsh penalties should be handed down. The trust between physician and patient must be preserved, and confidentiality is of the utmost importance, especially when it comes to healthcare information.