How to Report a HIPAA Violation
Legally Reviewed and Edited by: Terry Cochran

NOTE: “This blog is for informational purposes only. Cochran, Kroll, & Associates, P.C does not provide services directly related to HIPAA violations.”
In recent years there has been a proliferation of health care data breaches, along with several sensational reports of large HIPAA privacy and security breaches caused by cyberattacks and ransomware attacks. Most breaches, however, result from stolen laptops or computers, the unsecured transmission of health information, ignorance, and the insatiable human need to gossip. A personal injury lawyer at Cochran, Kroll & Associates, P.C. can help you report a violation and manage a claim.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is federal legislation that provides data privacy and security provisions for safeguarding medical information. Two components that affect the privacy and security of your PHI (protected health information) are:
- HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule gives you rights over your health information and provides rules as to who can view or receive your information, whether written, electronic or oral.
- HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security in electronic form.
Guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act were incorporated into the HIPAA Omnibus Rule in 2013, which extended HIPAA obligations to the business associates of covered entities. In 2016, cloud service providers and other business associates were included as well.
The HIPAA Breach Notification Rule requires covered entities to notify patients following a data breach. In addition, each state may have additional privacy rules.
Protected Health Information Under HIPAA
The HIPAA Privacy Rule protects all 18 fields of “individually identifiable health information,” called “protected health information” (PHI), held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
PHI includes:
- Demographics, e.g., a patient’s name, address, birth date, and Social Security number
- Past medical history
- Physical or mental health condition
- Any care provided to an individual
- Information concerning the payment for the care provided that identifies the patient
- Information that there is a reasonable basis to believe could be used to identify the patient
For de-identified data, however, there are no restrictions on its use or disclosure. Such information may be used for research, data analysis, or similar purposes.
Covered Entities under HIPAA
Examples of covered entities:
- Health care providers
- Health plans
- Health care clearinghouses
Examples of HIPAA business associates of covered entities:
- Accounting or consulting firms
- Medical transcriptionists
- Pharmacy benefits managers
- Third-party administrators
- Mobile health application developers
- Anyone with access to PHI
Most Common HIPAA Violations
HIPAA breaches mostly fall into these categories:
- Uses and disclosures
- Access controls
- Notice of Privacy Practice
- Minimum Necessary Rule
- Improper Security Safeguards
Incidents include:
- Stolen/lost laptop, smartphone or USB device
- Business associate breaches
- EHR breach (access issues, e.g., looking at the records of patients you are not actively treating)
- Office break-ins
- Sending PHI to the wrong patient/contact, or without proper consent
- Discussing PHI outside of the office
- Social media posts
- Malware incident, hacking or ransomware attack
Your healthcare provider must provide you with information on how they protect your PHI and must notify you if there has been a breach.
How to Report a Breach
If you have witnessed a violation, received information not meant for you, heard about stolen electronics going unreported, or encountered any of the breaches mentioned above, you may file a complaint. You need to be sure that the party compromised is a covered entity or a business associate, and you can file the complaint on behalf of yourself, someone else, or your organization.
You can fill in an electronic complaint form on the OCR (Office for Civil Rights) website; however, you need a great deal of detail to do so. It is best to contact a medical lawyer at our law firm to assist you with the details. You have to file the complaint within 180 days, and proof of the breach will help the process move much faster.
Disclaimer: The information provided is general and not legal advice. The blogs are not intended to provide legal counsel, and no attorney-client relationship is created or intended.