IT Security Blog | Rivial Security

4 Steps for Handling HIPAA Violations | Rivial Security

Written by Randy Lindberg | 19 May 2023

In a recent post, we covered HIPAA Compliance, and everything your business needs to know if it is handling any kind of data related to patients having or that have had medical treatment. This data can be medical records, but it can also be billing and contact/identity information.

 

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.

 
 
As easy as it seems to be to violate compliance, albeit intentional or unintentional, you may be wondering what to do if your company is responsible for a HIPAA violation. There are several steps you need to take the moment a HIPAA violation comes into your purview. We’re covering all four of them below.

 

How to Handle HIPAA Violations

 

1. Put a halt to the breach.

The moment your organization learns of the breach, you must do what is necessary to stop it. For example, if you learn that you’re giving access to an employee who does not need it, you must revoke access immediately.

In some cases, when the violation is this limited, the steps for how to handle HIPAA violations stop there. You can document the situation for your annual reports, and then go about business as usual. The reason for this is because the breach involved what The U.S. Department of Health and Human Services (HHS) refers to as, the “unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

However, this is not always the case. More often than not, you’ll need to complete the other three steps.

 

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.

 

2. Determine the extent of the breach.

You need to investigate how many patients were impacted. If possible determine:

 

  • Who was impacted
  • When the breach happened
  • Where the breach occurred, and how it was discovered
  • How these violations transpired - this is critical to prevent future breaches

 

The more information you can gather at this stage the better. What you learn can help you determine the best means for how to proceed as well as how to prevent violations from happening in the future.

3. Notify patients and/or the HHS of the breach.

If fewer than 500 patients were impacted, you are not obligated to inform the HHS of the occurrence immediately. You will need to document what has transpired and file the report of the breach with the HHS by the end of the calendar year the breach happened in.

If more than 500 patients had their rights violated, notifications must happen immediately. As HHS explains, in the event your company’s violation impacts more than 500 people within a single “State or jurisdiction,” you may need to notify patients that were impacted, local media, and the secretary of the HHS. For full details on Breach Notification Requirements, visit the HHS website.

Failure to notify the HHS can result in a fine of $10,000 per violation or more if the violation is discovered later. This is why self-reporting is critical. The exact number of the fine will be dependent on whether the violation was an accident, your company was unaware of the breach, or if it was a result of willful neglect. Another factor in determining the final number of the fine is whether the breach has been corrected or not.

4. Impose stricter security protocols.

Start by running an internal IT security audit, and an IT risk assessment. Taking these steps will bring to light current risks to data as well as potential means of mitigating and preventing data leaks. During your audit, you will want to do things like change passwords, find out who has access to what, and restrict/revoke access where necessary.

 

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.

 

Additionally, you should make it clear to personnel that data breaches and incidents that can result in HIPAA violations will not be tolerated. Inform your personnel that violations can result in suspension and/or termination, and make sure that any third-party vendors are aware of your strict security protocols as well.

 

What To Do Next

Even when companies like yours are diligently working to ensure data breaches won’t be an issue, they can still happen. That is why the best method for how to handle HIPAA violations is to actively seek out the means of preventing them from occurring in the first place. 

For assistance determining where your vulnerabilities are or patching data leaks, contact Rivial Security today.

 

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.