If you, as a behavioral health professional, violate the Health Insurance Portability and Accountability Act (HIPAA), you must follow certain obligations and procedures to rectify the situation. Although the broader topic is covered in several previous Telehealth.org articles, many of our CME & CE course participants have requested more detail. Below, then, is a suggested list of steps for a practitioner who wonders, “What happens if you violate HIPAA?” This information is supplied with strong encouragement to seek advice from a qualified attorney before taking any action.
Suggested considerations include the following:
- Report the Breach of HIPAA Privacy. When you realize a privacy violation has occurred, it’s your responsibility to report it to the appropriate individuals within your organization, typically a privacy officer or an administrative head. Prompt reporting of any breach is a crucial part of HIPAA compliance, as it initiates the internal process of investigation and mitigation. If you are an independent practitioner, you are advised to seek the immediate help of an attorney. You might want to start with your malpractice carrier and the attorney who assists members of any association to which you belong. You will have 60 days to submit your report.
- Conduct an Investigation. Following the breach report, you or your organization must conduct a thorough investigation. The investigation should be documented, and the documentation should confirm whether a breach occurred, the circumstances surrounding it, and the type of information that was disclosed.
- Breach Notification. Under the HIPAA Breach Notification Rule, you are required to inform affected individuals if there has been a breach of unsecured protected health information (PHI). This notification must be made without unreasonable delay. It should detail the nature of the breach, the types of information involved, steps individuals should take to protect themselves, what you are doing to investigate the breach, mitigate harm, and prevent future breaches, along with contact information for further inquiries. This is the first important juncture, and one best handled only with the advice of your attorney.
- Documentation. You must document all actions and steps taken following a breach. This includes the breach report, investigation findings, details of the notifications sent to patients, and a description of the efforts made to mitigate harm and prevent future violations. Such documentation is vital for legal and regulatory purposes, demonstrating that you have responded appropriately.
- Mitigation. If you have violated a client’s privacy, HIPAA requires that you attempt to mitigate or lessen any harmful effects resulting from the disclosure of PHI. This might involve working directly with the client to minimize potential harm, such as identity theft, resulting from the privacy breach. Some organizations purchase access to credit reports for the affected individual for a specified period of time. Again, your attorney will help you determine what best meets your needs.
- Corrective Actions. Once you’ve dealt with the immediate aftermath of a breach, you and your organization need to review your procedures and the circumstances that led to the violation. You may need to implement corrective actions to prevent future breaches, such as retraining staff, revising privacy policies or procedures, or enhancing security measures. These corrective actions should be well documented.
- Government Notification. Next, you should inform the Secretary of Health and Human Services (HHS) about the breach. Large-scale breaches of PHI, involving the information of 500 or more individuals, must be reported to the Secretary. Even smaller breaches should be documented in a log or another format and submitted to HHS annually.
- What Happens If You Violate HIPAA. The HHS Office for Civil Rights (OCR) conducts an investigation and then issues a letter describing the resolution of the investigation. If OCR determines that you have not complied with the HIPAA Rules, you must:
  - Voluntarily comply with the HIPAA Rules
  - Take corrective action
  - Agree to a settlement
- If you do not take satisfactory action, OCR may impose civil money penalties (CMPs). You may then request a hearing in which an HHS administrative law judge decides whether the penalties are supported by the evidence in the case. See HHS.gov for details.
- Last but not least, if your breach involves more than 500 people, your company name and details of the breach may be posted on the HIPAA Breach Reporting Tool, otherwise known as the HIPAA Wall of Shame.
Violations can lead to severe consequences, including civil and criminal penalties, ranging from hefty fines to imprisonment. The severity of penalties varies depending on the nature and extent of the violation and whether it was done knowingly or unknowingly. Therefore, it’s essential to strictly adhere to HIPAA regulations and promptly address breaches with the aid of a qualified attorney.
HIPAA Notification Specifics
In the event of a privacy breach under the Health Insurance Portability and Accountability Act (HIPAA), you or your behavioral health organization may want to consider any one or all of the following general steps:
- Initial Notification: Draft a written notification, usually via first-class mail. An email notification can be suitable if the client agreed to electronic communication. Keep your language clear and concise.
- Content of Notification: Your notification may include the following:
  - A brief description of the event, the date of the breach, and the date of discovery (if known).
  - The type of unsecured protected health information (PHI) involved in the breach.
  - Suggested steps the client can take to protect themselves from potential harm.
  - A brief summary of your actions to investigate the breach, mitigate harm, and protect against further breaches.
  - Contact procedures for the client to ask questions or learn more.
- Substitute Notice: If you lack current contact information for ten or more clients, provide a substitute notice on your website or through public media.
- Media Notification: If the breach affects more than 500 residents in a state or jurisdiction, you must notify prominent media outlets.
- Notice to the Secretary of Health and Human Services: Report the breach to the Secretary of HHS. If the breach involves fewer than 500 individuals, report it in an annual log. If the breach involves 500 or more individuals, notify the Secretary without delay.
- Client Support: Keep your client informed and provide as much support and guidance as possible to help them manage the situation and minimize potential harm resulting from the breach.
When working in any healthcare practice, this entire process should be managed with sensitivity and professionalism. It’s critical to keep the client informed and provide as much support and guidance as possible to help them deal with the situation and reduce potential harm from the breach.
Other Resources to Help Clarify What Happens if You Violate HIPAA
The following resources may also be useful to you:
- You may want to obtain as much information as possible from HHS.gov directly.
- The American Medical Association also provides useful general information about HIPAA violations and enforcement.
- The American Psychological Association addresses the issues above but also provides answers to other questions, such as “What If the Breach Involves the PHI of Minors, Incapacitated Patients, and Deceased Patients?” and “Can You Also Contact Patients by Phone If There Is an Imminent Risk That Their PHI Will Be Misused?”
- Your attorney will ensure that you are navigating the situation correctly, minimizing risk, and adhering to all necessary regulations. To find such an attorney, contact the Center for Connected Health Policy.
If you are concerned about what happens if you violate HIPAA, immediately seek legal counsel.
Be aware that failing to respond to HIPAA inquiries can lead to undesirable consequences, as recently reported in a case involving an LPC who failed to respond to HIPAA inquiries about a different HIPAA scenario that involved the Right of Access. Following the advice of an attorney will help protect your rights and those of your clients.
PLEASE NOTE: These issues are complex and highly fact-specific and require legal expertise that cannot be provided here. Telehealth.org cannot and does not offer legal advice. The information above is summarized as community service for informational purposes only. It should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions about your individual circumstances.