Risks and Responsibilities Under HIPAA After an Impermissible Disclosure Occurs
By Jill E. Arent, Esq, Reed Smith, LLP.
Since passage of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, §§ 261-264 (August 21, 1996) (HIPAA), the requirements that health care organizations face regarding the protection of personal health information have steadily increased. As a result, covered entities governed by HIPAA have been faced with a barrage of new requirements for handling patient information. Those requirements have been spelled out in great detail, and enforcement officials have emphasized the existence of civil monetary penalties for wrongful disclosures made knowingly or for malicious or commercially advantageous reasons. Less attention has been paid to the actions that covered entities should take upon realizing that protected health information (PHI) has been otherwise impermissibly disclosed, although such disclosures are much more likely to occur and also constitute a violation of HIPAA.
Obligations After Impermissible Disclosures
Regulatory requirements implementing HIPAA's security and privacy standards (45 CFR § 164.308, § 164.530) make clear that covered entities have an affirmative duty to identify and respond to any "security incident," including an impermissible disclosure, that is known or suspected. The identification requirement includes a duty to document the details of the incident and to retain that documentation for 6 years. The response requirement mandates the application of sanctions against any employees or other members of the covered entity's workforce who violate the organization's internal policies and procedures regarding disclosures.
The same regulatory provisions specify that covered entities also have a mitigation obligation upon the improper disclosure of PHI. That is, to the extent practical, they must do what they can to lessen the harmful effects of any security incident that is known to them and that is in violation of either their policies and procedures or the regulatory requirements of HIPAA more generally. It is important to note that this obligation includes wrongful disclosures by both covered entities and their business associates.
Individuals have a right to adequate notice regarding the uses and disclosures of their PHI under HIPAA's privacy standards (45 CFR § 164.528). This notice is provided in the form of a written accounting, which may be requested by any individual. Most disclosures made in the ordinary course of a covered entity's business are exempt from the accounting requirement, but impermissible disclosures would have to be included. The accounting must be provided within 30 days of the request (unless a written request for an extension is sent to the individual) and must describe disclosures and the circumstances surrounding them for 6 years prior to the request. All accountings must be documented by the covered entity for its own records.
Additional Obligations Relating to Business Associate Disclosures
Covered entities also face obligations with respect to the impermissible disclosures of their business associates. The Department of Health and Human Services (HHS), in both the privacy regulations themselves and in subregulatory guidance, clearly states that if a covered entity knows that a business associate has committed a material breach or violation of the terms of its agreement by impermissibly disclosing PHI, the covered entity must take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the covered entity must terminate its agreement with the business associate; if termination is not feasible, the covered entity must inform the secretary of HHS. Failure to do so is a violation of HIPAA and may subject the covered entity to penalties.
Covered entities are not required to actively monitor the actions of business associates, nor are they responsible or liable for the actions of business associates. Covered entity liability is limited to instances where the covered entity knows of a pattern of activity or practice constituting a material breach or violation of the obligations of the business associate. To ensure that the covered entity is made aware of impermissible disclosures by the business associate, the privacy rules require business associates to report to the covered entity any improper use or disclosure of PHI of which the business associate "becomes aware" (45 CFR § 164.504). This reporting requirement must be explicitly contained in the agreement; it is necessary to facilitate the accounting responsibilities facing covered entities. The covered entity is not required to make an accounting of exempt uses or purposes by the business associate, but any accounting must include impermissible disclosures. This obligation extends only as far as disclosures by the business associate itself, however, and not to any subsequent disclosures by others receiving information from the business associate.
What Covered Entities Can Do...
Given the responsibilities facing covered entities, it is not surprising that many organizations feel overwhelmed and uncertain as to the processes they should implement to respond to impermissible disclosures. The overriding principle that has shaped these requirements is that the individual has a right to know who has access to PHI and for what purpose. With this in mind, there are a couple of important issues that covered entities should remember when developing internal policies and proceeding under them.
First, covered entities are not required to notify individuals of every impermissible disclosure, although they are required to provide information about them if an accounting is requested. As a result, covered entities should, to the extent possible, assemble the information required under the accounting provision every time they identify an impermissible disclosure to ensure that they are prepared to respond to accounting requests that may arise. The final privacy rules are clear that the purpose of the accounting process is to inform the individual about any nonroutine use or disclosure of PHI. Comprehensive and consistent documentation policies will facilitate this.
Second, because of the mitigation requirement, covered entities should also monitor the handling of PHI both internally and with respect to their business associates to ensure that the regulatory requirements and the covered entity's internal policies and procedures are being followed. To support this, the covered entity may want to conduct ongoing training on the details of these policies for business associate staff, to prevent confusion and facilitate compliance.
Third, covered entities should identify a single party—likely, the privacy officer that is required under HIPAA—to whom impermissible disclosures must be reported. In addition to helping assure that necessary documentation of such disclosures is made, this will allow the organization to identify and target for correction any problematic information-handling procedures.
Many covered entities will be confronted by an impermissible disclosure at some point. If the organization has given forethought to the development of sound reporting and documentation processes, mitigating and managing such a disclosure should not present a serious difficulty. In the absence of clear processes, there is the potential for dissatisfaction from both the individual whose PHI was disclosed and enforcement authorities. Given the potential penalties and negative attention that such dissatisfaction could cause, this is an area where an ounce of prevention will be worth far more than a pound of cure.
Reprinted with permission of Reed Smith LLP. For questions, contact Katherine Keefe at (215) 851-8863 or kkeefe@reedsmith.com. Visit www.reedsmith.com
