By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CDH-L, CRIS, CC
Director of Compliance and Government Affairs
Verisma
February 8, 2025

Unfortunately, unauthorized disclosures (UAD) are a reality for today’s healthcare organizations. We’ve all been there – a staff member accidentally mistypes a fax number, or a patient ends up with one page of another patient’s protected health information (PHI) in their mailed medical records. What happens next determines if you have a Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reportable breach on your hands. When notified that PHI may not have been delivered as directed, your compliance team needs to spring into action to mitigate any risk to PHI.

Don’t have a compliance team? Not sure what steps and procedures define your processes for HIPAA unauthorized disclosures? Read on for recommendations and best practices for mitigating compliance risk.

Develop Investigation Protocol

When you become aware of a possible UAD, mitigate the risk as quickly as possible. Because we oversee hundreds of millions of record requests annually, our volume is substantially higher than most – and we have a designated Compliance Officer and support team. Therefore, we have developed our UAD Investigation Protocol based on years of experience and countless processed records.

The moment a release of information specialist (ROIS) is aware of a possible incident, he or she has a short amount of time to initiate an incident report and submit it to the Compliance team. In many organizations, employees fear admitting mistakes. Creating a culture of compliance includes reassuring your team that “to err is human and to report is divine.” If your staff isn’t reporting errors to you, it is not because they are not making them; it is because they are not admitting them. Not knowing about an incident is far worse for your organization than being aware of it and taking measures to mitigate the damage of compromised PHI.

When an incident occurs, we rely on our team to notify us immediately. The Compliance team then begins working the risk assessment right away to research how the situation occurred. It is important to quickly contact the unauthorized recipient and collaborate with them to securely destroy, or return, the PHI. Additionally, to assert a low probability of PHI compromise or harm, a confidentiality statement must be obtained from the unauthorized recipient, outlining the secure destruction and assuring no further disclosure of the information occurs.

It is critical that you take steps to mitigate the possibility of future UADs. Supervisors need to re-train the ROIS on best practices and auditing procedures based upon the mistake the ROIS made. If an ROIS working at a front desk were to hand one patient another patient’s medical records, you would want to spend time discussing best practices for double-checking discharge paperwork as it comes off the printer and before it is handed over the counter.

After re-training, the Compliance Officer completes the risk assessment. On the Health Insurance Portability and Accountability Act (HIPAA) Risk Assessment, the Compliance Officer reports whether the PHI has been acquired or viewed, and determines the extent of PHI risk, following federal HIPAA guidelines and state laws. After you are aware there is a possible breach, you have 60 days to complete your investigation, unless your state requires a shorter amount of time.

Violation vs. Breach

UADs typically fall into two categories: violation or breach.

A violation is a UAD with a low probability of PHI compromise. If low risk is determined and supported by the assessment, reporting the incident to the OCR and the patient is not necessary. For instance, if PHI is disclosed without authorization to another covered entity, that entity has a legal responsibility to protect the information. Once the covered entity has destroyed the PHI, there is a low probability of compromise and the incident is classified as a violation.

If a low probability of PHI compromise cannot be established, the UAD is a breach. For example, if you are not able to obtain a confidentiality statement from an unauthorized recipient, a low probability of compromise has not been demonstrated. The breach needs to be reported to the OCR, and the patient must be notified with an explanation of how their PHI was compromised.

According to the OCR, between 2019 and 2023 there was a substantial 89 percent increase in hacking and a massive 102 percent increase in ransomware. Realizing that the agency can issue up to a $50,000 fine per incident, with an annual cap of $1.5 million, is how healthcare nightmares are made.

ROI Partner

Healthcare providers often face the challenge of managing a high volume of medical record requests, which can be time-consuming and prone to manual errors. Collaborating with a trusted ROI partner transfers the workload to a team of specialists who are dedicated to handling these requests accurately, securely and efficiently – freeing up valuable time for your staff to focus on patient satisfaction.

Verisma’s team of healthcare data experts is equipped to simplify workflows with advanced technology to manage the complexities of HIPAA compliance and mitigate risks associated with UADs. We understand the importance of policies and procedures and have processes in place to protect PHI. Our compliance team can quickly assess the situation, contact unauthorized recipients, and take necessary steps to secure the information.

Ready to reduce workloads and improve patient experience? Contact us today to discuss how we can help.
