HIPAA Policy

HIPAA Violation and Response

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

The following are the various levels of HIPAA violations, the actions which should be taken to correct each violation, and the penalties associated with it. Category 1 is the lowest level (the most minor violations). Category 4 is the highest level (the most severe violations). HIPAA violations which are not specifically covered in the following categories will be evaluated case by case.

Category 1: A violation that the Covered Entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules

Scenario: An approved ATBS computer, phone, or tablet containing electronic PHI is hacked, lost, or stolen (with password, antivirus, encryption, VPN, and remote wiping software installed).

Response: See below for more information. In all cases, contact the director immediately. 

If the device is suspected of being hacked, immediate action must be taken to disconnect the device from any network, including the internet (place the device in airplane mode), and to secure any accessible PHI via the installed encryption software before attempting to fix the vulnerability.

If a virus is detected on the device, the same immediate action applies: disconnect the device from any network, including the internet (place the device in airplane mode), and secure any accessible PHI via the installed encryption software before attempting to remove the virus. If the virus infected PHI, the infected file(s) must be immediately quarantined and cleaned if possible. If it is not possible to clean the infected file(s), the file(s) must be securely erased using the installed file wiping/shredding software. If the virus infected non-PHI files, attempts must be made to quarantine and clean the infected files. If the infected non-PHI files cannot be cleaned or removed, all information on the device must be erased.

If the device was lost or stolen, all information on the device must be remotely erased immediately, and the passwords of all accounts with access to PHI, including online and offline archived backups, must be changed immediately.

Scenario: Paperwork containing PHI is lost or stolen due to a break-in or natural disaster (at a vehicle or place of residence).

Response: Contact the director as soon as possible. 

Scenario: PHI is unintentionally sent from approved ATBS equipment to a remote storage location not approved by ATBS (iCloud, OneDrive, etc.).

Response: Contact the director and immediately delete all files containing PHI from the unapproved remote storage location. Ensure the device's settings are set up so that PHI will not be sent to the unapproved remote storage location in the future.

Scenario: Needing to fill out PHI in a public setting.

Response: Use the bare minimum of PHI. Do not include the client's name, your session times, or details about the treatment or session. Fill in the remaining information as soon as you are in a private setting.

Failure to respond appropriately to Category 1 violations will result in penalties which include:

One (1) verbal warning per occurrence with no more than two (2) every twelve (12) months 

Repeated offences (across or within categories) are classified as a Category 4 violation and are subject to the associated penalties.

Category 2: A violation that the Covered Entity should have been aware of but could not have avoided even with a reasonable amount of care (falling short of willful neglect of HIPAA Rules)

Scenario: A client, a client's family member, a coworker, a friend, a spouse, or another family member gained access to the contact list, calendar, email, or other software or apps containing electronic PHI on a computer, phone, or tablet that had password, antivirus, and encryption software installed.

Response: Contact the director immediately. Secure the device containing electronic PHI. Immediately change the passwords of all accounts with access to PHI, including online and offline accounts.

Scenario: PHI is unintentionally sent from an approved ATBS device via text or email to an incorrect number or address.

Response: Contact the director immediately. 

Scenario: Unintentionally discussing (in verbal, written, or electronic communication) PHI with other clients, other families, coworkers (not on the case), friends, spouse, or other family members.

Response: Stop and contact the director immediately. If the person persists, remind them that PHI regarding other clients cannot be discussed, even with names and specific details omitted. If the parents of the client would like to set up a social event or play date with other clients, they must do so directly with the other clients.

Scenario: You are seen in public by a client while with your family or while with another client. 

Response: Avoid using names (introduce the person as “a client”), specific diagnoses, treatment information, and session information. Contact the director as soon as possible.

Scenario: PHI is unintentionally taken from the client's house.

Response: The PHI should be returned immediately to the client's house. If you are unable to return it immediately, the PHI should be secured in a locked binder or box in your place of residence. Do not leave it in your car or anywhere it is easily accessible. Return the PHI to the client's home as soon as possible.

Scenario: Materials which include PHI need to be transported to a different location. 

Response: The materials containing PHI should be transported to the new location as quickly as possible. They should be transported in a locked container which cannot be seen through. The container must remain out of public view during transport. The container and the materials containing PHI within it must not be left unattended in your vehicle for any amount of time. If the transportation of materials containing PHI is discontinuous (breaks/stops between the place of departure and the place of intended arrival), the container and the materials containing PHI within it must be placed in a secure location in your place of residence until transportation of the materials is continued.

Scenario: Unintentionally modifying the settings of approved ATBS equipment (including computers, phones, and tablets) containing PHI in a way that would leave the device vulnerable to a HIPAA security breach. This includes but is not limited to changing settings involving passwords, antivirus, encryption, VPN, remote data storage location, and/or remote wiping software.

Response: Immediately contact the director and change the setting(s) back to what they were before the modification.

Failure to respond appropriately to Category 2 violations will result in penalties which include:

One (1) verbal warning per occurrence with no more than four (4) every twelve (12) months. 

Repeated offences (across or within categories) are classified as a Category 4 violation and are subject to the associated penalties.

Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation 

This category includes major and intentional violations of HIPAA Guidelines. “Responses” are not provided due to the nature of the violations. These violations should be avoided at all costs. If a violation should occur, contact the director and correct the violation immediately. Contact the director immediately if you suspect someone is in violation of any of the following:

Intentionally discussing (in verbal, written, or electronic communication) PHI with other clients, other families, coworkers (not on the case), friends, spouse, or other family members.

Leaving client information visible or unsecured in a public setting.

Removing client information (written or electronic) from the client's home without prior permission from the director and the client's guardians.

Modifying approved ATBS equipment (including computers, phones, and tablets) containing PHI, including but not limited to deactivating passwords, uninstalling or disabling antivirus, encryption, VPN, and/or remote wiping software. 

Intentionally modifying the settings of approved ATBS equipment (including computers, phones, and tablets) containing PHI in a way that would leave the device vulnerable to a HIPAA security breach. This includes but is not limited to changing settings involving passwords, antivirus, encryption, VPN, remote data storage location, and/or remote wiping software.

Storing or sending PHI on a personal phone or tablet.

Sending electronic PHI via an unsecured method (not through the approved email address/server).

Having someone other than the client's guardian sign treatment documents.

Whiting out, blacking out, or otherwise concealing client information.

Denying the legal guardian of the client access to the client's binder, data sheets, behavior plan, or other PHI.

Category 3 violations will result in the following penalties:

The employee is suspended until an investigation can be completed to determine the degree of the violation.

No more than two (2) violations in twelve (12) months. 

Repeated offences (across or within categories) are classified as a Category 4 violation and are subject to the associated penalties.

Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation 

This category includes major and intentional violations of HIPAA Guidelines. “Responses” are not provided due to the nature of the violations. These violations are the same as in Category 3 and should be avoided at all costs. If a violation should occur, contact the director and correct the violation immediately. Contact the director immediately if you suspect someone is in violation of the guidelines discussed in Category 3 and has failed to make the appointed corrections.

Failure to make the appointed corrections for ANY of the previous categories results in a Category 4 violation, which carries the following penalties:

The employee is suspended until an investigation can be completed to determine the degree of the violation.

Termination of employment.

If You Suspect or See a HIPAA Violation:

All violations must be reported in writing to the Privacy Officer or Clinical Director. 

  1. Fill out the HIPAA Violation Form. The form can be found under “HIPAA or Privacy Concerns and Violations.”

  2. Once completed, put the form in the file labeled “HIPAA Violation Documentation.”

The Privacy Officer will:

  1. Review the documentation you submitted within 24 hours (business days only)

  2. Investigate the issue

  3. Document any corrective action that needs to be taken

  4. Document how the issue was corrected

  5. Take action and document as needed to ensure the mistake does not occur again