HIPAA Breach: Who You Gonna Call?

Everyone knows that you call a plumber for a leaking pipe, a mason for a cracked stone wall, and an electrician to fix faulty wiring. However, when faced with an actual or suspected HIPAA data breach, many organizations struggle to determine whom to call. Failing to have contacts lined up ahead of time is more than an inconvenience: any delay in bringing in experienced advisors to assist with breach investigation, response and mitigation may result in significant financial and legal consequences.

HIPAA covered entities and business associates should have a written breach response policy and protocol that gives the covered entity's or business associate's staff clear guidance on how to respond to an actual or suspected breach. Among other things, the policy and protocol should include a roster of resources staff may rely on, including legal counsel, forensic and IT consultants, public relations/marketing professionals, and human resources advisors. Because a breach must be addressed promptly, covered entities and business associates should not wait for one to occur before assembling the team.

In light of the risk of lawsuits or government enforcement, the first call should be to an attorney experienced in data privacy matters. Beyond expertise in the legal requirements imposed by HIPAA and any other state and federal laws that may apply, bringing in an attorney at the start may allow the covered entity or business associate to protect the subsequent breach investigation and response under attorney-client privilege. That, in turn, may shield damaging facts (such as investigatory reports citing failures in the covered entity's or business associate's privacy safeguards) from plaintiffs' counsel seeking to sue for damages. There is no guarantee that an assertion of attorney-client privilege will succeed in every instance, but having an attorney involved and directing the investigation from the outset is often the only chance a covered entity or business associate has of protecting damaging information from litigants and the public.

Aside from legal counsel, covered entities and business associates should have a list of trusted forensic and IT consultants. When electronic protected health information (ePHI) is involved, consultants experienced in HIPAA matters are necessary. They may be needed to investigate a hack or ransomware attack; audit the online activities of a rogue employee; report on what information was stored on a lost or stolen mobile device; or recover data from a damaged hard drive.

Data breaches often attract considerable media attention, particularly when notice to the media is required. Protecting the entity's reputation is crucial to retaining customer and public trust, and the services of a media relations professional are often invaluable. If employees are involved in the breach, seek advice from an HR professional before conducting employee interviews, sanctions or terminations, particularly if a unionized workforce is involved.

A HIPAA breach is like a fire drill: you need to respond quickly and cannot ignore the warnings. Having the right team in place ahead of time will help ensure a timely, appropriate and cost-effective response.

18 comments on “HIPAA Breach: Who You Gonna Call?”

  1. I've been put on administrative leave for ?? 2 HIPAA violations. The first is giving an OB pt from the ER a profile picture of her fetus. The second was a de-identified image of a ? placenta accreta texted to an OB specialist I know asking her opinion. I did this because the radiologist called it negative and, with it being a critical finding, I felt I needed to be certain before calling the patient's MD. The images/texts were deleted from mine and her phone immediately.

  2. I've been trying to find my 14-month-old grandson who was taken from his mother, who may have mental issues. I was told because of HIPAA THEY CAN NOT

    1. My son is 30 years old and has a mental disorder and lives 800 miles from me in an independent home; he comes and goes as he pleases. The lady that runs the home called me and said that he had been missing for three days. I called all the hospitals in the area; because of HIPAA they could not give me any info. Not even a yes or no!!… This Bull$#@ law should be revised for people like us… Written by lawyers to enrich themselve$.

  3. To whom this may concern: I'm seeking information. I was in a car accident. To make a long story short, I settled with my attorney with the insurance company of the person that hit me. My attorney stated that we could get an additional $20,000 from my insurance company. In return there was an inquisition where my attorney and my insurance had a meeting; everything was put on voice recording and they had a stenographer there. I signed legal documentation that stated that they could ascertain my records. I only agreed to three years' worth of my records; that was the specific that I laid out before my attorney and the insurance company. I was adamant there were no misunderstandings, so no one could misunderstand what my wishes were: my wishes were that only 3 years' worth of my medical records were allowed to be gotten. Come to find out, my auto insurance company, instead of acquiring three years' worth of medical records, ascertained 22 extra years' worth of my medical records, with a total of 25 years' worth of my records. I only gave permission for 3 years of my records; they had 22 more years of my records' information that I did not wish for them to have or to be public, which had nothing to do with my auto accident, absolutely not, but my medical records are my private history. I feel like I was invaded; I feel like I was emotionally and mentally raped over information that they had no business looking over, my private life. What do I do?

  4. I was pulling my medical records online. Lo and behold, I have someone else's records. An honest mistake, I'm sure. Do I file a complaint or just call the office?


    1. Inadvertent disclosure is not a HIPAA violation; there must be some intent to access or disclose e/PHI for it to be a violation/breach. Nonetheless, you must document the incident to meet the HIPAA requirement and protect yourself.

  5. I'm working as a CNA at Windsor Gardens of Long Beach. Then I got a problem going back to work because I'm hearing voices, then I went to a psychiatrist to be treated and to get a work release form. But then they copied my entire medical record. I felt I've been discriminated against too, and they violated my rights. Now I've been seeking help. Hoping this time someone would hear me. My name is Glady Lowe.

    1. If you have a concern about your privacy rights, I suggest you contact your state Attorney General for assistance or the United States Department of Health and Human Services Office for Civil Rights.

    2. Hi, my name is Iris. I am an employee at Windsor Gardens of Long Beach on Artesia Blvd. Since you feel discriminated against, I also feel this way; can you please provide me with what I can do against my facility or anyone so I can take action? (323) 504-5829. It's very urgent. As a CNA, it's very difficult to work with companies that don't care for their employees. How can a facility be a place to have patients where they count as much as we do? Please, I can't take this anymore. I need to speak up. I need a law firm now. I am a single mom of 3. I don't have a lot of cash, but I believe there's someone out there that might want to take my case. This unfair, unjust situation can't continue against us CNAs.

  6. What do you do if someone calls your doctor and tells them false things about you and it changes your treatment? Plus, what if a nurse lets someone in and they question you on personal things in your life in recovery?

  7. What if an employee purposely hides patient test results, then puts a patient's test results in the shred instead of scanning them into their patient record 2 months earlier?

  8. The OCR, HHS and DMHC knew about everything yet did nothing until I posted the 3 doctors. The problem here is the OCR, HHS and DMHC can't open this case ever again; it's in their laws and policies. So I sat for an appointment Kaiser canceled to cover up several HIPAA breach violations. I paid another member's co-pay and got another member's receipt; I asked for mine and it was a reprint. There are 35 numbers from mine to the other member. I had 3 doctor appointments, 3 different doctors, 3 different places, ALL AT THE SAME TIME AND DAY. These receipts you are given have your name, your doctor, your medical record number and your medical history on them. On January 16, 2015 I found out why I didn't get to see the doctor: my appointment was canceled. Kaiser made me sit 55 minutes to see a doctor who wasn't there. When I went into my online Kaiser member account to look at the HIPAA breach violations I filed on 1-19-2012, the whole month of January 2012 and February 2012 were GONE, DELETED BY KAISER, THE OCR, HHS AND DMHC. Now I get this letter from Kaiser's Compliance and Privacy Office on December 4, 2015 telling me they can come to my house to pick up the other Kaiser member's receipt I was registered under. I don't have this receipt. That Kaiser member's copay was $45.00; my copay is $40.00; the receipt of the Kaiser member I was given shows their copay is $20.00. What is even worse is someone has tried to get services on my medical card and filed taxes on my Social Security number, basically having stolen my identity, and all Kaiser, the OCR, HHS and DMHC care about is themselves. They don't give a "rat's behind"; they just want to cover their tracks even if it means breaking laws and violating people's civil rights to do it.

  9. Re: Who you gonna’ call?

    Odd that this article says absolutely nothing about actually reporting a breach to the OCR. How and when you report HIPAA breaches can easily determine the severity of the fines and strictures you may be placed under by the OCR. Any employee disciplinary actions must (a) be recorded and (b) follow pre-established policy. For any quantity of breached patient records, you must presume it is a major breach (>499 records) and work back to determine the exact number and whether it was a security incident (no significant loss or violation) or a serious violation.

    If it involves a virus or malware (ransomware especially), consider it to be a major violation and (a) take action to prevent any further compromise, (b) document completely, (c) involve security experts as quickly as possible, and as appropriate, and (d) report it into the OCR portal as quickly as possible. Taking the allowed 60 days to report could worsen the situation, so move to report as quickly as possible. Your records should be in digital form in order to be able to report into the portal; it is questionable whether the OCR will accept any hard-copy or written docs. In all likelihood, they will NOT accept any phone calls.

    HIPAA compliance is regulatory, not prosecutorial. The OCR is enforcing regulations, not prosecuting violations of the law per se. It is more akin to OSHA enforcing work regulations and safeguards, the Public Health Dept., or the EPA enforcing pollution regulations. That means you have no legal recourse. You have no right to legal representation, court trial, rules of evidence, appeal, probable cause or even presumption of innocence. The OCR can appear at your business or practice and demand to see your records. They do not require a warrant or probable cause. You have no recourse; you cannot say, "Wait until I call my lawyer"; you must comply. Your ability to even negotiate the amount of the fine, or any subsequent business restrictions, is very, very limited.

    So, having a plan, and the necessary policy and ability to document any breach and any counter-actions you take, can be critical in avoiding serious fines (they start at $50,000 per incident, and many, many worse fines have been assessed for seemingly minor breaches). An attorney is only part of the solution. In order to be prepared (do you know when you'll have a breach? … not likely), you should have six years of risk assessments online, all your BA agreements (if you don't know what "BA" means, you're probably in serious non-compliance) available online, how you assessed THEIR HIPAA compliance, and all your staff HIPAA attestations, again, online. Those constitute a critical MINIMUM plan. Less than that, and you'd better get someone to help you get HIPAA compliant ASAP.

    I am not an attorney, nor am I offering legal advice. This information is offered for educational purposes and is based on open publications and informed professional expertise.


  11. I have been a victim of a HIPAA violation, which could affect me tremendously, both personally and financially. A hospital staff member shared my medical diagnosis with their friend, who is a mutual friend of mine. This friend then asked me about my condition, naming it specifically, and the struggles I was having because of my condition. My condition has not been shared with anyone but my doctor and my spouse. This has a great financial and personal impact on me, as I am in the process of training for a specific license; I have spent over $80,000.00 purchasing equipment and training for this license. Because of the law changing, within months my medical condition will not impact my licensing, but as of now it does, so this violation has not only embarrassed me, with the inquiry into my health by others, but it has impacted me financially and personally. What can I do to make sure this violation is reported, the person is held accountable, and I can recover the thousands of dollars I have lost because of this violation?

  12. My private health and safety were breached when Hillary Clinton had a private email server in her basement that was not HIPAA compliant.
    Hillary Clinton of all people should be aware of the HIPAA rules and regulations, because it was her husband, Bill Clinton, who signed the HIPAA bill into law, as his last signature as President of the United States of America, immediately before he was impeached by the House of Representatives on December 19, 1998.
