HIPAA Breach: Who You Gonna Call?

Everyone knows that you call a plumber for a leaking pipe, a mason for a cracked stone wall, and an electrician to fix faulty wiring. When faced with an actual or suspected HIPAA data breach, however, many organizations struggle to determine whom to call. Failing to have contacts lined up ahead of time is more than an inconvenience: any delay in bringing in experienced advisors to assist with breach investigation, response and mitigation may result in significant financial and legal consequences.

HIPAA covered entities and business associates should have a written breach response policy and protocol. The policy and protocol should give the covered entity’s or business associate’s staff clear guidance on how to respond to an actual or suspected breach. Among other things, the policy and protocol should include a roster of resources staff may rely upon, including legal counsel, forensic and IT consultants, public relations/marketing professionals, and human resources advisors. Because a breach must be responded to promptly, covered entities and business associates should not wait for a breach to occur before assembling a team.

In light of the risk of lawsuits or government enforcement, the first call to make should be to an attorney experienced in data privacy matters. Aside from expertise in the legal requirements imposed by HIPAA and other state and federal laws that may apply, the value of bringing in an experienced attorney at the start is that it may allow the covered entity or business associate to protect the subsequent breach investigation and response under attorney-client privilege. By doing so, the covered entity or business associate may be able to keep damaging facts (such as investigatory reports citing failures in the covered entity’s or business associate’s privacy safeguards) confidential from plaintiffs’ counsel seeking to sue for damages. While there is no guarantee that asserting attorney-client privilege will succeed in every instance, having an attorney involved and directing the investigation from the start is often the only chance a covered entity or business associate has to protect damaging information from litigants and the public.

Aside from legal counsel, covered entities and business associates should have a list of trusted forensic and IT consultants. When electronic protected health information (ePHI) is involved, consultants experienced in HIPAA matters are necessary. They may be needed to investigate a hack or ransomware attack; audit the online activities of a rogue employee; report on what information may have been on a lost or stolen mobile device; or recover data from a damaged hard drive.

Data breaches often result in considerable media attention, particularly when notice to the media is required. Protecting an entity’s reputation is crucial to retaining customer and public trust, and the services of a media relations professional are often invaluable. If employees are involved in the breach, seek advice from an HR professional before conducting employee interviews, sanctions or terminations, particularly if a unionized workforce is involved.

A HIPAA breach is like a fire drill: you need to respond quickly and cannot ignore the warnings. Having the right team in place ahead of time will ensure a timely, appropriate and cost-effective response to the breach.

34 comments on “HIPAA Breach: Who You Gonna Call?”

  1. I’ve been put on Administrative Leave for ?? 2 HIPAA violations. The first is giving an OB pt from the ER a profile picture of her fetus. The second was a de-identified image of a ? Placenta Accreta texted to an OB specialist I know asking her opinion. I did this because the Radiologist called it negative & with it being a critical finding, I felt I needed to be certain before calling the patient’s MD. The images/texts were deleted from mine & her phone immediately.

  2. I’ve been trying to find my 14-month-old grandson who was taken from his mother who may have mental issues. I was told because of HIPAA THEY CAN NOT

    1. My son is 30 years old and has a mental disorder and lives 800 miles from me in an independent home; he comes and goes as he pleases. The lady that runs the home called me and said that he had been missing for three days. I called all the hospitals in the area; because of HIPAA they could not give me any info. Not even a yes or no!! This Bull$#@ law should be revised for people like us. Written by lawyers to enrich themselve$.

  3. To whom this may concern: I’m seeking information. I was in a car accident. To make a long story short, I settled with my attorney with the insurance company of the person that hit me. My attorney stated that we could get an additional $20,000 from my insurance company. In return, there was an inquisition where my attorney and my insurance had a meeting, and everything was put on voice recording and they had a stenographer there. I signed legal documentation that stated that they could ascertain my records. I only agreed to three years’ worth of my records; that was the specific that I laid out before my attorney and to the insurance company. I was adamant there were no misunderstandings, so no one could misunderstand what my wishes were. My wishes were that only 3 years’ worth of my medical records were allowed to be gotten. Come to find out, my auto insurance company, instead of acquiring three years’ worth of medical records, ascertained 22 extra years’ worth of my medical records, with a total of 25 years’ worth of my records. I only gave permission for 3 years of my records; they had 22 more years of my records’ information I did not wish for them to be public or for them to have, which had nothing to do with my auto accident, absolutely not, but my medical records are my private history. I feel like I was invited, I feel like I was emotionally and mentally raped over information that they had no business to look over, my private life. What do I do?

  4. I was pulling my medical records online. Lo and behold, I have someone else’s records. An honest mistake, I’m sure. Do I file a complaint or just call the office?


    1. Inadvertent disclosure is not a HIPAA violation; there must be some intent to access or disclose e/PHI for it to be a violation/breach. Nonetheless, you must document the incident to meet the HIPAA requirement and protect yourself.

  5. I’m working as a CNA in Windsor Garden of Long Beach. Then I got a problem going back to work because I’m hearing voices, then I went to a psychiatrist to be treated and have a work release form. But then they copied my entire medical record. I felt I’ve been discriminated against too, and they violated my rights. Now I’ve been seeking help. Hoping this time someone would hear me. My name is Glady Lowe.

    1. If you have a concern about your privacy rights, I suggest you contact your state Attorney General for assistance or the United States Department of Health and Human Services Office for Civil Rights.

      1. Are hotels, upon checking in with a service dog, permitted to question the role and reason for the dog? Is that not a HIPAA violation?

    2. Hi, my name is Iris. I am an employee at Windsor Gardens of Long Beach on Artesia Blvd. Since you feel discriminated against, I also feel this way. Can you plz provide me with what I can do against my facility or anyone so I can take action? (323)504-5829. It’s very urgent. As a CNA IT’S VERY DIFFICULT TO WORK WITH COMPANIES THAT DON’T CARE FOR THEIR EMPLOYEES. HOW CAN A FACILITY BE A PLACE TO HAVE PATIENTS WHERE THEY COUNT AS MUCH AS WE DO? PLZ, I CAN’T TAKE THIS ANY MORE. I NEED TO SPEAK UP. I NEED A LAW FIRM NOW. I AM A SINGLE MOM OF 3. I DON’T HAVE A LOT OF CASH BUT I BELIEVE THERE’S SOMEONE OUT THERE THAT MIGHT WANT TO TAKE MY CASE. THIS UNFAIR, UNJUST SITUATION CAN’T CONTINUE AGAINST US CNAs.

  6. What do you do if someone calls your doctor and tells them false things about you and it changes your treatment, plus if a nurse lets someone in and they question you on personal things in your life in recovery?

  7. What if an employee purposely hides patient test results, then puts a patient’s test results in the shred instead of scanning them into their patient record 2 months earlier?

  8. The OCR, HHS and DMHC knew about everything yet did nothing until I posted the 3 doctors. The problem here is the OCR, HHS and DMHC can’t open this case ever again; it’s in their laws & policies. So I sat for an appointment Kaiser canceled to cover up several HIPAA breach violations. I paid another member’s co-pay, got another member’s receipt, asked for mine, and it was a reprint. There are 35 numbers from mine to the other member. I had 3 doctor appointments, 3 different doctors, 3 different places, ALL AT THE SAME TIME & DAY. These receipts you are given have your name, your doctor, your medical record number & your medical history on them. On January 16, 2015 I found out why I didn’t get to see the doctor: my appointment was canceled; Kaiser made me sit 55 minutes to see a doctor who wasn’t there. When I went into my online Kaiser Member account to look at the HIPAA Breach Violations I filed on 1-19-2012, the whole month of January 2012 & February 2012 were GONE, DELETED BY KAISER, THE OCR, HHS & DMHC. Now I get this letter from Kaiser’s Compliance & Privacy Office on December 4, 2015 telling me they can come to my house to pick up the other Kaiser member’s receipt I was registered under. I don’t have this receipt. That Kaiser member’s copay was $45.00, my copay is $40.00, and on the receipt of the Kaiser member I was given, their copay is $20.00. What is even worse is someone has tried to get services on my medical card and filed taxes on my social security number; basically they have stolen my identity, & all Kaiser & the OCR, HHS and DMHC care about is themselves. They don’t give a “Rats Behind”; they just want to cover their tracks even if it means breaking laws & violating people’s civil rights to do it.

  9. Re: Who you gonna’ call?

    Odd that this article says absolutely nothing about actually reporting a breach to the OCR. How and when you report HIPAA breaches can easily determine the severity of the fines and strictures you may be placed under by the OCR. Any employee disciplinary actions must (a) be recorded, and (b) follow pre-established policy. For any quantity of breached patient records, you must presume it is a major breach (>499 records) and work back to determine the exact number and whether it was a security incident (no significant loss, or violation) or if it was a serious violation.

    If it involves a virus or malware (ransomware, esp.), consider it to be a major violation and (a) take action to prevent any further compromise, (b) document completely, (c) involve security experts as quickly as possible, and as appropriate, and (d) report it into the OCR portal as quickly as possible. Taking the allowed 60 days to report could worsen the situation, so move to report as quickly as possible. Your records should be in digital form in order to be able to report into the portal; it is questionable if the OCR will accept any hard-copy or written docs. In all likelihood, they will NOT accept any phone calls.

    HIPAA compliance is regulatory, not prosecutorial. The OCR is enforcing regulations, not prosecuting violations of the law per se. It is more akin to OSHA enforcing work regulations & safeguards, the Public Health Dept., or the EPA enforcing pollution regulations. That means you have no legal recourse. You have no right to legal representation, court trial, rules of evidence, appeal, probable cause or even presumption of innocence. The OCR can appear at your business or practice and demand to see your records. They do not require a warrant or probable cause. You have no recourse; you cannot say, “Wait until I call my lawyer”, you must comply. Your ability to even negotiate the amount of the fine, or any subsequent business restrictions, is very, very limited.

    So, having a plan … and the necessary policy and ability to document any breach and any counter-actions you take can be critical in avoiding serious fines (they start at $50,000 per incident, and many, many worse fines have been assessed for seemingly minor breaches). An attorney is only part of the solution. In order to be prepared (do you know when you’ll have a breach? … not likely), you should have six years of risk assessments online, all your BA agreements (if you don’t know what ‘BA’ means, you’re probably in serious non-compliance) available online, how you assessed THEIR HIPAA compliance, and all your staff HIPAA attestations, again, online. Those constitute a critical MINIMUM plan. Less than that, and you’d better get someone to help you get HIPAA compliant ASAP.

    I am not an attorney, nor am I offering legal advice. This information is offered for educational purposes and is based on open publications and informed professional expertise.


  11. I have been a victim of a HIPAA violation, which could affect me tremendously, both personally and financially. A hospital staff member shared my medical diagnosis with their friend, who is a mutual friend of mine. This friend then asked me about my condition, naming it specifically, and the struggles I was having because of my condition. My condition has not been shared with anyone but my doctor and my spouse. This has a great financial and personal impact on me as I am in the process of training for a specific license; I have spent over $80,000.00 purchasing equipment and training for this license. Because of the law changing, within months my medical condition will not impact my licensing, but as of now it does, so this violation has not only embarrassed me, with the inquiry of my health by others, but it has impacted me financially and personally. What can I do to make sure this violation is reported, the person is held accountable and I can recover the thousands of dollars I have lost because of this violation?

  12. My private health and safety was breached when Hillary Clinton had a private email server in her basement that was not HIPAA compliant.
    Hillary Clinton of all people should be aware of the HIPAA rules and regulations, because it was her husband, Bill Clinton, who signed the HIPAA bill into law, as his last signature as President of the United States of America, immediately before he was impeached by the House of Representatives on December 19, 1998.

    1. I work for an IPA/medical group who is having a problem with their medical documentation program: the information will be charted under, let’s say, Aetna and the member is actually Blue Shield, so it looks like the information is under a wrong health plan.

  13. Is it a violation to email a patient list from an office to a personal home email? The list of about 100 people was part of a community eligible for medical testing due to contaminated drinking water. Only 1 person signed up to be tested. The list included name/address/phone number.

  15. bcant41

    I need some advice. My sister was put in a long term facility last year. She does not have a home and the hospital is telling her that she will need to leave soon. Now knowing this, we (my family and I) are looking for a home so we can take care of her. But she has found out from other patients that the nurses and other employees in this facility are talking about her situation loud enough that those other patients are asking her questions about her situation. I’m wanting to know if this is a HIPAA violation. She also received a phone call from her social worker, and the person that works at the facility did not ask her but put her phone call on three-way and tried to take over the conversation.

  16. My doctor refuses to release my medical records. I am under psychiatric care. I have asked numerous times for my records to be released to me. What can I do to get them?

  17. I work for a school district and was out for a day and a half. I went to the doctor, got an excused note and brought it to personnel. It excused me for the day I was out and stated I could return back to work. The secretary called me and left a message asking me for the doctor’s note with my diagnosis on it. When I responded back to her I told her I believed that is a violation of my privacy and they could not ask for this; she stated yes they could and that it is in our contract, which it is not. They proceeded to bully me into giving them the form, stating they could choose not to pay me. Is this a violation of my HIPAA rights? Spoke with my union rep; they informed me it was against the law.

  18. If an employer announces to clients the reason for your termination in a public room, is the employer in violation of breaching the HIPAA Law?

  19. An employee from the veterans department that is the ex of my wife sent her a text threatening to use my records to gain custody of his daughter from my wife. I’m 100% VA rated with multiple disabilities including 100% PTSD. I talked to the director of the VA and nothing has been done. What are my rights regarding this situation?

  20. I’m about to be suspended for 5 days without pay because I looked at my father’s record (just his name, no results, and he has been dead for over 10 years [12-15-2007]) and my name (no results). I’m a Medical Technologist working for Valley Health in the state of Virginia. I was told by the DMV that I could not use Jr. in my name because it was not filed that way on my birth certificate. I accessed my name and my father’s name in EPIC (Healthcare Software). Valley Health says that it was a HIPAA violation to access my name and his name. Would somebody please tell me where to find this in the HIPAA regulations and what the HIPAA regulations state about this? Thank you

  21. January 25, 2018. Mrs. Annie L. Carter, M.S.W.,
    Case Manager, Transitional Housing for Good Neighbor Homeless Shelter, called my doctor without my permission to send her a letter stating that I could not work. She wanted it to be written just like that, word for word, for it would make me not eligible for the program. Of course the doctor’s office would not do it, and contacted me right away.
    Also wrote a letter.

  22. We have two RNs in our department who are sisters. They often work the same schedule or follow each other’s patients on opposing days. I have often been the off-going nurse trying to give report to one of these sisters, but am quickly informed that the other sister has already told them all about the patient so my report is unnecessary. I have mentioned to each of them that this is a HIPAA violation but neither seems to stop the practice. I’m concerned because we have a lot of sensitive CPS cases here and in general it just feels like a BIG HIPAA violation.

  23. I live in a small town and my fiancé’s ex-wife is a legal assistant/paralegal to our seemingly only family court judge, who oversaw their divorce, their child custody and the racketeering of his family home. My medical records and a hospital stay were used in his custody case though I had only been with him 7 months by then. I cannot find a lawyer in our small town to represent us.

  24. Took brother to JPS emergency room. They put him on the wall in the hall, and discussed his medical business for everyone to hear. The lady who takes insurance information heard me talking about his HIPAA rights and began to be discreet with his information.

  25. I was discussing how my brother’s HIPAA rights are being violated because JPS has him on the wall in the hall and is discussing all his medical information out in the open. They never stopped, they never tried to do it privately with just him or anything. When the check-in person heard me say something about his HIPAA rights she then tried to ask if the information was correct on his forms without us talking out loud about it, but other than that, at JPS Hospital HIPAA rights are violated.
