Posted

Company has a self-funded health plan and firewalls have been set up between the plan sponsor and the plan. An employee with access to PHI inadvertently sent out PHI concerning another employee to the company's attorney who is handling an employment matter concerning that individual.

The company wants to correct the breach, so the employee is asking the attorney to return all the PHI back. The employee will be reporting this disclosure in the disclosure log, and will be taking steps to make sure that the disclosure does not occur again.

Is there anything else the company should think about doing (other than firing the employee)? Should it tell the individual who already is suing the company about the disclosure (as opposed to listing it as a disclosure if the individual ever requests an accounting)?

Posted

There's no requirement to notify the individual in HIPAA. If you want to do so as a "good faith" measure, it may not be a bad idea. It sounds like you've got your bases covered well.

I'm not sure if the "fire the employee" comment was serious, but HIPAA does require that a covered entity (or here, the sponsor of the covered entity) implement a sanction policy. The employee who caused the breach should be subject to the discipline described in this policy.

Posted

Thanks for the insight. I guess I meant that I don't think that the company wants to go to the extreme of firing the employee, but I understand that there has to be some sort of discipline. Thanks again.
