If you googled the phrase “HIPAA Breach” and went to the news section, you would see a ton of stories of organizations declaring that they suffered one.
Why would any organization disclose an issue with their compliance with HIPAA?
Corporate overlords would say that disclosing something like that would have a massive, negative impact on revenue. So, odds are they wouldn’t. Luckily, it’s for that very reason that the HIPAA Breach Notification Rule exists.
You see, HIPAA-covered entities and business associates need to be familiar with the HIPAA Breach Notification Rule and its requirements. This can help you develop a HIPAA-compliant breach response plan.
You will need to mobilize the troops, so to speak, as soon as someone discovers a breach of unsecured Protected Health Information (PHI). Therefore, you need to have prior knowledge of the notification rule.
Many healthcare entities have already experienced a breach. But if you are in the minority that haven’t experienced a breach yet, you might not have a good working knowledge of the Breach Notification Rule requirements.
Vendors that only just started providing services to healthcare entities may also not have a robust knowledge of the reporting requirements.
If you don’t know what to do in the event of a breach involving PHI, please continue reading.
Table of Contents
What is a Breach?
A breach is the acquisition, access, use, or disclosure of unsecured protected health information, known as PHI. Such actions are not permitted by HIPAA rules and regulations.
We must assume that any impermissible use or disclosure of PHI is a breach. There’s one exception though: the low probability threshold.
A covered entity must assess whether the use or disclosure meets HIPAA’s “low probability of compromise” threshold.
This evaluation happens with a four-factor test…
The nature and extent of the PHI involved
This includes the types of identifiers and the likelihood of re-identification
The unauthorized person/people who used the PHI or received the PHI
Whether someone viewed or acquired the PHI
The amount of effort put into risk mitigation
If there’s an obvious compromise of PHI, covered entities don’t have to perform the entire four-factor risk assessment. Covered entities can begin the breach notification process without conducting a formal risk assessment.
Breaches include…
Unauthorized access by employees and third parties
Improper disclosures
Exposure of PHI
Ransomware attacks
Breaches DO NOT include…
Breaches of secured or encrypted PHI
Any unintentional acquisition access or use of PHI by an employee if made in good faith within the scope of authority and does not result in further disclosure
An inadvertent disclosure by someone who does have the authorization to access PHI
When the covered entity or business associate makes a disclosure and has good faith belief that the recipient did not retain the information
Breach Notification Requirements
The HIPAA Breach notification rule requires covered entities to report breaches of unsecured PHI and ePHI. Of course, this requirement also applies to any business associates.
If there are no breach exceptions or a demonstration of low compromise probability, covered entities need to notify…
Patients
The U.S. Department of Health and Human Services (HHS)
The Secretary
The media (depending on circumstances)
This is especially true if the breach involves an impermissible use or disclosure of PHI.
Business associates must notify covered entities if a breach occurs at or by the business associates.
Individual Notice
A covered entity needs to notify everyone affected by the breach of unsecured PHI. If you suspect someone might have their PHI compromised but can't confirm the breach, you need to notify them too.
A covered entity needs to send a breach notification letter within 60 days of discovering the breach. The only exception is if you request delay notifications from law enforcement. In such cases, notifications should go out as soon as the request expires.
It’s permissible to delay reporting a breach to the HHS for breaches impacting fewer than 500 individuals. However, this delay doesn’t apply to the notification of individuals.
Letter notifying affected individuals of a breach needs to go out using first-class mail to the latest known address of the victim. Using email is also permissible if you have permission from the individual to contact them electronically.
So you know you need to send out letters and emails to people, but what should those letters contain?
You need to write the letter in plain language.
They need to explain…
What happened
A list of exposed or stolen information
What you are doing to resolve the situation
How you are going to move forward so breaches don’t happen again
How victims can limit harm
In addition to the essentials, you need to provide affected individuals with a toll-free number so they can contact you for more information. A postal address and email address can also go a long way.
Notice to The HHS
You need to send a notification to the HHS through the Office for Civil Rights breach reporting tool. Depending on the number of people impacted by the breach, what you need to do may differ.
When the breach impacts more than 500 people, the maximum time you have to issue a notification to the HHS is 60 days from the date of discovery.
If the breach impacts fewer than 500 people, you need to submit a notification to the HHS within 60 days of the end of the calendar year. This calendar year must be the same year of discovery.
Media Notice
The last part of the breach notification rule requirements has to do with notifying local media outlets. Failure to issue a media notice is a HIPAA violation.
If you have a breach on your hands that affected 500 or more individuals, you must report the incident to prominent media outlets in the states and jurisdictions where the victims live. In other words, if your victims live in all fifty states, you need to notify media outlets everywhere.
This is an important part of the HIPAA Breach Notification Rule because not everyone has up-to-date contact information. By notifying the media, you can ensure that you notify all breach victims of the potential exposure of their sensitive information.
Just like with the notice to the HHS and breach victims, you need to notify media outlets within 60 days of the discovery of the breach.
Business Associate Breach Notification
If a business associate is an entity that suffered a breach of unsecured PHI, they must notify any covered entities affected.
This notification must happen “without reasonable delay”, which is a fancy phrase for within 60 days of the discovery of the breach.
What does that notification look like?
Obviously, the business associate needs to provide information about each individual affected by the breach. This includes contact information for notification purposes.
In a perfect world, everyone would have readily available and up-to-date contact information. But, that’s certainly not the case.
So, what happens in the case that an affected person doesn’t have readily available contact information?
The Breach Notification Rule acknowledges that this may not be possible. Thus, in this case, the business associate needs to do their best.
Conclusion
What are the breach notification rule requirements?
Hopefully, you have a good understanding of how to go about notifying the world about the leakage of PHI.
Sending notifications following a breach of unencrypted PHI is an important part of HIPAA compliance. Failure to comply with HIPAA breach notification requirements can result in significant fines and other financial penalties on top of those imposed for the data breach itself.
The problem with HIPAA laws is that they are constantly changing. The best way to stay up-to-date with the laws and regulations is to offer regular training courses to everyone who works in the healthcare industry. If you are a business associate working with a covered entity, you should look into training too.
We offer routine HIPAA training modules to help keep you in compliance with HIPAA laws and regulations. We can help you stay up-to-date with the laws and keep you in compliance. If this sounds like a good idea, click here to learn more about HIPAA training.