As data breaches become more frequent and complex, healthcare organizations are encouraged to become familiar with HIPAA's Breach Notification Rule.
What is the HIPAA Breach Notification Rule?
According to Health IT Security, the HIPAA Breach Notification Rule requires HIPAA covered entities to provide notification to individuals, regulators, and the media following a breach of protected health information (PHI).
A breach is "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information", as stated by the U.S. Department of Health and Human Services. Covered entities must provide notification if the breach involved unsecured PHI, which is PHI that has not been deemed unusable, unreadable, or indecipherable to unauthorized persons.
How to be prepared to make an official notification
Organizations should develop and implement a cyber incident response plan that includes breach notifications.
When a breach is suspected, the Health and Human Services (HHS) Department recommends taking the following four steps to conduct a risk assessment:
- Confirm if PHI was acquired or viewed.
- Discover the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- Identify the unauthorized person(s) who used the PHI or to whom the disclosure was made.
- Determine the extent to which the risk to the PHI has been mitigated by the covered entity.
Conducting a risk assessment is an important piece of the investigation once a report is made. As Jesse Coleman, Partner at Houston-based law firm Seyfarth Shaw, states, "the office for Civil Rights, which is the enforcement mechanism for the HHS secretary, will look to this risk assessment if it turns out that there has been some sort of impermissible use or disclosure that was not reported."
Are there exceptions to what needs to be reported?
HHS notes that there are three exceptions to the breach definition of PHI:
- The unintentional acquisition, access or use of PHI by an employee or person acting under the authority of a covered entity or business associate.
- The inadvertent disclosure by a person authorized to access PHI at a covered entity to another authorized person.
- The covered entity or business associate has a "good faith belief" that the unauthorized person would not have been able to retain the information.
Who should be notified?
The HHS requires three types of entities to be notified in the case of a PHI data breach:
- Individual victims
The notification must also include the following information:
- Description of the breach.
- Description of the types of information involved in the breach.
- Steps that breach victims should take to protect themselves from harm.
- Description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent further instances.
- Contact information for the covered entity.
When should notification be provided?
- A covered entity must send notification by first-class mail or email.
- If a covered entity experiences a breach affecting more than 500 residents of a state or jurisdiction, it is required to notify prominent media outlets within its state or jurisdiction within 60 days of breach discovery.
- The Office for Civil Rights (OCR) must always be notified about a breach of unsecured PHI. If the breach impacts 500 or more individuals, the covered entity must inform the OCR within 60 days of breach discovery.
- For breaches affecting fewer than 500 individuals, the covered entity can notify the OCR on an annual basis.
An important final reminder
Covered entities and business associates are required to demonstrate that they have provided all necessary notifications in the event of a breach of PHI, or that they have determined through a risk assessment that the disclosure of unsecured PHI was not a breach of PHI.
Learn more by visiting WWW.HHS.GOV