HIPAA covered entities must know their obligations under the HIPAA Breach Notification Rule and have processes ready to be put in place should a protected health information (PHI) disclosure be discovered.
Even if covered entities are familiar with the requirements in theory, those who have never suffered a breach may not understand their duties in practice. Service providers that are new to the healthcare sector may also be uncertain of their role in the case of a breach.
Issuing breach notifications is essential for HIPAA compliance should unencrypted PHI be leaked. The Breach Notification Rule carries hefty penalties for entities that do not correctly notify relevant parties. To help covered entities and business associates better understand the breach notification requirements, we have put together the summary below.
Summary of HIPAA Breach Notification Requirements
The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – compels covered entities and business associates to notify certain stakeholders of PHI breaches. Any acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA Rules is classified as a breach.
Unauthorized access by staff is also considered a breach, as are improper disclosures, exposures of PHI, and ransomware attacks. Some cases are exempt, such as breaches involving encrypted data where the encryption key has not been acquired; inadvertent disclosures by personnel authorized to view PHI to other authorized personnel; cases where a disclosure occurs but the responsible party has a good faith belief that information could not have been retained by the unauthorized party; and “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure”.
Should a notifiable breach occur, the following HIPAA Breach Notification rules should be observed:
Notify Individuals Impacted or Potentially Impacted
Anyone who had or can be reasonably believed to have had their PHI accessed, acquired, used, or disclosed must be made aware of the breach.
Breach Notification letters must be issued within 60 days of discovering the breach, except when law enforcement has requested a delay. Should a delay be requested and granted, notification should be issued as soon as the delay has passed. Breaches affecting fewer than 500 people do not need to be reported to the Department of Health and Human Services (HHS) as quickly, as outlined below, but affected individuals must still be notified in this time frame.
Breach Notifications must be sent either by first class mail to the last known address of the impacted persons, or by email if the individual has consented to being contacted in this manner.
Notification letters must explain the situation in plain language, detail the information that has been stolen or exposed, include a short overview of the steps the covered entity is taking to reduce any damage the breach may cause and limit the chances of future breaches occurring, and advise individuals on what they can do to reduce harm. A toll-free telephone number, postal address, and email address must also be given to victims so they can contact the entity for more information.
Notify the Department of Health and Human Services
The Secretary of the Department of Health and Human Services must be notified and this can be done on the Office for Civil Rights’ (OCR) breach portal. Notification requirements under HIPAA depend on the number of people affected.
If more than 500 people are affected, HHS must be notified within 60 days of discovery. No unnecessary delay should hold up the notification; it should be issued as soon as possible within this 60-day period. If fewer than 500 people are affected, the covered entity must notify HHS within 60 days of the end of the calendar year in which the breach was discovered – i.e. a breach discovered in January 2009 must be reported to HHS before early March 2010.
Notify the Media
The media may also need to be notified to comply with HIPAA breach notification requirements. This can sometimes be forgotten by covered entities who are already occupied notifying HHS, state Attorneys General, and impacted patients, but failing to notify the media is a HIPAA violation.
Prominent media outlets serving the states or jurisdictions in which the individuals affected by larger breaches of unsecured PHI (those affecting more than 500 people) reside must be notified of the breach to comply with 45 CFR § 164.406. Media exposure allows those whose contact information is out of date to be informed of the breach. Media notification must also be completed within 60 days of discovery.
Post a Substitute Breach Notice on the Breached Entity’s Internet Home Page
If current contact information is unavailable for 10 or more affected individuals, the breached entity must prominently host a link to a substitute breach notice on the home page of their website for 90 consecutive days. If contact information is out of date for fewer than 10 people, other methods can be used to try and reach them.
Data Breaches by HIPAA Business Associates
Business Associates are also subject to HIPAA Rules and can be sanctioned similarly to covered entities for notification violations.
Should unsecured PHI be disclosed, associates have 60 days from discovery to notify the appropriate parties and, as with covered entities, should not unnecessarily delay notification. Unnecessary delays are HIPAA violations.
Covered entities are normally the ones who issue notifications to the people affected, even if it is the business associate that experienced the breach. The associate will need to identify the patients involved to the entity as well as notifying the entity of the breach. It is recommended to quickly advise the entity of the breach and follow up with more details as they become available. Business associate agreements (BAAs) may oblige associates to issue their own notifications.
Deadlines for Breach Notifications
Notifications must be issued within 60 days of discovery, without unnecessary delays during that period, unless law enforcement has asked for a delay. PHI breach investigations can be lengthy processes, but notifications should be issued as soon as sufficient information has been obtained.
It is important not to delay notifications unnecessarily within the 60-day period; doing so can lead to fines. A number of enforcement cases resulting from late notifications have occurred recently.
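As an added example (not from the original page), the following Python helper turns the thresholds and deadlines summarised above (individuals, HHS, media, substitute web notice, and the business associate's duty to the covered entity) into a per-breach task list. It encodes only the figures stated on this page, counts the 60-day windows as calendar days, and reproduces the page's own small-breach illustration of a January 2009 discovery.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and windows as stated on this page (calendar days).
NOTIFY_WINDOW = timedelta(days=60)       # individuals, HHS (>500), media, BA -> covered entity
LARGE_BREACH = 500                       # "more than 500" triggers same-year HHS + media notice
SUBSTITUTE_NOTICE_MIN = 10               # 10+ unreachable -> substitute notice on home page
SUBSTITUTE_NOTICE_DAYS = 90

@dataclass
class Breach:
    discovered: date
    affected: int
    unreachable: int = 0                 # individuals with no current contact details
    encrypted_key_safe: bool = False     # PHI encrypted and key not acquired -> exempt
    by_business_associate: bool = False  # BA must also notify the covered entity
    law_enforcement_hold: Optional[date] = None  # hold requested by law enforcement

def notification_plan(b: Breach) -> dict:
    """Return the notification tasks and deadlines this page's summary implies."""
    if b.encrypted_key_safe:
        return {"notifiable": False}
    plan = {"notifiable": True, "individuals_by": b.discovered + NOTIFY_WINDOW}
    if b.affected > LARGE_BREACH:
        plan["hhs_by"] = b.discovered + NOTIFY_WINDOW
        plan["media_by"] = b.discovered + NOTIFY_WINDOW
    else:
        # Smaller breaches: within 60 days of the end of the calendar year of discovery.
        plan["hhs_by"] = date(b.discovered.year, 12, 31) + NOTIFY_WINDOW
    if b.unreachable >= SUBSTITUTE_NOTICE_MIN:
        plan["substitute_notice_days"] = SUBSTITUTE_NOTICE_DAYS
    if b.by_business_associate:
        plan["covered_entity_by"] = b.discovered + NOTIFY_WINDOW
    if b.law_enforcement_hold:
        # Deadlines are left unchanged; notices go out as soon as the hold lapses.
        plan["hold_until"] = b.law_enforcement_hold
    return plan

def plan_for(discovered_iso: str, affected: int, **kw) -> dict:
    """Convenience wrapper taking an ISO date string, e.g. plan_for("2009-01-15", 120)."""
    return notification_plan(Breach(date.fromisoformat(discovered_iso), affected, **kw))

if __name__ == "__main__":
    # Constructed sample matching the page's January 2009 small-breach illustration.
    for task, deadline in plan_for("2009-01-15", 120).items():
        print(f"{task}: {deadline}")
```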
State Laws May be Stricter Than HIPAA Laws
Many states also have legislation governing breach notifications. Often, the State Attorney General and victims must be notified. Some states have much shorter time periods than HIPAA allows for breach notifications to be issued.
State attorneys general may fine covered entities for late notifications even if HIPAA’s 60-day period is respected. State laws are more subject to change than federal laws and should be closely monitored.
Penalties for HIPAA Breach Notification Requirement Violations
Covered entities must follow breach notification requirements or risk sanctions from states or the OCR.
2017 saw the first covered entity fined for deadline violations alone. Presence Health settled the case with OCR for $475,000 after waiting three months following discovery of a breach before issuing notifications. The maximum fine for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is greater than 12 months.