All HIPAA covered entities must be aware of the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is identified.
While most HIPAA covered entities should understand the HIPAA breach notification requirements, entities that have yet to suffer a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unaware of the reporting requirements and the actions that must be taken after a breach.
Sending notifications following a breach of unencrypted protected health information is a crucial element of HIPAA compliance. Failure to comply with the HIPAA breach notification requirements can lead to a significant financial penalty.
In Short: HIPAA Breach Notification Requirements
The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires covered entities and their business associates to report breaches of electronic protected health information and of physical copies of protected health information. A breach is defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the HIPAA Rules.
HIPAA breaches include unauthorized access by workers as well as by third parties, impermissible disclosures, the exposure of protected health information, and ransomware attacks. Exceptions include: (1) breaches of secured protected health information, including encrypted data where the decryption key has not also been obtained; (2) “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure;” (3) an inadvertent disclosure by an individual who is authorized to access PHI to another member of staff at the organization who is also authorized to access PHI; and (4) a disclosure where the covered entity or business associate has a good faith belief that the data could not have been retained by the individual who received it.
Should a reportable HIPAA breach occur, the HIPAA breach notification requirements are as follows:
1. Contact Individuals Affected – or Potentially Affected – by the Breach
All those impacted by a data breach, who have had their protected health information accessed, acquired, used, or disclosed, must be made aware of the breach. Breach notifications are also necessary for any individual who is reasonably believed to have been impacted by the breach.
Breach notification letters must be issued within 60 days of the discovery of a breach unless a law enforcement agency has requested that notifications be delayed. In that case, notifications should be sent as soon as the request has ended. While it is permissible to delay reporting a breach to the HHS for breaches impacting fewer than 500 individuals (see below), that delay is not allowable for notifications to breach victims.
Breach notification letters must be mailed first class to the last known address of breach victims, or by email if individuals have given authorization to be contacted digitally.
The HIPAA breach notification requirements for letters include writing in plain language, explaining what has taken place and what information has been breached or stolen, giving a brief explanation of what the covered entity is doing or has done in response to the breach to mitigate harm, summarizing the actions that will be taken to prevent future breaches, and supplying instructions on how breach victims can minimize the damage. Breach victims should also be given a toll-free number to contact the breached entity for further details, together with a postal address and an email address.
2. Contact the Department of Health and Human Services
Notifications must be sent to the Secretary of the Department of Health and Human Services using the Office for Civil Rights breach reporting tool. The HIPAA breach notification requirements vary depending on how many individuals are affected by the breach.
When the breach has impacted more than 500 individuals, the maximum permitted time for issuing the notification to the HHS is 60 days from the discovery of the breach, although breach notices should be sent without unreasonable delay. If the breach impacts fewer than 500 individuals, the HIPAA breach notification requirements allow notifications to be sent to the HHS within 60 days of the end of the calendar year in which the breach was identified.
3. Contact the Media
The HIPAA breach notification requirements include sending a notice to the media. Many covered entities that have suffered a breach of protected health information notify the HHS, the relevant state attorneys general, and the patients and health plan members impacted by the breach, but do not issue a media notice, which is itself a violation of the HIPAA Breach Notification Rule.
A breach of unsecured protected health information that affects more than 500 individuals must be reported to prominent media outlets in the states and jurisdictions where the breach victims reside (see 45 CFR § 164.406). This is a crucial requirement, as up-to-date contact information may not be held for all breach victims. Notifying the media helps to ensure that all breach victims are made aware of the possible exposure of their sensitive information. As with the notifications to the HHS and to breach victims, the media notification must be issued within 60 days of the discovery of the breach.
4. Publish a Substitute Breach Notice on the Home Page of the Breached Entity’s Website
If up-to-date contact information is not held for 10 or more individuals impacted by the breach, the covered entity is required to publish a substitute breach notice on its website and link to the notice from the home page. The link to the breach notice should be in a prominent position on the page and should remain there for 90 consecutive days. Where fewer than 10 individuals have out-of-date contact information, alternative means can be used to issue the substitute notice, such as a written notice or notification by telephone.
5. Data Breaches that Target HIPAA Business Associates
Business associates of HIPAA covered entities must also comply with the HIPAA breach notification requirements and can be penalized directly by the HHS’ Office for Civil Rights and by state attorneys general for a violation of the HIPAA Breach Notification Rule.
All breaches of unsecured protected health information must be reported to the covered entity within 60 days of the breach being identified. While this is the absolute deadline, business associates must not delay issuing notifications unnecessarily. Doing so is a violation of the HIPAA Breach Notification Rule.
It is usually the covered entity that issues breach notifications to impacted individuals, so the breach notification to the covered entity will need to be accompanied by the details of the individuals impacted. It is considered best practice to notify the covered entity of a breach rapidly and to supply further information on the individuals impacted once the investigation has been completed. Under the terms of a HIPAA-compliant Business Associate Agreement (BAA), a business associate may be required to issue breach notifications to affected individuals itself.
Issuing Breach Notifications Timeline
Breach notifications should be sent as soon as possible and no more than 60 days following the discovery of the breach, except when a delay is requested by law enforcement. Investigating a breach of protected health information can take a considerable amount of time, but once all the information needed to issue breach notifications has been obtained, they should be sent out.
HIPAA covered entities must not delay sending breach notification letters, as they can receive a HIPAA violation penalty for unnecessary delay even if the letters are sent within 60 days of the discovery of the breach.
State Breach Notification Laws Could be More Stringent than HIPAA
All U.S. states have their own breach notification laws. Usually, notifications must be issued to breach victims promptly and a notice must also be filed with the state attorney general’s office. Some states stipulate that breach notifications must be sent well within the HIPAA deadline.
Delaying breach notifications until the 60-day HIPAA limit could therefore break state laws, resulting in financial penalties from state attorneys general. State laws are often amended, so it is important to keep up to date with the breach notification laws in the states in which you do business.