The Health Insurance Portability and Accountability Act of 1996 is one of the most significant pieces of legislation to affect healthcare, yet many healthcare providers and insurers are unaware of HIPAA requirements, in particular those linked to the HIPAA Breach Notification Rule.
There has been a lot of criticism of healthcare providers and insurance companies in recent months regarding the speed at which people impacted by data breaches are notified that their healthcare data and personal information have been stolen, lost or divulged to an unauthorized person.
Considering this, and given the rise in the number of HIPAA data breaches in recent months, we have put together a summary of the important elements of the HIPAA Breach Notification Rule to help healthcare organizations respond quickly to data breaches and remain HIPAA-compliant.
HIPAA Breach Notification Rule Summary
HIPAA Rules set standards which healthcare groups and other covered entities must follow in order to minimize the chance of patient data being exposed; however, even with the most complex data security systems, it is still possible for unauthorized people to access computer systems. One need only look at the recent hack of the Pentagon’s Twitter account to see that no organization is safe from attack.
If your group has suffered a data breach, the steps that must be taken depend on the nature of the data compromised and the number of people impacted:
Breaches Impacting Over 500 Individuals
If a data breach takes place which exposes the PHI of more than 500 people, the Department of Health and Human Services’ Office for Civil Rights must be alerted “without unreasonable delay”, and certainly within 60 days of discovering the breach. The report should be made via the OCR breach reporting web portal. Breach notification letters must also be sent to all affected individuals – see the section below.
Sending Notifications of the Breach to the Media
A major media source serving the state in which the victims are located must be advised that a data breach affecting more than 500 individuals has taken place, and that notice must be issued within 60 days of spotting the breach.
Publishing of Breach Details on the Company Webpage
It is not obligatory to publish information relating to the breach on the company website for all breaches. However, if more than 10 people cannot be contacted because contact details are incomplete or out of date, a notice must be published prominently on the company website for a period of 90 days; if this method of notification is not selected, the group must instead publish the information through major print and broadcast media. A toll-free telephone number must also be provided so that breach victims can get in touch with any questions.
Breaches Impacting Fewer than 500 People
Data breaches involving fewer than 500 individuals require notifications to be sent to all impacted individuals without unreasonable delay, and within 60 days of the identification of the breach. The media does not need to be advised of these small-scale data breaches, even when they involve the compromise of Social Security numbers and healthcare data.
The Department of Health and Human Services’ Office for Civil Rights must be made aware of all sub-500-record data breaches within 60 days of the beginning of the new calendar year. For example, a data breach occurring on January 1 would not need to be reported to the OCR until March 2nd of the following year.
Business Associates Responsible for Data Breaches
Any Business Associate that finds out it has been responsible for a breach of PHI must advise the covered entity of the incident no later than 60 days after the discovery of the breach. Attempts should be made to identify the individuals affected as well as the data that was impacted in the incident.
Sending Breach Notification Letters
When a breach does happen, all covered entities, including their Business Associates, are required to alert all impacted individuals that their Protected Health Information has been exposed, whether it was due to a hacking incident, a lost laptop or smartphone, or any other device that contained unencrypted PHI. The HIPAA Breach Notification Rule also applies to paper records, x-ray films and all other physical records that include PHI. The loss, theft or disclosure of these records also requires the affected individuals to be notified.
Breach notification letters must be sent by first-class mail, although in cases where individuals have agreed to receive communications via email, this is an acceptable method of communication. The notification letters – or emails – must include details of the breach, the information that was potentially impacted, a description of the actions taken by the company in response to the breach, information on the efforts made to minimize damage or loss, and the actions which can be taken by individuals to address the risk.
Breach notification letters must be sent if the healthcare firm, health plan, Business Associate or other covered entity can show that there is a reasonable chance that PHI has been viewed, or could potentially be viewed. Breach notification letters can be issued without a risk assessment having first been conducted, although the decision not to send notification letters should only be made after a thorough risk assessment has been performed. This assessment must consider the following points:
- The range of data exposed and the likelihood of a patient or plan member being identified using the data
- The individual who has seen/obtained the data and with whom they have shared it
- The chance of PHI being obtained, viewed and/or shared
- The extent to which any possible damage has been addressed
If a portable device or desktop computer has gone missing or been stolen, it is only considered a HIPAA breach – and therefore only requires breach notification letters to be sent – if the PHI contained on the device, or accessible via it, is unencrypted. In the case of loss or theft of encrypted devices, breach notification letters only need to be issued if the security key was also lost or stolen.
N.B. Password protection is not the same as data encryption. In the case of loss or theft of devices containing password-protected PHI, breach notifications will still need to be sent.
Actions Taken Must Be Documented
All covered entities must maintain a record of the actions taken following a breach, as these may be requested by OCR auditors. The HIPAA Breach Notification Rule requires details of the breach notification letters that have been sent to be recorded, along with evidence that they have indeed been delivered.
If breach notification letters are deemed not to be required, the reason for this decision, along with evidence to support it, must be documented.