Your HIPAA Breach Notification Questions Answered

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

The HIPAA Breach Notification Rule is a requirement put in place that requires HIPAA-covered entities and their business associates to “provide notification following a breach of unsecured protected health information.”

The details provide an outline for how healthcare providers, hospitals, and physicians must notify the affected individuals, the Secretary of the U.S. Department of Health & Human Services (HHS), and the media in certain circumstances.

What Are the Notification Requirements?

Individuals
The individual that is affected by the breach must be notified once the discovery is made, and it needs to be done in written form via first-class mail. If that person has requested that notifications are to be received electronically, the notification can done be via e-mail. If the covered entity has outdated or insufficient contact information for 10 or more individuals, in addition to notifying each affected individual, the notice must be posted on their website’s homepage for at least 90 days or posted in major print or broadcast media. This must occur where the affected individuals are likely to maintain residence. A toll-free phone number must also be provided by the covered entity for at least 90 days. This provides a way for individuals to learn if their information has been affected by the breach.

According to the HHS government site, this must be done “without reasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

If the breach occurs at or by the covered entity’s business associate, it is still their responsibility to make sure that the individuals that they support are notified. The responsibility can be delegated to the BA but they should (together) decide which of the two is in a better position to do so.

Media
If a breach affects 500 or more residents of a state or jurisdiction area, the media outlets serving that area must be notified by the covered entity. This is often done by submitting a press release to the appropriate outlets. It must be done no later than 60 days following the breach discovery. The information included should be the same as that provided in the individual notice.

Notice to the Secretary
Notifying the Department of Health & Human Services Secretary can be done by going to the HHS website and electronically completing a breach report form. If the breach affects less than 500 people, it can be reported on an annual basis no later than 60 days after the end of the calendar year in which the breach was discovered. If more than 500 individuals are affected, it must be reported without reasonable delay and no later than 60 days following the breach.

Business Associates
A business associate must notify the covered entity that it works with without reasonable delay and no later than 60 days from the breach discovery. Providing identification of all details and valuable information including the identities of individuals with compromised information should be done to the best extent possible.

Administrative Requirements & Burden of Proof
Providing proof that all required notifications have been provided is required by covered entities and business associates. Documentation should be maintained that:

  • All required notifications were made
  • Documentation that notification was not required. This means showing:
    1. That its risk assessment demonstrates a low probability that the protected health information has been compromised by the impermissible use or disclosure.
    2. The application of any other exceptions to the definition of “breach.”

This article was originally published on HIPAA Secure Now! and is republished here with permission.