What are the HIPAA Breach Notification Requirements?
All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information (PHI) is discovered. HIPAA training for staff must also include the procedures for reporting breaches of unsecured PHI.
While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started providing a service to Covered Entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach.
The issuing of notifications following a breach of unencrypted PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in additional to that impose for the data breach itself. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates.
Summary of the HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires covered entities and their business associates to report breaches of unsecured electronic protected health information and physical copies of protected health information. A breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by HIPAA Rules.
According to the HHS´ guidance on the HIPAA Breach Notification Rule, an impermissible use or disclosure of unsecured protected health information is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
HIPAA breaches include unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks. Exceptions include: Breaches of secured protected health information such as encrypted data when the key to unlock the encryption has not been obtained; “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure;” An inadvertent disclosure by a person who is authorized to access PHI, to another member of the workforce at the organization who is also authorized to access PHI; When the covered entity or business associate makes a disclosure and has a good faith belief that the information could not have been retained by the person to whom it was disclosed.
In the event of a reportable HIPAA breach being experienced, the HIPAA breach notification requirements are:
Notify Individuals Impacted – or Potentially Impacted – by the Breach
All individuals impacted by a data breach, who have had unsecured protected health information accessed, acquired, used, or disclosed, must be notified of the breach. Breach notifications are also required for any individual who is reasonably believed to have been affected by the breach.
Breach notification letters must be sent within 60 days of the discovery of a breach unless a request to delay notifications has been made by law enforcement. In such cases, notifications should be sent as soon as that request has expired. While it is permissible to delay reporting of a breach to the HHS for breaches impacting fewer than 500 individuals (see below), that delay does not apply to notifications to breach victims.
Breach notification letters should be sent by first class mail to the last known address of breach victims, or by email if individuals have given authorization to be contacted electronically.
The HIPAA breach notification requirements for letters include writing in plain language, explaining what has happened, what information has been exposed/stolen, providing a brief explanation of what the covered entity is doing/has done in response to the breach to mitigate harm, providing a summary of the actions that will be taken to prevent future breaches, and giving instructions on how breach victims can limit harm. Breach victims should also be provided with a toll-free number to contact the breached entity for further information, together with a postal address and an email address.
Notify the Department of Health and Human Services
Notifications must be issued to the Secretary of the Department of Health and Human Services, via the Office for Civil Rights breach reporting tool. The HIPAA breach notification requirements differ depending on how many individuals have been impacted by the breach.
When the breach has impacted more than 500 individuals, the maximum permitted time for issuing the notification to the HHS is 60 days from the discovery of the breach, although breach notices should be issued without unnecessary delay. In the case of breaches impacting fewer than 500 individuals, HIPAA breach notification requirements are for notifications to be issued to the HHS within 60 days of the end of the calendar year in which the breach was discovered.
Notify the Media
HIPAA breach notification requirements include issuing a notice to the media. Many covered entities that have experienced a breach of protected health information notify the HHS, relevant state attorneys general, and the patients and health plan members impacted by the breach, but fail to issue a media notice – a violation of the HIPAA Breach Notification Rule.
A breach of unsecured protected health information impacting more than 500 individuals must be reported to prominent media outlets in the states and jurisdictions where the breach victims reside – See 45 CFR §§ 164.406. This is an important requirement, as up-to-date contact information may not be held on all breach victims. By notifying the media, it will help to ensure that all breach victims are made aware of the potential exposure of their sensitive information. As with the notifications to the HHS and breach victims, the media notification must be issued within 60 days of the discovery of the breach.
Post a Substitute Breach Notice on the Home Page of the Breach Entity’s Website
In the event that up-to-date contact information is not held on 10 or more individuals that have been impacted by the breach, the covered entity is required to upload a substitute breach notice to their website and link to the notice from the home page. The link to the breach notice should be displayed prominently and should remain on the website for a period of 90 consecutive days. In cases where fewer than 10 individuals’ contact information is not up-to-date, alternative means can be used for the substitute notice, such as a written notice or notification by telephone.
Data Breaches Experienced by HIPAA Business Associates
Business associates of HIPAA-covered entities must also comply with the HIPAA breach notification requirements and can be fined directly by the HHS’ Office for Civil Rights and state attorney generals for a HIPAA Breach Notification Rule violation.
Any breach of unsecured protected health information must be reported to the covered entity within 60 days of the discovery of a breach. While this is the absolute deadline, business associates must not delay notification unnecessarily. Unnecessarily delaying notifications is a violation of the HIPAA Breach Notification Rule.
It is usually the covered entity that will issue breach notifications to affected individuals, so any breach notification will need to be accompanied with details of the individuals impacted. It is a good practice to issue a breach notification to a covered entity rapidly, and to provide further information on the individuals impacted once the investigation has been completed. Under the terms of a HIPAA-compliant Business Associate Agreement (BAA), a business associate may be required to issue breach notifications to affected individuals.
Timeline for Issuing Breach Notifications
Breach notifications should be issued as soon as possible and no later than 60 days after the discovery of the breach, except when a delay is requested by law enforcement. Investigating a breach of protected health information can take some time, but once all the necessary information has been obtained to allow breach notifications to be sent they should be mailed.
HIPAA-covered entities must not delay sending breach notification letters. It is possible to receive a HIPAA violation penalty for delaying notifications, even if they are sent within 60 days of the discovery of the breach. There have been several recent cases of HIPAA breach notification requirements not being followed within the appropriate time frame, which can potentially result in financial penalties.
State Breach Notification Laws May Be Stricter than HIPAA
U.S. states have their own breach notification laws. Typically, notifications must be issued to breach victims promptly and a notice also submitted to the state attorney general’s office. Some states require breach notifications to be issued well within the HIPAA deadline.
Delaying breach notifications until the 60-day limit of HIPAA could well see state laws violated, leading to financial penalties from state attorney generals. State laws frequently change so it is important to keep up to date on breach notification laws in the states in which you operate.
Penalties for Violations of HIPAA Breach Notification Requirements
HIPAA covered entities must ensure the HIPAA breach notification requirements are followed or they risk incurring financial penalties from state attorneys general and the HHS’ Office for Civil Rights.
In 2017, Presense Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation – after it exceeded the 60-day maximum time frame for issuing breach notifications. Presense Health took three months from the discovery of the breach to issue notifications – A delay that cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.
Responding to a Healthcare Data Breach
HIPAA Breach Notification Requirements FAQs
What is the difference between a HIPAA breach and a HIPAA violation?
A HIPAA breach is when unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy and Security Rules. A HIPAA violation occurs when a Covered Entity, Business Associate, or a member of the workforce fails to comply with any standard in the Privacy, Security, or Breach Notification Rules. It is not necessary for a breach to occur in order for there to be a HIPAA violation – for example, the failure to respond to a patient access request within 30 days is a HIPAA violation, but not a HIPAA breach.
Why must staff be trained on reporting HIPAA breaches?
Staff must be trained on reporting HIPAA violations to their supervisors, managers, or the Privacy Officer. It is not necessary for staff to know the mechanics of the HIPAA breach notification requirements beyond that point, but they must be aware of the consequences of delaying a report in terms of the impact it will have on patients impacted by the breach, the consequences for their employer if notifications are delayed longer than necessary, and on their own jobs if a breach comes to light weeks after it has happened.
What is the difference between secured PHI and unsecured PHI?
Secured PHI is generally defined as Protected Health Information that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technologies or methodologies specified in § 13402 of the HITECH Act. HIPAA is technology neutral, but the implementation specifications relating to Access Controls and Transmission Security state encryption is required unless an equivalent protection is implemented, or the use of encryption is unreasonable and inappropriate in the circumstances.
What is an example of a “good faith belief” that PHI has not been retained?
If, for example, a healthcare professional shows an X-ray image to a person not authorized to view the image but realizes a mistake has been made before it is likely any information relating to the image has been read, it is highly likely that PHI has not been retained and the Covered Entity can reasonably accept – in good faith – there has been no disclosure of unsecured PHI. In this scenario, it is important the healthcare professional reports the unauthorized disclosure to a higher authority, and that the report – along with the good faith determination – is documented.
Why do individuals have to give authorization before they receive email notifications?
Because email is not a secure communication channel, Covered Entities must obtain the authorization of an individual before sending an email that contains PHI. (If the email does not contain PHI, no authorization is necessary). Breach notifications have to inform individuals what PHI was accessed, so therefore Covered Entities can only communicate a breach by email if they have a prior authorization.