Summary of the HIPAA Breach Notification Rule
The Health Insurance Portability and Accountability Act of 1996 is one of the most important pieces of legislation to affect the healthcare industry, yet many healthcare providers and insurers are unaware of HIPAA obligations, in particular those relating to the HIPAA Breach Notification Rule.
There has been considerable criticism of healthcare providers and insurance companies in recent months regarding the speed at which individuals affected by data breaches are notified that their healthcare data and personal information has been stolen, lost or divulged to an unauthorized individual.
With this in mind, and given the rise in the number of HIPAA data breaches in recent months, we have prepared a summary of the important elements of the HIPAA Breach Notification Rule to help healthcare organizations respond quickly to data breaches and stay HIPAA-compliant.
HIPAA Rules set standards which healthcare providers and other covered entities must follow in order to reduce the chance of patient data being exposed; however, even with the most sophisticated data security systems, it is still possible for unauthorized individuals to gain access to computer systems. One need only look at the recent hack of the Pentagon’s Twitter account to see that no organization is impervious to attack.
If your organization has suffered a data breach, the steps that must be taken depend on the nature of the data compromised and the number of people affected:
Breaches Affecting 500 or More Individuals
If a data breach occurs which exposes the unsecured PHI of 500 or more individuals, the Department of Health and Human Services’ Office for Civil Rights must be notified “without unreasonable delay”, and in any case within 60 days of the discovery of the breach. The report is made via the OCR breach reporting web portal, at the same time as the notifications to individuals. Breach notification letters must also be sent to all affected individuals – see the section below. Note that the 500 threshold for OCR reporting is “500 or more”, whereas the media notice threshold below is “more than 500”; a breach affecting exactly 500 individuals must be reported to OCR within 60 days.
Issuing Notification of the Breach to the Media
A prominent media outlet serving the state or jurisdiction in which the affected individuals reside must be alerted to any breach involving more than 500 residents of that state or jurisdiction, and that notice must be issued without unreasonable delay and within 60 days of discovery of the breach.
Posting of Breach Details on the Company Website
It is not mandatory to post information relating to the breach on the company website for all breaches. However, if 10 or more affected individuals cannot be contacted because their contact information is missing or out of date, a substitute notice must be provided: either a notice posted prominently on the home page of the company website for a period of 90 days, or a conspicuous notice in major print or broadcast media serving the areas where the affected individuals are likely to reside. In either case a toll-free telephone number, active for at least 90 days, must also be provided so that breach victims can get in touch with any questions. Where fewer than 10 individuals cannot be reached, an alternative form of written notice, telephone call or other means may be used instead.
Breaches Affecting Fewer than 500 Individuals
Data breaches involving fewer than 500 individuals require notifications to be sent to all affected individuals without unreasonable delay, and within 60 days of the discovery of the breach. The media does not need to be informed of these small scale data breaches, even when they involve the compromising of Social Security numbers and healthcare data.
The Department of Health and Human Services’ Office for Civil Rights must also be notified of all breaches affecting fewer than 500 individuals, but these may be logged and submitted together within 60 days of the end of the calendar year in which the breach was discovered. A breach discovered on January 1, for example, need not be reported to OCR until the beginning of March of the following year. Note that the clock is tied to the year of discovery, not the year in which the breach occurred.
Business Associates Responsible for Data Breaches
Any Business Associate that discovers a breach of unsecured PHI must notify the covered entity of the incident without unreasonable delay and no later than 60 days after the discovery of the breach. To the extent possible, the Business Associate must identify each individual whose PHI was affected and provide the covered entity with any other information the covered entity needs in order to notify those individuals, including a description of the data that was compromised.
Issuing of Breach Notification Letters
When a breach does occur, covered entities are required to notify all affected individuals that their Protected Health Information has been exposed, whether it was due to a hacking incident, a lost laptop or smartphone, or any other device that contained unsecured (unencrypted) PHI. A Business Associate’s duty is to notify the covered entity, although a covered entity may contractually delegate the individual notifications to the Business Associate. The HIPAA Breach Notification Rule also applies to paper records, x-ray films and all other physical records containing PHI; the loss, theft or disclosure of these records likewise requires the affected individuals to be notified.
Breach notification letters must be sent via first-class mail, although in cases where individuals have agreed to receive communications via email, this is an acceptable means of communication. The notification letters – or emails – must be written in plain language and include a description of what happened, including the date of the breach and the date it was discovered (if known); the types of PHI that were involved; the steps individuals should take to protect themselves from potential harm; a description of what the organization is doing to investigate the breach, mitigate harm and protect against further breaches; and contact procedures for individuals with questions, which must include a toll-free telephone number, an email address, a website or a postal address.
Since the 2013 Omnibus Final Rule, any impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a reportable breach unless the healthcare provider, health plan, Business Associate or other covered entity can demonstrate that there is a low probability that the PHI has been compromised. Breach notification letters can be issued without a risk assessment having first taken place, but a decision not to send notification letters should only be made after a thorough risk assessment has been performed and documented. This assessment must consider at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of a patient or plan member being re-identified from the data
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed, as opposed to merely being exposed to the possibility of access
- The extent to which the risk to the PHI has been mitigated
If a portable device or desktop computer has been lost or stolen, it is only considered a HIPAA breach – and therefore only requires breach notification letters to be sent – if the PHI contained on the device, or accessible through it, is unsecured, i.e. not encrypted in line with HHS guidance. In the case of loss or theft of an encrypted device, breach notification letters only need to be sent if the decryption key was also lost or stolen, or was stored on the same device.
N.B. Password protection is not the same as data encryption. A login password or screen lock does not render the data on a disk unreadable, so in the case of loss or theft of devices containing password-protected but unencrypted PHI, breach notifications will still need to be issued.
Documentation of Actions Taken
All covered entities must maintain a record of the actions taken following a breach, as these may be requested by OCR auditors or investigators. The burden of proof lies with the covered entity or Business Associate: it must be able to demonstrate that all required notifications were made, so the HIPAA Breach Notification Rule requires details of the breach notification letters that have been sent to be recorded, along with evidence that they have indeed been sent.
If breach notification letters are deemed not to be necessary, the reason for this decision, along with evidence to support it, must be documented.
Penalties for HIPAA Breach Notification Rule Violations
The failure to issue breach notification letters within 60 days of the discovery of a breach is a violation of the HIPAA Breach Notification Rule and can attract a penalty from OCR and state attorneys general. The maximum penalty for non-compliance is $1.5 million, per violation category, per calendar year.
While the HIPAA Breach Notification Rule stipulates notifications must be issued within 60 days of the discovery of a breach, unnecessarily delaying breach notifications is also a violation of the HIPAA Breach Notification Rule and could attract a financial penalty. The HIPAA Breach Notification Rule says notifications must be issued “without unreasonable delay.”
In 2017, OCR took the decision to pursue a case against Presence Health for delaying the issuing of breach notification letters. Presence Health discovered the breach on October 22, 2013, yet OCR was not notified until January 31, 2014 – more than a month after the 60-day HIPAA Breach Notification Rule deadline had passed. Presence Health settled the case for $475,000.
Further information on the HIPAA Breach Notification Rule
More detailed information on the HIPAA Breach Notification Rule can be found on the HHS website.