Following a breach of phi, whose responsibility is it to notify the affected individuals?

A security breach can be devastating for a HIPAA-covered entity, yet breaches do occur, so it is essential to know which HIPAA requirements apply when one does. The HIPAA Breach Notification Rule (45 C.F.R. § 164.400 through § 164.414) requires a covered entity to notify the individuals whose unsecured protected health information (PHI) has been compromised, to notify the Department of Health and Human Services (HHS), and, for larger breaches, to notify the media. "Unsecured" means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons through a method HHS has approved, such as encryption or destruction; a lost encrypted laptop whose key was not also lost is not a reportable breach.

Below, we break down these rules, discuss what to do after a breach, and advise you on what to include in your HIPAA Breach Notification.

What Is a Breach?

Under the HIPAA Privacy Rule, a breach is an impermissible acquisition, access, use, or disclosure of protected health information that compromises its security or privacy. Any impermissible use or disclosure is presumed to be a breach unless the covered entity (for example, a dental practice) or its business associate can demonstrate a low probability that the PHI has been compromised.

That demonstration is made through a documented risk assessment of at least the following four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers present and the likelihood that the data could be re-identified
  2. The unauthorized person who used the PHI or to whom it was disclosed (a disclosure to another HIPAA-regulated entity carries less risk than one to an unknown party)
  3. Whether the PHI was actually acquired or viewed, as opposed to merely exposed (for example, a lost device recovered with forensic evidence that its files were never opened)
  4. The extent to which the risk to the PHI has been mitigated (for example, a signed attestation from the recipient that the information was destroyed and not further disclosed)

The definition of a breach excludes three situations:

  1. The unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate, provided it was made in good faith, within the scope of that person's authority, and does not result in further impermissible use or disclosure.
  2. The inadvertent disclosure of PHI by a person authorized to access it at a covered entity or business associate to another person authorized to access PHI at the same entity, or within an organized health care arrangement in which the covered entity participates, provided the information is not further used or disclosed in an impermissible manner.
  3. A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized person to whom it was made would not reasonably have been able to retain the information (for example, a letter handed to the wrong patient who immediately returns it unopened).

HIPAA Breach Notification Rule Requirements

Following a breach of unsecured protected health information, covered entities must notify the affected individuals, the Secretary of HHS and, in certain circumstances, the media. If a breach occurs at or by a business associate, the business associate must notify the covered entity. The covered entity remains responsible for notifying the affected individuals; it may delegate the mechanics of sending notices to the business associate through the business associate agreement, but the obligation, and the liability if notices are late or missing, stays with the covered entity.

Individual Notice

The HIPAA Breach Notification Rule requires covered entities to notify individuals whose PHI has been breached without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had reasonable diligence been exercised; knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the entity. The 60 days is an outer limit, not a target: waiting until day 59 without a documented reason is itself a violation. Notice must be in writing by first-class mail to the individual's last known address, or by email if the individual has agreed to receive notices electronically.

If the covered entity has insufficient or out-of-date contact information for 10 or more affected individuals, it must provide substitute notice, either by a conspicuous posting on the home page of its website for at least 90 days or by a conspicuous notice in major print or broadcast media in the areas where the affected individuals are likely to reside.

Either form of substitute notice must include a toll-free telephone number, active for at least 90 days, through which individuals can learn whether their information was involved. Where fewer than 10 individuals have outdated contact information, substitute notice may instead be given by an alternative form of written notice, by telephone, or by other reasonable means.

Media Notice

If a breach involves the unsecured PHI of more than 500 residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction. This is usually done via a press release and must happen without unreasonable delay and no later than 60 calendar days after discovery. Media notice is in addition to, not a substitute for, individual notice, and the threshold is counted per state: a breach of 1,200 people spread thinly across several states may trigger HHS and individual notice but no media notice.

Notice to Secretary of HHS

The Breach Notification Rule also requires covered entities to notify the Secretary of HHS of every breach of unsecured PHI; only the timing depends on the size of the breach. A breach affecting 500 or more individuals (in total, regardless of state) must be reported without unreasonable delay and no later than 60 calendar days after discovery, that is, on the same schedule as the individual notices.

Where fewer than 500 individuals are affected, the covered entity must log the breach and report it to the Secretary no later than 60 days after the end of the calendar year in which it was discovered. Each such breach is submitted as a separate report, not as one combined annual filing, so the log needs to capture the same details (dates, PHI types, counts, mitigation) at the time of the incident.

Business Associate Notification

If a breach occurs at or by a business associate, the business associate must notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery. In practice the business associate agreement should set a much shorter deadline, because the covered entity's own 60-day clock for notifying individuals does not wait: if the business associate is acting as the covered entity's agent, the covered entity is deemed to have discovered the breach when the business associate did, and a business associate that uses all 60 of its days leaves the covered entity no time at all.

HIPAA Breach Notification Should Include

For individual and media notices, the notification must be written in plain language and include:

  • A brief description of what happened, including the date of the breach and the date it was discovered, if known
  • A description of the types of unsecured PHI involved (for example, name, Social Security number, date of birth, diagnosis, or treatment information)
  • Steps the individual should take to protect against potential harm resulting from the breach
  • A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and protect against further breaches
  • Contact procedures for questions or additional information, which must include a toll-free telephone number, an email address, a website, or a postal address

Where a business associate is notifying a covered entity, it must:

  • Identify, to the extent possible, each individual whose unsecured PHI was or is reasonably believed to have been involved in the breach.
  • Provide any other information the covered entity needs in order to notify affected individuals, either at the time of the notification or promptly thereafter as it becomes available.

When notifying the Secretary of HHS, covered entities submit the Office for Civil Rights (OCR) online breach report form, choosing the version for breaches affecting 500 or more individuals or the version for breaches affecting fewer than 500 individuals. Reports of breaches affecting 500 or more individuals are posted on OCR's public breach portal, so the description submitted should be accurate and reviewed by counsel.

What Is the Correct Order of Steps that Must Be Taken if there Is a Breach of HIPAA Information?

  • Step 1: Take urgent incident response actions to stop any ongoing use or disclosure (revoke credentials, isolate affected systems, recall misdirected messages)
  • Step 2: Preserve and gather evidence (access logs, email records, device images, copies of the disclosed data) before remediation overwrites it
  • Step 3: Analyze the breach and perform the four-factor risk assessment, recording the date of discovery, because that date starts the 60-day clock
  • Step 4: Take containment, eradication, and recovery measures
  • Step 5: Notify individuals, the media, or the HHS Secretary, as the size and scope of the breach require, within the deadlines above
  • Step 6: Conduct post-incident analysis, update the risk analysis and policies, and retain all documentation for at least six years

Do all HIPAA Breaches Need to be Reported?

Apart from the three exceptions listed above, and incidents for which a documented risk assessment shows a low probability that the PHI was compromised, every breach of unsecured PHI must be reported. The rule also places the burden of proof on the covered entity or business associate: it must be able to show either that all required notifications were made or that the impermissible use or disclosure did not constitute a breach.

As a result, for every impermissible use or disclosure a covered entity (or business associate) should retain documentation showing that all required notifications were made, or the completed risk assessment and supporting evidence demonstrating that no notification was needed. Documentation, like other HIPAA records, must be kept for six years.


Understanding Your Responsibilities – Free eBook

The HIPAA Breach Notification Rule matters because it is the HIPAA-covered entity's responsibility to notify individuals, the media, and HHS about a data breach; a business associate's failure to report promptly does not shift that responsibility.

In addition, to reduce the likelihood of breaches, HIPAA-covered entities should maintain an up-to-date security risk analysis that identifies threats to protected health information, together with policies and procedures for securing it and for responding when an incident occurs.

For more information, read our free eBook to understand your obligations under the HIPAA Breach Notification Rule fully.

How do you notify a patient of a data breach?

You must notify every individual whose unsecured PHI was compromised in the breach without unreasonable delay and no later than 60 calendar days after discovering the breach. Send a written notification letter by first-class mail to the last known address, or send an email if the individual has previously agreed to receive notices electronically. If you lack current contact information for 10 or more individuals, use the substitute notice methods described above.

Who should be notified of a breach of unsecured protected health information?

The affected individuals, the Secretary of HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets in that state or jurisdiction. A covered entity must notify the Secretary of every breach of unsecured protected health information it discovers (45 C.F.R. § 164.408), and all such notifications are submitted through OCR's online breach reporting portal.

When must a breach be reported?

Under the HIPAA Breach Notification Rule you must notify affected individuals, and HHS for breaches of 500 or more individuals, without unreasonable delay and no later than 60 calendar days after discovering the breach. Breaches affecting fewer than 500 individuals are reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered, although the affected individuals must still be notified within 60 days of discovery.

What should you do first if you suspect PHI has been compromised?

Start with the incident response steps above: stop any ongoing disclosure, preserve the evidence, and record the date of discovery, since that date starts the 60-day notification clock. Then perform and document the four-factor risk assessment to determine whether the incident is a reportable breach. For breaches that affected the information of fewer than 500 people, covered entities must notify the Office for Civil Rights (OCR) within 60 days of the end of the calendar year in which the breach was discovered, and separate breaches must be reported separately, by incident.