According to the HIPAA Breach Notification Rule, all covered entities and their business associates are required to report any breach of protected health information. It is essential to understand and implement all breach notification requirements or risk incurring financial penalties as high as $1,500,000 from state attorneys general and the HHS’ Office for Civil Rights.
What is a Breach?

A data breach is defined as the impermissible use or disclosure of protected health information. Breaches include unauthorized access by employees and third parties, improper disclosures, the exposure of protected health information, and ransomware attacks.
What are the HIPAA Breach Notification Requirements?

Below is a summary of the HIPAA breach notification requirements for covered entities and their business associates in the event of a breach:
Contact Individuals Impacted

- Any person who has had their protected health information accessed, used, or disclosed impermissibly must be notified of the breach.
- Any individual who may potentially have been affected by the breach must also be informed of the breach.
- Breach notification letters must be sent within 60 days of the discovery of a breach.
- Written notice of the breach must be submitted by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically.
- The notification must include a brief description of the breach, including the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a description of what the covered entity is doing to investigate the breach, mitigate the damage, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).
- Breach victims should also be provided with a toll-free number, postal address, and email address to contact the breached entity for further information.
Contact the Department of Health and Human Services

- Covered entities must notify the Secretary of the Department of Health and Human Services of any breach of unsecured protected health information.
- Covered entities notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form.
- If the breach affects more than 500 people, the notification to the HHS must be sent within 60 days of the discovery of the breach.
- If the breach affects fewer than 500 individuals, the covered entity may notify the HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
Inform the Media

- Covered entities that experience a breach affecting more than 500 individuals are required to provide notice to prominent media outlets serving the jurisdiction.
- The notification can be in the form of a press release to appropriate media outlets serving the affected area and must be provided no later than 60 days following the discovery of the breach.
Post a Breach Notice

- Covered entities are required to upload a substitute breach notice to their website and link to the notice from the home page if they do not hold correct contact information for 10 or more individuals affected by the breach. (The link to the breach notice should be displayed prominently and should remain on the website for a period of 90 consecutive days.)
- If the covered entity has insufficient contact information for fewer than ten individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
Business Associates

- Business associates must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.
- Business associates should provide the covered entity with the identification of each individual affected by the breach, as well as any other available information the covered entity is required to provide in its notification to affected individuals.
- Business associates must also comply with all of the HIPAA breach notification requirements and can be fined directly by the HHS’ Office for Civil Rights and state attorneys general for a HIPAA Breach Notification Rule violation.
State Breach Notification

- U.S. states have their own breach notification laws.
- Typically, a notice must be submitted to the state attorney general’s office. Some states require breach notifications to be issued well within the HIPAA deadlines.
- It is essential to stay up to date on your local state breach notification laws.
Exceptions to the Definition of a Breach

The three exceptions include:

- The first exception applies to the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if the activity was done in good faith and within the scope of authority.
- The second exception applies to the inadvertent disclosure of PHI by a person with authorized access.
- The third exception applies if the covered entity or business associate has a legitimate belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
For further information or assistance on breach notification requirements, contact the experts at MedSafe for a free consultation. MedSafe is the nation's leading one-stop resource for outsourced safety and health compliance solutions in healthcare.

Toll-free: (888) MED-SAFE
www.medsafe.com