A Summary of the HIPAA Breach Notification Rule

The Health Insurance Portability and Accountability Act, commonly know as HIPAA, has probably been the most significant set of regulations to impact the healthcare industry since it first came into law in 1996. Despite this, there are still a number of insurers and healthcare providers that do not fully understand their requirements under HIPAA, especially the actions required by them under the HIPAA Breach Notification Rule.

Insurers and healthcare providers have recently come under fire following their reactions to data breaches and the time it took them to notify affected patients that data had been lost or divulged to unauthorized persons.

To assist covered entities in fulfilling their obligations under HIPAA and notifying affected individuals more quickly, particularly in light of the recent increase in data breaches, we have compiled a summary of the HIPAA Breach Rule’s key points.

A Summary of the HIPAA Breach Notification Rule

Covered entities and healthcare providers must comply with HIPAA regulations to limit the risks of divulging patient information. Even when robust security measures are in place, unauthorized persons can still gain access to data. The Pentagon’s Twitter account was recently hacked, which just goes to show how vulnerable digital systems can be to attack.

Should a data breach occur at your organization, the scale of the breach and type of data released determine the correct response to take.

Breaches Affecting More Than 500 People

Data breaches that divulge the PHI of 500 individuals or more must be reported to the Department of Health and Human Services’ Office for Civil Rights “without unreasonable delay” and within 60 days of discovering the breach. Reports should be made through the OCR Breach Portal. All individuals impacted by the breach must also be notified by Breach Notification Letters as outlined below.

Issuing Notifications of Breaches to the Media

A prominent media source which serves the state where the affected individuals are located must be alerted when breaches occur that affect more than 500 people. They must be alerted within 60 days of discovering the breach.

Posting of Breach Details to the Company Website

Not all breaches are required to be visible on the company website, however in cases where ten or more people cannot be contacted as a result of incomplete or out of date contact information, there is an option to to either publish information of the breach in a prominent position on the website for 90 days or to publish the information through major broadcast or print media. The company must also provide a toll free telephone number which affected individuals can use to contact for them more information.

Breaches Affecting Fewer Than 500 People

Where breaches occur that affect fewer than 500 people, a notification must be sent to each person without unreasonable delay and within 60 days of discovering the breach. Small scale breaches do not require media notification, even if sensitive data such as Social Security numbers have been divulged.

Breaches affecting fewer than 500 people must still be reported to the Department of Health and Human Services’ Office for Civil Rights, however there is a much longer reporting period allowed. The notification must be made within 60 calendar days after the start of the following year. This means, for example, that a breach that took place on January 1, 2017, would only need to be reported to the Office before March 2, 2018.

Business Associates Responsible for Data Breaches

If a Business Associate discovers that they have caused a PHI breach, their associated covered-entity must be notified within 60 days of discovering the breach. The affected individuals should be identified in-so-far-as-possible, as well as the data that was divulged.

Issuing Breach Notification letters

Should a breach occur, covered entities and business associates must notify the impacted people that their PHI was released and also how the breach occurred; via a hack; a lost or stolen laptop or smartphone; or other device containing unencrypted PHI. Documents, x-rays, and other physical copies of PHI are also covered by the HIPAA Breach Notification Rule and if any of these are lost, stolen, or divulged, the affected people must similarly be notified.

If individuals have not indicated that they are willing to receive communications by email, then Breach Notification Letters must be sent as first class mail items. Otherwise, email can be used to notify of PHI breaches. However the notification is sent, electronically or physically, the same information must be included: details of the breach, which information may have been accessed or released, a summary of the company’s response to the breach, details of action being taken to reduce harm or losses caused by the breach, and courses of action people can follow to reduce risk.

These letters must be sent in cases where the covered entity has evidence that PHI has been accessed or may have been accessed. Letters can be sent before risk assessments have concluded or have begun, but choosing to not send Breach Notification Letters can only be done following the completion of a robust risk assessment study. Such an assessment must examine:

  • What kind of data has been exposed and how likely an individual is to be identified from this data
  • Who accessed the data and who they may have shared it with
  • The likelihood that PHI could be accessed, viewed, or transferred
  • The degree to which any potential harm has been reduced

Should a mobile device or computer be misplaced or stolen, the event is only deemed a HIPAA breach warranting Breach Notification Letters if the PHI stored on the device or that can be accessed through the use of the device is unencrypted. In the event where encrypted devices are lost or stolen, letters are only required if the security key has also been lost or taken.

It should be noted that data protected by passwords is not the same as data that has been encrypted. If the data is only protected by passwords, Breach Notification Letters must be sent.

Documentation of Actions Taken

Covered entities are required to log all actions taken in the wake of a breach in case they are requested by OCR auditors. To comply with the Breach Notification Rule, the details of the any sent Notification Letters must be noted, as well as proof that the letters were actually sent.

Should it be judged that the issuance of Breach Notification Letters is not required, documentation and information to justify this course of action must be available.

Penalties for Violating HIPAA Breach Notification Rule

If no Breach Notification Letter has been sent once a period of 60 days following the discovery of the breach has passed, this constitutes a HIPAA Breach Notification Rule violation and may lead to sanctions from the OCR or state Attorneys General. Non-compliance carries a maximum penalty of $1.5 million per category violation per calendar year.

Even in cases where the 60 day period following discovery has not elapsed, any unnecessary delay in issuing Breach Notifications is a violation of the HIPAA Breach Notification Rule and may lead to sanctions. The HIPAA Breach Notification Rule states that notifications must be issued “without unreasonable delay”.

One such case where a company was fined due to delaying the issuance of a Breach Notification occurred in 2017. Despite discovering a breach on October 22, 2013, Presense Health did not notify the OCR until January 31, 2014 – over 100 days after the discovery and over 40 days past the 60 day limit. OCR opened a case against Presense Health which was settled for $475,000.

Further Information on the HIPAA Breach Notification Rule

Further information can be found on the HHS website.