No matter how well prepared an organization is for cyber threats, a data breach remains possible. Under the Health Insurance Portability and Accountability Act (HIPAA), a “breach” is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information” (US Department of Health and Human Services).
An impermissible use or disclosure essentially means protected health information (PHI) being exposed to, or seen by, people who are not supposed to have access to it. Such an incident is presumed to be a breach unless the organization can show, through a documented risk assessment, that there is a low probability the PHI was compromised. That is where the HIPAA Breach Notification Rule comes into play. Once an organization discovers that unsecured PHI has been exposed, it is responsible for notifying all affected parties and following every part of the breach rules (45 CFR §§ 164.400-414).
Ignoring this rule puts patient data at greater risk and results in costly violation fines and penalties. HIPAA violations range from $100 to $50,000 per violation with a maximum of $1.5 million per year.
Breach Notification Rule
HIPAA’s Breach Notification Rule is intended to promote transparency and clarity when PHI is mishandled or stolen. In addition to a clear definition of what constitutes a breach, the rule also spells out three situations that are not considered breaches:
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate, provided it was made in good faith, within the scope of that person’s authority, and the information was not further used or disclosed impermissibly.
- Inadvertent disclosure by a person authorized to access PHI at the covered entity or business associate to another person authorized to access PHI at the same organization, provided the information is not further used or disclosed impermissibly.
- “A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.”
Performing a HIPAA Breach Notification
There are three separate notifications a covered entity may need to issue after a breach of unsecured PHI (a business associate that discovers a breach must first notify the covered entity, 45 CFR § 164.410):
- the individuals affected
- the media
- the Secretary of HHS
Note: In the event that law enforcement believes a breach notification would hinder an investigation, timelines and potentially the notifications given may change.
Notifying Individuals of a Breach
Any covered entity suffering a breach of unsecured PHI is required to notify every individual affected. Notice must be given without unreasonable delay and in no case later than 60 calendar days after the breach is discovered (the 60-day clock starts on the first day the breach is known, or reasonably should have been known, to the entity), except where a law enforcement delay applies.
Required Elements of an Individual’s Breach Notification
There are five required elements laid out in section 45 CFR § 164.404 of the law. They include:
- A description of the breach (dates, what happened, etc.)
- Types of data included in the breach
- Steps individuals should take
- Describe actions being taken by the entity concerning the breach
- Contact details which must include a toll-free phone number, email, website, or mailing address.
Note: The entire notification is required to be in “plain language.” In other words, language that’s easily understood by a layperson, without industry or legal jargon.
All of this information is sent to each individual’s last known mailing address via first-class mail. If an individual has agreed to receive electronic notices, email delivery is acceptable. Where contact information is insufficient or out of date, the rule requires substitute notice (for example, a conspicuous posting on the entity’s website or notice in major media, plus a toll-free number, when 10 or more individuals cannot be reached).
Notification of the Media
When a breach affects more than 500 residents of a single state or jurisdiction, prominent media outlets serving that state or jurisdiction must be notified, again no later than 60 calendar days after discovery (45 CFR § 164.406). The content of this notice follows the same requirements as the individual notice described above.
Notification of the HHS Secretary
How and when the Secretary of HHS is notified depends on the size of the breach (45 CFR § 164.408):
- Breaches of 500 or more individuals: the Secretary must be notified contemporaneously with the individual notices, that is, without unreasonable delay and no later than 60 calendar days after discovery, using the same notice content required for individuals and the media.
- Breaches of fewer than 500 individuals: the entity must log each such breach and submit the log to the Secretary once per year, no later than 60 days after the end of the calendar year in which the breaches were discovered.
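The thresholds and deadlines above can be turned into a simple decision helper that, given a discovery date and a per-jurisdiction count of affected individuals, says which notices are owed and by when. The code below is an added example written for this page, not text from the rule or from HHS; the `Breach` dataclass, the function names, and the way a written law-enforcement delay request is modelled as a single “delay until” date are this example’s own assumptions, and the sample breaches are constructed inputs.

```python
"""Decision helper for HIPAA Breach Notification Rule obligations
(45 CFR 164.404, 164.406, 164.408, 164.412). Added example, not the
page's or HHS's own code; names and the delay model are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

OUTER_DEADLINE_DAYS = 60        # "no later than 60 calendar days after discovery"
HHS_IMMEDIATE_THRESHOLD = 500   # 164.408(b): 500 or more individuals
MEDIA_THRESHOLD = 500           # 164.406(a): more than 500 residents of a State/jurisdiction


@dataclass
class Breach:
    # Discovery = first day the breach is known, or by exercising reasonable
    # diligence would have been known, to the entity (164.404(a)(2)).
    discovered: date
    # Constructed input: affected individuals per state/jurisdiction.
    affected_by_jurisdiction: dict[str, int] = field(default_factory=dict)
    # Assumption: a written law-enforcement request names the date until which
    # notice must be delayed (164.412(a)); None when no such request exists.
    law_enforcement_delay_until: Optional[date] = None


def total_affected(breach: Breach) -> int:
    return sum(breach.affected_by_jurisdiction.values())


def notice_deadline(breach: Breach) -> date:
    """Outer limit for individual, media and contemporaneous HHS notice."""
    deadline = breach.discovered + timedelta(days=OUTER_DEADLINE_DAYS)
    delay = breach.law_enforcement_delay_until
    if delay is not None and delay > deadline:
        deadline = delay   # a law-enforcement delay can only push the date out
    return deadline


def media_jurisdictions(breach: Breach) -> list[str]:
    """Jurisdictions whose prominent media outlets must be notified."""
    return sorted(j for j, n in breach.affected_by_jurisdiction.items()
                  if n > MEDIA_THRESHOLD)


def hhs_obligation(breach: Breach) -> tuple[str, date]:
    """('contemporaneous', deadline) for 500 or more individuals; otherwise
    ('annual_log', due), the log being submitted no later than 60 days after
    the end of the calendar year of discovery (164.408(c))."""
    if total_affected(breach) >= HHS_IMMEDIATE_THRESHOLD:
        return "contemporaneous", notice_deadline(breach)
    year_end = date(breach.discovered.year, 12, 31)
    return "annual_log", year_end + timedelta(days=OUTER_DEADLINE_DAYS)


def notification_plan(breach: Breach) -> dict:
    """Everything the response team needs to schedule, in one place."""
    kind, when = hhs_obligation(breach)
    media = media_jurisdictions(breach)
    return {
        "individuals_by": notice_deadline(breach),
        "media": media,
        "media_by": notice_deadline(breach) if media else None,
        "hhs": kind,
        "hhs_by": when,
    }


if __name__ == "__main__":
    # Constructed sample breaches (not real incidents).
    large = Breach(date(2024, 1, 10), {"CA": 600, "NV": 20})
    small = Breach(date(2024, 5, 1), {"TX": 400},
                   law_enforcement_delay_until=date(2024, 8, 1))
    for b in (large, small):
        print(total_affected(b), notification_plan(b))
```

Two details worth noticing: the media threshold is per jurisdiction (more than 500 residents of one state), while the HHS threshold is the total across all jurisdictions (500 or more), so a breach spread thinly across many states can require HHS notice without any media notice; and a law-enforcement delay moves the deadline only later, never earlier.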
Preparing for a Breach
No one wants a breach to occur. Still, it is best practice to be prepared in the event that patient data is compromised. There are several things a provider should do in preparation:
- Review the law: Reading the actual law and consulting with an expert about it is great preparation before a breach occurs.
- Train employees: Privacy is everyone’s responsibility and the legal requirements should be known by all. In the event of a breach, one of an entity’s employees could be the one to discover that data is compromised. They should be trained to know what to do.
- Create a plan: Putting together a response plan, including delegating responsibilities would decrease confusion if an event occurs.
Preparing for a breach, even alongside the most secure data protection software and policies, keeps interruption to a minimum and makes full compliance with the law achievable under deadline pressure. Every organization that falls under HIPAA should have a plan in place for a data compromise.