What are the HIPAA Breach Notification Requirements?

The HIPAA breach notification requirements are the processes and procedures that must be followed by a HIPAA covered entity (and, in some cases, by a HIPAA business associate) when unsecured Protected Health Information in any format is disclosed impermissibly. The Department of Health and Human Services (HHS) has published guidance about determining when an impermissible disclosure constitutes a breach, and the information below is assembled from the standards published by HHS in Part 164 Subpart D of the HIPAA Administrative Simplification Regulations.

When a reportable HIPAA breach occurs, the covered entity and its business associates need to comply with the notification requirements set forth in the HIPAA Rules. Here’s a summary of the breach notification requirements:

1.       Notify the individuals who were impacted or potentially impacted by the data breach.

Each person must be sent a notification letter within 60 days of the breach discovery. Breach notifications may be delayed when law enforcement has granted a request to delay notifications.  Notification letters should be sent via first class mail to the breach victims’ last known address. Notification can be sent via email if concerned individuals have given proper authorization.

The notification letters should be written in plain language and should include:

• an explanation of what happened
• the information exposed or stolen
• the response or corrective action taken by the covered entity
• the summary of actions that will be taken to avoid future breaches
• the advice on what breach victims can do to limit potential harm
• the breached entity’s toll-free number, postal address and email address for further information  

2.       Notify the Department of Health and Human Services via the Office for Civil Rights Breach Reporting tool.

When the number of individuals impacted by a breach is more than 500 persons, notification to the HHS must issued without unnecessary delay within 60 days from the discovery of the breach. When the impacted individuals  is no more than 500, the notification should be issued within 60 days of the end of the calendar year when the breach was discovered.

3.       Notify the media if the breach involved the unsecured PHI of more than 500 individuals.

Failure to notify the media is a violation of the HIPAA Breach Notification Rule. Covered entities must report the breach to the prominent media outlets in the breach victims’ state and area of residence. This requirement ensures that all breach victims, especially those lacking up-to-date contact information, are made aware of the potential exposure of their sensitive data. Media notification should be issued within 60 days of breach discovery.

4.       Post a Substitute Breach Notice on the Covered Entity’s Website

If 10 or more breach victims do not have up-to-date contact information with the covered entity, it is required to have a substitute breach notice posted on the covered entity’s website for 90 consecutive days. If fewer than 10 breach victims lack up-to-date information, a substitute notice like a written notice or telephone notice is enough.

For business associates of HIPAA-covered entities, when a breach of unsecured PHI occurs, it must be reported to the covered entity without unnecessary delays up to 60 days from the breach discovery. The covered entity will issue the notifications to individual victims, so it will need details form the business associate. Breach notifications should be issued rapidly, the complete details can follow when the investigation is complete. The terms of a HIPAA-compliant business associate agreement (BAA) may require the business associate to issue the notifications to the impacted persons.