Despite the Health Insurance Portability and Accountability Act of 1996 being one of the most vital pieces of legislation to affect the healthcare sector, many healthcare providers and insurance companies are unfamiliar with HIPAA requirements, specifically those that refer to the HIPAA Breach Notification Rule.
There has been major criticism of healthcare suppliers and insurers in recent months in relation to the speed at which individuals harmed by data breaches are alerted that their healthcare data and personal information has been obtained, lost or divulged to an unauthorized person.
Due to this, and given the rise in the amount of HIPAA data breaches recently, we have completed a summary of the important facets of the HIPAA Breach Notification Rule to assist healthcare organizations respond faster to data breaches and remain HIPAA-compliant.
HIPAA Breach Notification Rule Summary
HIPAA Rules set standards which healthcare groups and other covered bodies must adhere with in order to minimize the potential for patient data being accessed improperly; however even with the most intricate of data security systems, it is still possible for unauthorized people to access computer systems. A quick look at the recent hack of the Pentagon’s Twitter account shows that no group is immune to attack.
If your organization has been inflicted with a data breach, the measures that must be taken depend on the specific nature of the data breached and the number of people affected:
HIPAA Breaches Affecting More than 500 Individuals
If a HIPAA data breach occurs which exposes the PHI of more than 500 people, the Department of Health and Human Services’ Office for Civil Rights (OCR) must be alerted “without unreasonable delay”, and certainly in less than 60 days following discovery of the breach. The report should be submitted via the OCR Breach reporting web portal. Breach Notifications must also be mailed to all affected people – see the section below.
Releasing Notification of the Breach to the Media
A major media source serving the state in which those affected by the breach are located must be advised of a data breach affecting more than 500 individuals, and that notice must be sent less than 60 days after discovery of the breach.
Company Website Posting of Breach Details
While it is not required to post information relating to the breach on the company website for all violations, if more than 10 individuals cannot be alerted due to incomplete contact information or if there is out of date contact details, a notice must be posted prominently on the company website for a duration of 90 days, or if this method of notification is not selected, the organization must publish the information via major print and broadcast media. A tollfree telephone number must also be supplied to enable breach victims to contact the group with any questions.
HIPAA Breaches Affecting Fewer than 500 Individuals
HIPAA data breaches involving less than 500 individuals require alerts to be sent to all affected people without unreasonable delay, and within 60 days of the identification of the breach. The media does not need to be advised of these small-scale data breaches, even when they include the compromising of Social Security numbers and healthcare information.
The Department of Health and Human Services’ Office for Civil Rights (OCR) must be told of all sub-500-record data breaches in less than 60 days from the start of the new calendar year. I.e. data breaches happening on January 1 would not need to be reported to the OCR until March 2nd of the subsequent year.
Business Associates Responsible for HIPAA Data Breaches
Any Business Associate that finds they have caused a breach of PHI must alert the covered entity of the incident no later than 60 days after the identification of the breach. Efforts should be made to find the individuals harmed as well as the data that was compromised in the breach.
Sending of Breach Notification Letters
When a HIPAA breach does happen, all covered entities, including their Business Associates, must to notify all affected people that their Protected Health Information has been accessed or exposed, whether it was due to a hacking attack, a lost laptop or Smartphone, or any other device that stored unencrypted PHI. The HIPAA Breach Notification Rule also applies to paper trails, x-ray films and all other physical records including PHI. The loss, theft or disclosure of these details also obligates that the affected individuals to be alerted.
Breach notification letters must be issued using first class post, although in instances where individuals have agreed to receive correspondence via email, this is an acceptable means of communication. The notification letters – or emails – must incorporate details of the breach, the information that was possibly exposed, a description of the steps taken by the company in reaction to the breach, information on the attempts made to mitigate damage or loss and the actions which can be taken by individuals to minimize risk.
HIPAA Breach Notification letters must be issued if the healthcare supplier, Health Plan, Business Associate or other covered body can show that there is a danger that PHI has been accessed, or could potentially be accessed. Breach notification letters can be sent without a risk assessment having first been completed, although the option not to send notification letters should only be taken after a thorough risk assessment has been completed. This must include these points:
- The variety of data exposed and the chance of a patient or plan member being identified from the data
- The person who has obtained the data /information and to whom they have given the information
- The potential of PHI being accessed, viewed and/or disclosed
- The extent to which any potential damage has been lessened
If a portable device or desktop computer has gone missing or being taken illegally, it is only considered a HIPAA breach – and therefore only necessitates breach notification letters to be issued – if the PHI held on the device, or accessible through it, is unencrypted. In the event of loss or theft of encrypted devices, breach notification letters only need to be transmitted if the security key was also lost or taken.
N.B. Password protection is different to data encryption. In the event of loss or theft of devices holding password protected PHI, breach notifications will still need to be transmitted.
Record of Steps Taken
All covered entities must have a record of the steps taken following a HIPAA breach, as these may be requested by OCR auditors. The HIPAA Breach Notification Rule requires information regarding the breach notification letters that have been sent to be recorded, along with proof that they have indeed been issued.
If breach notification letters are thought not to be needed, the reason for this decision, along with proof to support it, must be recorded.
HIPAA Breach Notification Rule Violations Penalties
Failure to issue breach notification letters in less than 60 days of the discovery of a breach is a violation of the HIPAA Breach Notification Rule and can see a penalty from OCR and state attorneys general being applied. The highest penalty for non-compliance is $1.5 million, per violation category, per calendar year.
While the HIPAA Breach Notification Rule requires that notifications must be issued in less 60 days from the discovery of a breach, unnecessarily delaying breach notifications is also a violation of the HIPAA Breach Notification Rule and could result in a financial penalty. The HIPAA Breach Notification Rule stipulates that notifications must be transmitted “without unreasonable delay.”
The OCR, in 2017, took steps to pursue a case against Presense Health for delaying the sending of breach notification correspondence. Presense Health identified the HIPAA breach on October 22, 2013, yet OCR was alerted on January 31, 2014 – longer than a month after the 60-day HIPAA Breach Notification Rule deadline had ended. Presense Health settled the case for the HIPAA breach for $475,000.
HIPAA Breach Notification Rule Additional Information
For more detailed information on the HIPAA Breach Notification Rule visit the HHS website.