HIPAA Breach! What now?

Breaches of protected health information (PHI) can range from minor incidents, such as accidentally disclosing a patient’s contact details, to major events like the recent ransomware attack on Change Healthcare. Given the potential impact of such breaches, it’s crucial to understand the notification requirements of the Health Insurance Portability and Accountability Act (HIPAA). Whether the breach is minor or major, the U.S. Department of Health and Human Services (HHS) provides clear instructions to guide your next steps, ensuring that you respond appropriately and promptly to protect affected individuals and comply with legal obligations.

What is a Breach?

A breach is an unauthorized use or disclosure of PHI that compromises its security or privacy, as defined by the Breach Notification Rule. A risk assessment determines if a breach has occurred by evaluating:

  • The nature and extent of the PHI involved
  • The unauthorized individual who accessed the PHI
  • Whether the PHI was actually viewed or acquired
  • The mitigation efforts by the covered entity (including home care agencies) or business associate

If the covered entity cannot demonstrate a low probability that the PHI has been compromised, the incident is presumed to be a breach.

Exceptions include:

  • Unintentional access or use of PHI by an employee or authorized individual within their scope of authority
  • Disclosure of PHI to an individual authorized to access PHI in general
  • Good faith belief that the unauthorized person could not access or retain the PHI

Notification Requirements

When a breach occurs, the covered entity must notify the affected individuals, HHS, and in some cases the media.

Individual Notification

Individuals must be notified without unreasonable delay, and no later than 60 days after the breach discovery. The notification should include:

  • A brief description of the breach
  • Types of information involved
  • Steps individuals should take to protect themselves
  • What the covered entity is doing to investigate the breach
  • Contact information for the covered entity

Notifications must be sent via first-class mail, or via email if the individual has agreed to receive electronic notices. If the entity is unable to reach 10 or more individuals, it must post the notice on its website for 90 days or use local media. A toll-free contact number must be provided for at least 90 days.

If a business associate is responsible, they must notify the covered entity within 60 days, and the covered entity must then notify the affected individuals.

HHS Notification

For breaches affecting 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after discovery. For breaches affecting fewer than 500 individuals, notification is required annually, no later than 60 days after the calendar year ends.

HHS maintains a list of recent HIPAA breach cases on its website. The list currently includes over 900 breaches reported within the last 24 months that are under investigation by the Office for Civil Rights.

Media Notification

For breaches affecting 500 or more individuals, notice must be given to prominent media outlets in the affected region. This can be in the form of a press release and must include the same information provided to individuals, issued without unreasonable delay but no later than 60 days after discovering the breach.

HCP Support

HCP encourages all members who are covered entities under HIPAA to review their breach response protocols before a breach happens. If you aren’t sure if you are a covered entity, the Centers for Medicare and Medicaid Services (CMS) has a helpful tool and a wealth of resources to aid you in being HIPAA compliant. Simply put, if you submit health services claims, you are a covered entity.

Note that business associates of covered entities must also be HIPAA compliant. See the CMS tool mentioned above for more information.