The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects sensitive patient data from unauthorized access or disclosure. It focuses on the security and privacy of Protected Health Information (PHI), which includes 18 identifiers that can tie a healthcare record to a specific patient. Since this information could negatively impact patients, especially if it falls into the wrong hands, HIPAA requires all “covered entities” and their business associates to protect its integrity and confidentiality.
The Breach Notification Rule requires all covered entities to identify and notify a breach when there’s an impact on the privacy and security of a PHI. Moreover, HIPAA imposes stringent fines of thousands of dollars if the violation is deemed due to wilful neglect.
In this article, we will look into the steps involved in reporting and mitigating these breaches under HIPAA.
But before that, we’ll look into what constitutes a breach under HIPAA.
What is a Breach?
A breach is an impermissible use or disclosure of PHI that can impact the security and privacy of the concerned patient. However, the responsibility is on the covered entity or its business associates to prove that the breach was of low impact and will not have negative implications for an individual.
The following four factors are useful for evaluating the risks associated with a breach:
- The types of identifiers in a PHI and their potential to identify a patient.
- The unauthorized person who had access to the PHI.
- The actual viewing of the PHI.
- Measures that were taken to mitigate the impact.
Based on these aspects, a covered entity can determine the impact of a breach. Also, the disclosed PHI must be unsecured, which means no encryption or other technical controls are available to make it unreadable. In other words, if the disclosed PHI was encrypted, it does not constitute a breach.
Moreover, the below three exceptions do not constitute a breach:
- If an employee of a covered entity or its business associate had accessed the PHI, and if it was within the scope of authority and required to perform the employee’s work duties.
- When the PHI was transmitted from one business associate to another business associate of the same covered entity. However, the further usage of PHI must be according to HIPAA’s Privacy and Security rules.
- If the unauthorized recipient of the PHI cannot retain the information.
If the covered entity can prove any of these exceptions, no further action is necessary.
However, if the disclosed PHI does not meet any of the above guidelines, the covered entity and the business associate involved must report it.
Breach Notifications
In case of a breach, the covered entity must notify the individual patient who was affected, the media provided the breach impacts more than 500 residents in a jurisdiction, and the Secretary. Let’s dive into the rules for each notification.
Notice to Individuals
Covered entities must inform the concerned patients whose PHI was impacted. This notification must be in written form and sent by first-class mail. Alternatively, if the patient had opted to receive electronic communication through email, the covered entity must email this information to the provided ID.
Suppose the covered entity does not have the right contact information for 10 or more impacted individuals. In that case, a general notice must be posted on the entity’s website for 90 days and, it must also send a notice to a major media outlet operating in that jurisdiction. Also, a toll-free number must be made available for 90 days to enable patients to know if their record was breached.
These individual notices must be sent within 60 days from the date on which the breach was discovered.
The notification must include:
- A brief description of the breach.
- Description of the information involved in the breach.
- Steps the individual must take, like changing their password.
- A brief description of what the entity is doing to mitigate the damage and to prevent further breach.
- Contact information of the covered entity and business associates, where required.
Notice of Media
When the breach involves more than 500 patients within a state or jurisdiction, you must provide a notice to media outlets serving that area. Like the individual notice, this media notice must also be sent within 60 days.
Notice to the Secretary
Besides notices to individuals and the media, covered entities must also notify the Secretary. To do this, head to the HHS website and fill out the form. If the breach exceeds 500 individuals, the Secretary must be informed within 60 days. Otherwise, the breach can be a part of the annual breach report.
Note that if the breach occurs at the premise of a business associate or happens due to this entity’s negligence, the covered entity and this business associate must follow the reporting procedures.
Thus, these are the steps to follow if there’s a breach in your organization that impacts PHIs.
Final Words
In all, HIPAA has specific rules for notifying breaches to the concerned patients and authorities. Moreover, the covered entities must take appropriate measures to mitigate the impact of these breaches. In this article, we looked at the steps you must take when you identify a breach. We hope this information helps with compliance.