Hipaa Breach Notification Rule: Guidelines and Procedures

The HIPAA Breach Notification Rule is a crucial aspect of healthcare data protection. The rule requires covered entities to notify individuals, the media, and the Department of Health and Human Services (HHS) in the event of a breach.

A breach is defined as the unauthorized disclosure, use, or acquisition of protected health information (PHI). The rule applies to breaches of 500 or more individuals.

Entities must notify individuals affected by the breach without unreasonable delay and in no case later than 60 days after discovery of the breach.

The HIPAA Breach Notification Rule is a set of standards that require covered entities and their associates to inform individuals whose information might have been leaked. This rule is found in Sections 164.402-414 of the Code of Federal Regulations (CFR).

The main goal of the Breach Notification Rule is to protect individuals by allowing them to take steps to protect themselves from potential identity theft or fraud. This can include monitoring their credit reports or placing a freeze on their accounts.

To achieve this goal, the rule mandates that patients whose information is exposed have the right to be informed about it. This notification allows them to take action and protect themselves.

The rule also increases accountability by requiring covered entities and business associates to report breaches. This encourages them to prioritize data security and take measures to prevent breaches from happening in the first place.

Here are the key steps involved in the Breach Notification Rule:

The HHS’s Office for Civil Rights (OCR) investigates violations to the rule, and they tend to prioritize breach cases involving 500+ patient records.

If a security incident occurs, it's essential to report it to the right people right away. All security incidents involving System Administration Electronic Information Security Resources, including data, that may involve Sensitive Personal Data or PHI (collectively Protected Data) should be reported to the System Administration Information Security Officer. This report must be made in addition to any reporting required in the System Administration's information security policies or other applicable policies.

The ISO must report all such incidents to the HIPAA Privacy Officer immediately. If the ISO is absent, the ISO's designee must report it instead. The ISO must also notify the Chancellor without delay of any reported security incident involving Protected Data in electronic form that, upon preliminary investigation, could constitute a breach involving 200 or more individuals.

Each office or department within System Administration must require its workforce members to immediately report any incident upon discovery to the Privacy Officer or System Administration's Information Security Officer, as applicable. They must not conduct internal investigations prior to or delay timely notification of the Privacy Officer or System Administration's Information Security Officer.

Here's a summary of who needs to be notified and when:

Notification Procedures are a crucial part of the HIPAA Breach Notification Rule. You have 60 days to notify individuals after discovering a breach of unsecured protected health information (PHI).

The notification must be provided promptly and in clear, understandable language. It should include a concise description of the incident, detailing the dates of the breach and discovery (if known) alongside the types of unsecured PHI involved.

A written notice is the preferred method of notification, sent by first-class mail to the individual's last known address. Electronic notification can be used if the individual has previously agreed to receive communications electronically.

If the covered entity has outdated or insufficient contact information for individuals, a substitute form of notice should be used. This includes alternative methods like certified mail, phone calls, or other reasonable means for breaches affecting fewer than 10 individuals.

For breaches impacting 10 or more individuals, substitute notice requires a toll-free phone number that remains active for at least 90 days.

In urgent situations, additional notification can be provided by phone or other appropriate means on top of the standard written notice.

Here's a summary of the notification methods:

The notification must also include contact information for inquiries or further details, including a toll-free phone number, email address, website, or mailing address. This contact information should remain active for at least 90 days.

Remember, notification is not just about informing individuals, but also about taking responsibility for the breach and providing support to those affected.

Exceptions and Exemptions are crucial to understanding the HIPAA Breach Notification Rule. The rule acknowledges that not all incidents of unauthorized access or disclosure of PHI constitute a breach.

There are three breach exceptions that fall under the definition of a breach, yet HHS extends grace to them. These exceptions are unintentional access or use of PHI by an employee, made in good faith and within the scope of their authority, accidental disclosure of PHI between authorized persons, and the organization confidently believes that the person who obtained or accessed the PHI will not retain or compromise the data.

Here are the three breach exceptions in a concise list:

These exceptions can be a huge relief for covered entities, as they can help avoid costly and time-consuming notifications.

Exceptions can be a game-changer for covered entities and business associates under HIPAA. There are three scenarios that don't qualify as a breach, giving them a free pass.

The first exception occurs when an authorized individual unintentionally accesses or uses PHI within the scope of their duties, without further disclosing it improperly. This can happen when someone mistakenly opens an electronic medical record while searching for a patient's file.

The second exception applies when PHI is inadvertently disclosed to another authorized person within the same covered entity or business associate, and the information is not further disclosed improperly. For example, a nurse might forward lab results to another doctor in the hospital, who promptly notifies the nurse and deletes the email.

Inability to retain PHI is the third exception, which occurs when a covered entity reasonably believes that an unauthorized recipient would not have been able to retain PHI. This can happen when a hospital mistakenly sends discharge paperwork to the wrong address, but the package is returned unopened by the postal service.

Here are the three exceptions in a nutshell:

In cases where a HIPAA-covered entity is unsure whether PHI has been compromised, a proper risk assessment must be conducted to determine if there's a "low probability" of compromise.

The HHS specifies four factors to be evaluated in this assessment. The first factor is the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

The unauthorized person who used the PHI or to whom the disclosure was made is also a crucial factor to consider. This could be an individual or an organization.

The third factor is whether the PHI was actually acquired or viewed. If the PHI was only accessed but not viewed or acquired, the risk may be lower.

The extent to which the risk to the PHI has been mitigated is the fourth and final factor to be evaluated. This could be due to encryption, secure storage, or other measures taken to protect the PHI.

Here are the four factors to be evaluated in determining the "low probability of compromise" condition:

A business associate is responsible for notifying a covered entity about a data breach involving unsecured ePHI as soon as possible, but no later than 60 days after discovering it.

If a business associate discovers a breach, they must notify the covered entity about it, even if it was caused by one of their employees, officers, or agents.

The business associate must attribute knowledge of the breach to themselves, even if it was caused by someone else, if any of their employees, officers, or agents were aware of it or should have reasonably been aware with proper effort.

A business associate must provide the covered entity with a list of affected individuals, if possible, which means identifying everyone whose unsecured PHI may have been accessed, acquired, used, or disclosed during the breach.

The business associate should also provide the covered entity with any other relevant information they have that the covered entity would need to notify affected individuals under the Breach Notification Rule.

Here's a summary of the steps a business associate must take:

After the business associate provides the necessary information, the covered entity is responsible for complying with the Breach Notification Rule, which includes notifying affected individuals, notifying HHS, and potentially contacting the media.

The timeline for reporting a breach under the HIPAA Breach Notification Rule is crucial to avoid fines from the OCR. Covered entities must send notifications to affected individuals within 60 days of discovery of the breach.

If a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security, the notification can be delayed. However, this delay must be documented in writing and acknowledged by the requesting law enforcement authority.

The burden of proof falls on the covered entity or business associate to demonstrate that all notifications were made as required under the HIPAA Breach Notification Rule. This includes evidence demonstrating the necessity of any delay.

Here's a summary of the timeline for reporting a breach:

Under the Breach Notification Rule, covered entities have to keep in mind that they are responsible for understanding HIPAA-related breaches.

Covered entities have to keep in mind that they are responsible for complying with the Breach Notification Rule in the event that their organization faces a PHI breach.

The Breach Notification Rule requires covered entities to understand the technicalities of the rule, including the requirements of the Breach Notification Rule.

To comply with the rule, covered entities need to be aware of the importance of the Breach Notification Rule in protecting PHI.

Understanding HIPAA-related breaches is crucial for covered entities to comply with the Breach Notification Rule and avoid any potential consequences.

To avoid a fine from the OCR, healthcare providers must send notifications to affected individuals within 60 days of discovery of the breach.

The rule specifies that breached organizations shouldn't have an unreasonable delay in notifying affected parties.

Notifications to affected individuals must be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.

The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this part.

If a law enforcement official determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed.

The delay must be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under § 164.528(a)(2).

Notifications to the Federal Trade Commission must be provided contemporaneously with the notice required by the rule, involving the unsecured PHR identifiable health information of 500 or more individuals.

When a breach occurs, timely notification is crucial. All security incidents involving System Administration Electronic Information Security Resources must be reported to the System Administration Information Security Officer immediately.

The ISO must then report the incident to the HIPAA Privacy Officer within the same timeframe. This report must be made in addition to any other reporting required by System Administration's information security policies.

System Administration's offices of the Chancellor and Public Affairs must receive advance notice prior to notification of affected individuals, the System Administration community, the media, or HHS, to enable them to prepare to respond effectively to inquiries. The Privacy Officer is responsible for reporting breaches to HHS, while the Office of Public Affairs handles media notifications.

Here are the key reporting deadlines:

As a covered entity, you're required to follow specific administrative requirements when dealing with patient data privacy under the HIPAA Breach Notification Rule. This includes implementing a program to train your workforce on HIPAA Privacy Rule requirements.

You must also have a process for patients to submit complaints about how their PHI is handled. This includes designating a contact person or office to receive complaints and having a clear procedure for investigating and responding to them.

To mitigate any potential harm caused by unauthorized disclosures of PHI, you must have a plan in place. This could involve notifying affected patients, taking steps to prevent future breaches, and reporting the incident to the HHS.

You're required to provide patients with different ways to request confidential communications about their PHI. This could include allowing them to request information by physical mail or through a secure online portal.

Covered entities must document their HIPAA Privacy Rule compliance efforts. This includes maintaining records of workforce training, complaints received, and any actions taken in response to violations or breaches.

Here's a summary of the administrative requirements outlined in section 164.530:

The burden of proof falls on the covered entity or business associate if a patient's information is used or disclosed in a way that violates HIPAA rules. The responsible party must show that it properly notified everyone as required by HIPAA, or that the incident did not qualify as a data breach under the definition in 164.402.

If you're a covered entity, you need to report breaches of unsecured PHI to HHS within 60 days after the end of the calendar year in which the breach was discovered.

The deadline for reporting breaches affecting fewer than 500 individuals is a crucial one, and it's essential to keep track of it to avoid any potential issues.

You'll need to submit your report to HHS in a timely manner to comply with the regulations.

To make sure you're meeting this requirement, mark your calendar for the end of the year and plan to submit your report shortly after.

The HHS "Wall of Shame" is a public list of breaches affecting 500 or more individuals, and it's a good idea to check it out to see the types of breaches that are being reported.

Remember, timely reporting is key to compliance, so don't put off submitting your report until the last minute.

To stay compliant, Covered Entities must notify individuals of a breach within sixty days of receipt of notification by the CE of the breach from the BA.

Secureframe can help you stay HIPAA compliant by training employees on HIPAA requirements and best practices.

A BA must notify Covered Entities within sixty days of discovery of a breach of unsecured PHI.

Secureframe keeps track of vendors and associates that have access to PHI, ensuring your breach risk is at a minimum.

The CE is ultimately responsible for notifying individuals of the breach, unless the BA is an “agent” of the CE in which case the discovery of the breach by the BA is the start of the sixty (60) day notification period by the CE.

If a covered entity experiences a breach of unsecured ePHI affecting more than 500 residents in a state, it must notify well-known media outlets in that state. This notification must happen promptly and no later than 60 days after discovering the breach.

The notification should include details about the breach, such as a concise description of the incident, the dates of the breach and discovery (if known), and the types of unsecured PHI involved. The notification must also be written in clear and understandable language.

Covered entities must notify the media in a timely manner, just like they do with affected individuals. In fact, the notification to the media must happen within the same timeframe of 60 days.

To notify the media, covered entities can use various methods, including phone calls, emails, or in-person visits. However, the specific method used may depend on the circumstances of the breach and the preferences of the media outlets.

Here are some key points to keep in mind when notifying the media about a breach:

By following these guidelines, covered entities can ensure that they are complying with the HIPAA Breach Notification Rule and keeping the public informed about potential security risks.