- Recent headlines are bringing certain HIPAA rules and regulations to the forefront of healthcare, legal, and public discussion. In the wake of the Anthem data breach that potentially exposed the personally identifiable information of up to 78 million individuals, the data breach notification rule is becoming more prevalent.
Questions are arising over how Anthem business associates are affected. Are those organizations obligated in the same way when it comes to notifying customers? What about notifying the authorities? Perhaps some healthcare entities see the Anthem situation and wonder what they would be obligated to do in a similar situation. We’ll discuss the larger aspects of the HIPAA breach notification rule, and explain exactly how covered entities are required to notify individuals and the necessary authorities.
What is the HIPAA breach notification rule?
The HIPAA breach notification rule requires that covered entities and their business associates notify necessary parties after unsecured protected health information (PHI) is compromised. For example, let’s say that a healthcare organization leaves an unencrypted laptop in a room that is not properly secured. The device is stolen and suddenly several hundred patients’ PHI is potentially in criminals’ hands. The healthcare organization in question is required under HIPAA to notify the patients, the Department of Health & Human Services (HHS) and potentially the media.
If a covered entity or business associate can show that there is a small chance that the PHI was compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates may also be able to give the necessary breach notifications without performing a risk assessment to determine the probability that the PHI was compromised, according to HHS.
It is also important to note that the HIPAA breach notification rule only applies to unsecured PHI. This is PHI “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”
Essentially, if a covered entity or business associate does not make the effort to protect sensitive information, such as using passwords or multi-factor authentication, it may be deemed as being unsecured PHI. This calls back to the need for healthcare organizations to implement and adhere to administrative, technical, and physical safeguards. All of these will help facilities better protect PHI.
What are the notification requirements?
The HIPAA breach notification requirements will vary depending on how many individuals are possibly affected by the exposure of unprotected PHI. If more than 500 people are potentially at risk, then the organization must notify prominent media outlets serving the State or jurisdiction. As far as timeline, this notice must be given “without unreasonable delay” and in no case later than 60 days following the discovery of a breach. The same information that was on individual notifications must be included in the media notice.
The Secretary must also be notified in the same time frame for breaches affecting over 500 people. In instances where fewer than 500 people are affected, covered entities need to make an annual report. However, these notices are due to the Secretary “no later than 60 days after the end of the calendar year in which the breaches are discovered.”
Regardless of the size of the data breach, individual notification must also take place without unreasonable delay or no later than 60 days following the breach discovery. If there is outdated contact information for 10 or more individuals, then the covered entity must post the notice on its web site’s home page for at least 90 days or give the notice to major print or broadcast media where the affected individuals likely live.
The following information must be included in the individual notifications:
- A brief description of the breach
- A description of the types of information that were involved in the breach
- The steps affected individuals should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
- Contact information for the covered entity (or business associate, as applicable).
With the HIPAA Omnibus Rule, business associates are also now responsible for protecting patients’ PHI. Should a data breach occur at a business associate’s facility, that organization needs to notify its covered entity without reasonable delay and no later than 60 days following the breach’s discovery.
Proper documentation is required
HIPAA administrative requirements are quite important in the breach notification process. For example, HHS demands that covered entities need to show that all required notifications are provided following a data breach or prove that a use or disclosure of unsecured PHI did not constitute a breach. This would require covered entities to document that all required notifications were made, or document that notification was not necessary.
This could be done in one of two ways. First, a covered entity shows that its risk assessment found a low probability that the PHI was compromised by the impermissible use or disclosure. The second way could be through “the application of any other exceptions to the definition of ‘breach.’”
Moreover, healthcare organizations need to have written policies and procedures in place that cover the breach notification process. Employees need to then be trained on those policies and procedures. It is also essential for covered entities to develop and apply sanctions where necessary should employees not comply with the documented policies and procedures.
Essentially, it is important for covered entities to create a contingency plan in case a data breach happens. No healthcare organization wants to fall victim to a data breach, but it is unrealistic to assume that nothing will ever happen. That is why it is important to develop, implement and document the appropriate administrative safeguards. That way, when a healthcare data breach does occur, a covered entity will hopefully avoid federal fines in terms of its data breach notification process.