Your Responsibilities Under the HIPAA Breach Notification Rule

March 11, 2022 - The HIPAA Breach Notification Rule requires HIPAA-covered entities and business associates to follow specific reporting requirements following the discovery of a protected health information (PHI) breach.

If organizations fail to comply with HIPAA’s standards, they run the risk of endangering patient privacy, paying hefty noncompliance fees, and suffering reputational harm and lawsuits.

Healthcare organizations and business associates should review breach reporting requirements and have business continuity and incident response plans in place to avoid repercussions.

What Constitutes a PHI Breach?

Healthcare data breaches and cyberattacks are almost inevitable in the current cyber threat landscape. SecureLink found that one healthcare record is worth up to $250 on the black market, compared to $5.40 for payment card information, the next highest-value record type.

Given the likelihood that a healthcare organization or business associate with valuable protected health information (PHI) will face an attempted or successful cyberattack, it is essential to understand how HHS defines a data breach and what to do if your organization falls victim to one.

According to HHS, a breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

Organizations must conduct a risk assessment of the following factors to determine whether a security incident would be considered a breach:

• The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the protected health information or to whom the disclosure was made;
• Whether the protected health information was actually acquired or viewed; and
• The extent to which the risk to the protected health information has been mitigated.

The HIPAA Breach Notification Rule assumes that an impermissible use or disclosure of PHI is a breach unless an organization can show that there is a low probability that information was compromised based on the above factors.

The definition of a breach is fairly straightforward, but not all accidental information disclosures are considered data breaches. There are three exceptions to the rule that excuse healthcare organizations and business associates from reporting a breach to HHS.

If a workforce member acting under the authority of a covered entity or business associate accesses or acquires PHI unintentionally (but in good faith), the incident would not be considered a breach.

The second exception involves a person who has authorized access to PHI at a covered entity but inadvertently discloses that PHI to another person in that organization with authorized access to PHI. The second exception applies only if that information was not further used or disclosed in ways that violate the HIPAA Privacy Rule once the parties discovered their wrongdoing.

The third exception applies if the covered entity or business associate has good reason to believe that the unauthorized person who accessed the PHI would not be able to retain any information.

“Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information,” HHS’ website stated.

“Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”

Unless the information disclosure occurred under a particular set of conditions, covered entities and business associates should assume that they must follow HIPAA’s breach reporting requirements.

Breach Notification Requirements for Healthcare Organizations

Covered entities are required to notify impacted individuals of a PHI breach within 60 days of discovering the breach. The covered entity must send the individual notice via first-class mail or by email if the individual had previously agreed to receive communications that way.

“If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside,” HHS noted.

The organization also must maintain a toll-free phone number for 90 days for impacted individuals to learn about the breach.

Along with the delivery methods, HIPAA also has specific requirements for what information organizations should include in the breach notification. The notice must include a description of the breach, the types of information involved in the breach, and what steps individuals can take to prevent further harm.

In addition, the notice must include a description of what the covered entity is doing to investigate the breach and prevent future breaches.

If the breach impacted more than 500 individuals, HIPAA requires the covered entity to notify prominent media outlets via a press release within 60 days of discovering the breach. Also within 60 days, covered entities must notify HHS by filling out a breach report form. The Office for Civil Rights (OCR) posts breaches impacting more than 500 people on its data breach portal.

Although the HIPAA Breach Notification Rule naturally emphasizes breaches impacting more than 500 people, it is important to note that breaches impacting less than 500 people still need to be reported to HHS. Covered entities should report these smaller breaches to HHS on an annual basis, no later than 60 days after the end of the calendar year in which the entity discovered the breach.

Breach Notification Requirements for Business Associates

Business associate data breaches are becoming more common as threat actors shift their tactics and targets. Critical Insight found that while cyberattacks against healthcare providers dipped slightly in 2021, attacks targeted at health plans and business associates increased.

In January 2022, clinical data technology company and business associate Ciox Health began notifying individuals of a healthcare data breach that impacted more than 30 healthcare organizations. Targeting business associates can be an easy way for threat actors to access data from multiple organizations with just one cyberattack.

With this in mind, business associates must understand their role in providing breach notifications to covered entities and impacted individuals.

“With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate,” HHS’ website states.  

“Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.”

Covered entities and business associates should work together to ensure that the right people are notified of a breach at the right time.

Business associates, which are entities subject to HIPAA requirements via a business associate agreement (BAA), are required to disclose breaches to covered entities within 60 days of discovering the breach. The business associate has an obligation to provide the covered entity with all the necessary information for a thorough breach notification letter.

How Data Breach Reporting Requirements May Change

In March 2022, the Senate passed the Strengthening American Cybersecurity Act. If signed into law, the act would require critical infrastructure entities to report cyber incidents within 72 hours of discovery and 24 hours if the entity makes a ransomware payment.

“The term ‘significant cyber incident’ means a cyber incident, or a group of related cyber incidents, that the Secretary determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States,” the bill stated.

It is currently unclear what incidents and healthcare entities might be subject to this rule. The determinations will likely depend on the size and scope of the security incident and whether it poses a significant threat to public health on a large scale.

On top of HIPAA requirements, covered entities and business associates will have to keep track of emerging regulations to protect PHI and know when and how to notify government agencies and impacted individuals of a data breach.

It is also important to note that different states have different breach reporting requirements. For example, Gastroenterology Consultants in Houston, Texas, began notifying over 161,000 patients of a January 2021 ransomware attack on August 6, 2021. The notification came as a surprise to many patients who were unaware of the breach for months.

Although Gastroenterology Consultants complied with HIPAA by reporting the breach to federal authorities in March, it failed to comply with Texas breach reporting requirements. Texas law requires businesses to notify the Attorney General’s Office of a data breach within 60 days if it impacted more than 250 individuals. Gastroenterology Consultants failed to notify Texas officials of the cyberattack until August 9.

Complying with the HIPAA Breach Notification Rule is essential for covered entities and business associates. But as regulations expand and individual states develop their own reporting requirements, strictly following HIPAA will no longer be enough.