- Following an unsecured protected health information (PHI) breach, HIPAA covered entities must provide breach notifications to patients, the Secretary, and the media if 500+ patients are affected. The Office for Civil Rights (OCR) also stipulates that business associates (BAs) must notify covered entities that a breach has occurred.
Anyone from a healthcare practice manager to legal expert will tell you the amount of work involved with reporting a breach, so here are some reminders of what language OCR used to describe breach notification requirements.
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by email if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
A BA must notify the covered entity following the discovery of the breach if they’re responsible for the breach and provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. And the BA has to offer individual identifications affected by the breach as well as any information required to be provided by the covered entity in its patient notification.
When new HIPAA omnibus regulations are taken into account, is there enough time for these organizations to investigate the breaches and send out notifications in a timely manner? What is the ideal amount of time to report breaches? Let us know in the comment section down below.