Breach Notification- What Do Practices Need to Know?

Breach Notification- What Do Practices Need to Know?

Published: December 4th, 2018

According to the HIPAA Breach Notification Rule, all covered entities and their business associates are required to report any breach of protected health information. It is essential to understand and implement all breach notification requirements or risk incurring financial penalties as high as $1,500,000 from state attorneys general and the HHS’ Office for Civil Rights.

What is a Breach? A data breach is defined as the impermissible use or disclosure of protected health information. Breaches include unauthorized access by employees and third parties, improper disclosures, the exposure of protected health information, and ransomware attacks.

What are the HIPAA Breach Notification Requirements?

Below is a summary of the HIPAA breach notification requirements for covered entities and their business associates in the event of a breach:

Contact Individuals Impacted

  • Any person who has had their protected health information accessed, used, or disclosed impermissibly must be notified of the breach.
  • Any individual who may potentially have been affected by the breach must also be informed of the breach.
  • Breach notification letters must be sent within 60 days of the discovery of a breach.
  • Written notice of the breach must be submitted by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically.
  • The notification must include a brief description of the breach, including the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a description of what the covered entity is doing to investigate the breach, mitigate the damage, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
  • Breach victims should also be provided with a toll-free number, postal address, and email address to contact the breached entity for further information.

Contact the Department of Health and Human Services

  • Covered entities must notify the Secretary of the Department of Health and Human Services, of any breaches of unsecured protected health information.
  • Covered entities will notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form.
  • If the breach affects more than 500 people, the notification to the HHS must be sent before 60 days from the discovery of the breach.
  • If the breach affects fewer than 500 individuals, the covered entity may notify the HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

Inform the Media

  • Covered entities that experience a breach of over 500 individuals are required to provide notice to the prominent media outlets serving the jurisdiction. 
  • The notification can be in the form of a press release to appropriate media outlets serving the affected area and must be provided no later than 60 days following the discovery of the breach.

Post a Breach Notice

  • Covered entities are required to upload a substitute breach notice to their website and link to the notice from the home page if they do not hold the correct contact information for 10 or more individuals affected by the breach. (The link to the breach notice should be displayed prominently and should remain on the website for a period of 90 consecutive days.)
  • If the covered entity has insufficient contact information for fewer than ten individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means. 

Business Associates

  • Business associates must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. 
  • Business associates should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
  • Business associates must also comply with all of the HIPAA breach notification requirements and can be fined directly by the HHS’ Office for Civil Rights and state attorneys general for a HIPAA Breach Notification Rule violation.

State Breach Notification

  • U.S. states have their own breach notification laws.
  • Typically, a notice must be submitted to the state attorney general’s office. Some states require breach notifications to be issued well within the HIPAA deadlines.
  • It is essential to stay up to date on your local state breach notification laws.

The three exceptions include:

  • The first exception applies to the unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate if the activity was done in good faith and within the scope of authority.
  • The second exception applies to inadvertent disclosure of PHI by a person with authorized access.
  • The third exception applies if the covered entity or business associate has a legitimate belief that the unauthorized person who whom the impermissible disclosure was made would not have been able to retain the information.

For further information or assistance on breach notification requirements, contact the experts at MedSafe for a free consultation. MedSafe is the nation's leading one-stop resource for outsourced safety and health compliance solutions in healthcare.

Toll-free: (888) MED-SAFE