In my previous blog post, HIPAA Breach Notification Rule, I discussed the definition of a HIPAA breach and some of the requirements for HIPAA breach notifications. Today we will look at the specifics of a HIPAA breach disclosure in the form of notification letters, “going public”, media notices, and exceptions to the reporting requirements.
HIPAA Breach Disclosure Letter
In the event of a HIPAA breach, the disclosure letter to the person(s) affected must include the following information:
- Brief description of what happened and when it happened, to include the date of the breach and the date it was discovered;
- Description of the types of unsecured protected health information (PHI) involved in the breach (e.g., date of birth, diagnosis, address, social security number);
- Steps individuals should take to protect themselves from potential harm as a result of the breach;
- Brief description of what the involved covered entity is doing to investigate the breach, mitigate losses, and protect against any further breaches;
- Contact procedures for individuals to ask questions or learn additional information.
HIPAA Breach Media Notices
If the HIPAA breach affects more than 500 residents of a State or jurisdiction, in addition to notifying the affected individuals, a press release must be provided by the covered entity (CE) to appropriate media outlets serving the affected area. Media notices must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. The media notice must include the same information required for the individual notices.
HIPAA Breach Disclosure to the HHS Secretary
The HIPAA Breach Notification Final Rule requires covered entities to provide the Secretary of HHS with notice of breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Covered entities notify the Secretary by visiting the HHS website, filling out, and electronically submitting a breach report form.
HIPAA Breach affecting 500 or more Individuals
If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically.
HIPAA Breach affecting fewer than 500 Individuals
For breaches that affect fewer than 500 individuals, a CE must provide the Secretary with a report annually. All disclosure notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. The notice must be submitted electronically. A separate form must be completed for every breach that has occurred during the calendar year.
When a covered entity has submitted a breach notification form to the Secretary and discovers that there is additional information to report, the CE can submit an additional form, checking the appropriate box for an updated submission.
The Burden of Proof
The CE and business associate (BA) have the burden of proof to demonstrate that all required HIPAA Breach disclosures have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. The covered entity must also comply with several other provisions of the Privacy Rule with respect to breach notification. For instance, CEs must have written policies and procedures, and must develop and apply sanctions against workforce members who do not comply with these policies and procedures.
There are HIPAA Breach Exceptions
There are three exceptions to the definition of “breach”:
- Unintentional acquisition, access, or use of protected health information by a workforce member or a person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of the person’s authority.
- Inadvertent disclosure of protected health information by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA, or at an organized health care arrangement in which the covered entity participates. In both cases the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
- If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
CEs must be prepared to defend their decision to claim an exception to the breach definition, so keep the documentation that supports your decision!
Avoiding breaches requires constant vigilance. Employees lose laptops, visit websites that contain malware, and sometimes just forget the rules. Whenever the Office for Civil Rights comes to investigate a HIPAA breach at your organization, it will look for 4 things: (1) your policies and procedures, (2) your recent HIPAA risk assessment, (3) your evidence of employee training, and (4) your HIPAA breach disclosure documentation.
Plan to have all four available!