HIPAA Breach Notification Rules under the HITECH and GINA Act were issued on January 25, 2013, resulting in modifications to the HIPAA Privacy, Security, and Enforcement Rules. This is commonly known as the Omnibus Rule. The Omnibus Rule mandates that covered entities (CEs) and business associates (BAs) provide the required HIPAA breach notifications following an impermissible use or disclosure of protected health information (PHI).
What is a HIPAA Breach?
A HIPAA breach notification may be required because of an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) of an individual. An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the protected health information has been compromised.
A risk assessment must include consideration of at least the following factors:
- The nature and extent of the PHI involved (i.e., the types of identifiers and the likelihood of re-identification);
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the PHI was actually viewed and/or acquired;
- The extent to which the risk to the PHI has been mitigated.
How Does a HIPAA Breach Notification Work?
(1) HIPAA Breach Notification Rule: Following a breach of unsecured PHI, CEs must notify the affected individual(s) and the Secretary of Health and Human Services (HHS). Where the breach affects more than 500 residents of a State or jurisdiction, notice must also be provided to prominent local media. In addition, BAs must notify CEs that a breach has occurred.
Individual HIPAA breach notifications must occur without delay, and no later than 60 days from the date the breach is discovered. A breach is considered "discovered" as soon as at least one employee of the entity, other than the person responsible for the breach, knows of it.
(2) Covered Entities HIPAA Breach Notification: Covered entities are required to notify affected individuals following the discovery of a breach of unsecured PHI. The CE must provide the individual notice in written form by first-class mail. Notices by email are permissible if the affected individual has agreed to receive notices electronically.
What about Business Associates?
(1) Business Associates HIPAA Breach Notification: If a breach of unsecured PHI occurs at a business associate, the BA must notify the CE following discovery of the breach. A business associate must provide notice to the covered entity no later than 60 days from the day the breach is discovered, and must identify each individual affected by the breach. The covered entity remains responsible for ensuring that individuals are notified of a breach at a business associate, even if it has delegated the task of providing individual notices to the business associate.
(2) Out-of-date Information: If the CE or BA has insufficient or out-of-date contact information for more than 10 individuals, the CE must provide a substitute individual notice by one of two methods: it may post the notice on the home page of its website for at least 90 days, or it may provide the notice in major print or broadcast media where the affected individuals reside. Either way, the notice must include a toll-free number that remains active for at least 90 days. If the CE or BA has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide a substitute notice by an alternative form of written, telephone, or other means of notification.
HHS Wall of Shame
As required by section 13402(e)(4) of the HITECH Act, the Secretary posts a list of HIPAA breaches of unsecured protected health information affecting 500 or more individuals. These HIPAA breaches range from a laptop theft to a hacking/IT incident. In 2015, breaches of over 113 million individual records were reported, and the number of incidents categorized as "hacking" or "IT incidents" has doubled since 2014. And this only includes breaches involving 500 or more individuals!
Most recently, St. Joseph Health (SJH) agreed to settle potential violations of the HIPAA Privacy and Security Rules following a report that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012. The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information. SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. This plan requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff accordingly.
The HIPAA Security Rule's specific requirements to address environmental and operational changes are critical for the protection of patient information. Entities must not only conduct a comprehensive HIPAA risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes that affect ePHI.
In my next blog, I plan to discuss what is included in a HIPAA breach notification letter, the requirements for HIPAA breaches affecting 500 or more individuals, and when CEs are required to send notice of a breach to the HHS Secretary.