Reporting is critically important in healthcare. Data breaches compromise the privacy of millions of patients. Regulators need to know why data leaks happen and how organizations respond. And the HIPAA Breach Notification Rule makes this possible.
HIPAA-covered entities and Business Associates must follow the Breach Notification Rule. This article will explain what the rule involves. We will learn why reporting breaches matters. And we will explore how to follow the rules when security incidents occur.
What is the HIPAA Breach Notification rule?
The HIPAA Breach Notification Rule requires a covered entity or Business Associate to report breaches of unsecured Protected Health Information (PHI). Covered entities must notify the affected individuals and the Secretary of Health and Human Services. When a breach affects a large number of individuals, they must also notify prominent media outlets.
HHS published the rule in 2009, as required by the HITECH Act. Before that there was no systematic reporting requirement for health data breaches. Regulators did not know how many records had been compromised, and identifying non-compliant healthcare organizations was difficult.
Under the Breach Notification Rule, a “breach” is the acquisition, access, use, or disclosure of PHI in a manner the Privacy Rule does not permit, where that compromises the security or privacy of the PHI. Deliberate and accidental exposure both count, whether one unauthorized person or many are involved.
An impermissible use or disclosure is presumed to be a breach. The covered entity can rebut that presumption only by demonstrating, through a documented risk assessment, that there is a low probability the PHI has been compromised. The rule also carves out three narrow exceptions: unintentional, good-faith access by a workforce member acting within the scope of their authority; inadvertent disclosure between two people who are both authorized to access PHI at the same covered entity or Business Associate; and disclosure to someone who could not reasonably have retained the information.
In all cases the organization must have procedures to document and risk assess incidents. The burden of proof sits with the covered entity: it must be able to show why notification was unnecessary.
Why is following the Breach Notification Rule so important?
The Breach Notification Rule guides covered entities during security incidents. Without this guidance, the covered entity may not know how to proceed. Following HIPAA regulations enables covered entities to inform affected individuals. Organizations can take appropriate action to deal with the causes of breaches.
Following the Breach Notification Rule also reduces the risk of compliance penalties. Organizations that expose Protected Health Information may be liable for HIPAA penalties. But fines are higher if the covered entity fails to follow reporting requirements.
Reporting incidents to individuals also limits the reputational damage associated with data breaches. A covered entity will lose customer trust if it fails to inform patients about ePHI exposure. So, following the requirements of the Breach Notification rule is important.
Breach notifications are also important for individuals. Reporting requirements encourage healthcare providers to take care when handling Protected Health Information. Organizations are legally required to publish notices about privacy failures. This is something healthcare bodies would rather avoid. So, they are more likely to put in place comprehensive security controls.
The disclosure of Protected Health Information can also be harmful to individuals. Data breaches lead to identity theft and fraud. They can affect careers, and they damage the relationship between providers and patients. Notification rules allow patients to take action to protect their data. Strict timescales limit the damage from breaches, making life easier for those affected.
Breach Notification Requirements
HHS lists three core Breach Notification requirements. HIPAA covered entities must report to individuals, media organizations, and regulators. Notification requirements are different for each stakeholder.
Individual Notice
Covered entities must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, compromised. Notice is written and sent by first-class mail to the individual's last known address, or by email if the individual has agreed to receive notices electronically.
Notice must go out without unreasonable delay and no later than 60 calendar days after discovery. A breach counts as discovered on the first day the organization knows of it, or would have known of it with reasonable diligence; knowledge held by any workforce member or agent counts. The 60 days is an outer limit, not a target. Each individual notice must include:
- A brief description of what happened, including the date of the breach and the date of discovery, if known
- The types of unsecured PHI involved (for example names, Social Security numbers, dates of birth, diagnoses)
- Steps the individual should take to protect themselves from potential harm
- What the covered entity is doing to investigate, mitigate harm, and prevent further breaches
- Contact procedures for questions, which must include a toll-free telephone number, an email address, a website, or a postal address
Sometimes the covered entity has insufficient or out-of-date contact information for some affected individuals. If that applies to fewer than 10 individuals, substitute notice may be an alternative written notice, a telephone call, or another means. If it applies to 10 or more individuals, the covered entity must:
- Post a conspicuous notice on the home page of its website for at least 90 days, or place a conspicuous notice in major print or broadcast media in the areas where the affected individuals likely live
- In either case, include a toll-free number, active for at least 90 days, where individuals can find out whether their PHI was involved
Media Notice
When a breach affects more than 500 residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction, typically by press release.
A breach that spans several states can require media notice in each affected jurisdiction, which adds coordination work. The timescale is the same as for individual notice: without unreasonable delay and no later than 60 calendar days after discovery, whether the covered entity or a delegated Business Associate issues the notice.
Media notices must contain the same information as individual notices: what happened, the types of PHI involved, what individuals should do to protect themselves, what the organization is doing in response, and how to reach it, including a toll-free number.
Notice to the Secretary
Notices to the Secretary inform the regulator about breaches. Covered entities report to the Secretary of the Department of Health and Human Services (HHS) through the breach reporting portal on the Office for Civil Rights website.
The deadline depends on the size of the breach. If a breach affects 500 or more individuals, the covered entity must notify HHS without unreasonable delay and no later than 60 calendar days after discovery, at the same time as individual notice; HHS then lists the breach on its public breach portal. Breaches affecting fewer than 500 individuals can be logged and reported to HHS within 60 days of the end of the calendar year in which the breach was discovered, not the year it occurred.
Burden of Proof documentation
Alongside notices to external parties, covered entities must keep internal records of every breach notification, and of every incident they decided not to notify. Retain these records for at least six years. They demonstrate compliance to OCR and serve as evidence if an incident leads to legal proceedings.
A covered entity that decides not to notify must document a risk assessment showing a low probability that the PHI has been compromised. The assessment must consider at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. If the assessment cannot demonstrate low probability, the incident must be treated as a breach and notified.
Policies and procedures
Breach notification policies should ensure timely and accurate reporting. Training must make every workforce member aware of the policies, including how to recognise and escalate a suspected breach. Sanctions apply to employees who fail to follow them.
The covered entity should also provide confidential reporting channels available to all staff. Employees need a safe way to raise security concerns, for instance when a colleague has exposed PHI to an unauthorized person. Internal reports are often the first signal that starts the discovery clock, so the channel should feed directly into the incident response process.
Encrypted data
Security incidents may expose encrypted health information in transit or at rest. The rule applies only to unsecured PHI, so such incidents are not notifiable breaches if the data was rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS guidance ties this to NIST standards:
- Data at rest must be encrypted consistent with NIST Special Publication 800-111.
- Data in motion must be encrypted consistent with the relevant NIST guidance for the protocol in use, such as SP 800-52 for TLS or SP 800-77 for IPsec.
- The decryption key must not have been compromised. Keys should be kept on a device or in a location separate from the encrypted data, and the encryption must actually have been in force at the time: a laptop stolen while unlocked and logged in gets no benefit from full-disk encryption, and neither does one whose passphrase was in the same bag.
If these conditions hold, the exposed data is not unsecured PHI and no notification is required. The organization should still document the incident, the encryption in use, and why the key was not exposed, because the burden of proof remains with it.
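As an added worked example, not from the original article or from HHS, the following Python encodes the thresholds and outer deadlines from the individual, media, and HHS notice sections above, together with the encryption safe harbour and the risk-assessment outcome described in this section and the burden-of-proof section. The record structure, field names, and the three sample incidents are hypothetical and constructed for illustration. The "without unreasonable delay" standard cannot be computed, so every date returned is a ceiling, not a target.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and outer limits as summarised in this article.
OUTER_LIMIT = timedelta(days=60)   # ceiling; "without unreasonable delay" still governs
MEDIA_THRESHOLD = 500              # more than 500 residents of one state or jurisdiction
HHS_PROMPT_THRESHOLD = 500         # 500 or more individuals in total
SUBSTITUTE_THRESHOLD = 10          # 10 or more individuals with unusable contact details


@dataclass
class BreachRecord:
    """Facts about one incident (hypothetical structure, not an HHS form)."""
    discovered_on: date                 # first day known, or reasonably should have been known
    affected_by_state: dict[str, int]   # state code -> number of affected residents
    missing_contact: int = 0            # individuals with insufficient or out-of-date contact details
    encrypted_per_nist: bool = False    # encrypted consistent with NIST SP 800-111 / in-transit guidance
    key_compromised: bool = True        # assume the worst until the key's safety is established
    low_probability_of_compromise: bool = False  # outcome of the documented four-factor risk assessment


@dataclass
class Obligation:
    recipient: str
    deadline: date
    detail: str


def total_affected(rec: BreachRecord) -> int:
    return sum(rec.affected_by_state.values())


def required_notifications(rec: BreachRecord) -> list[Obligation]:
    """Return the notices owed for this record, each with its outer deadline.

    Only the internal documentation obligation remains when the encryption
    safe harbour applies or the risk assessment rebuts the presumption of breach.
    """
    documentation = Obligation(
        "internal documentation", rec.discovered_on,
        "keep the risk assessment and every notification decision as burden-of-proof records")

    # Safe harbour: properly encrypted data with an uncompromised key is not unsecured PHI.
    if rec.encrypted_per_nist and not rec.key_compromised:
        return [documentation]
    # Presumption of breach rebutted by a documented low-probability finding.
    if rec.low_probability_of_compromise:
        return [documentation]

    outer = rec.discovered_on + OUTER_LIMIT
    obligations = [
        documentation,
        Obligation("individuals", outer,
                   "written notice by first-class mail, or email where the individual agreed"),
    ]

    if rec.missing_contact >= SUBSTITUTE_THRESHOLD:
        obligations.append(Obligation(
            "substitute notice", outer,
            "website posting for 90 days or major print/broadcast media, plus a toll-free number live for 90 days"))
    elif rec.missing_contact > 0:
        obligations.append(Obligation(
            "substitute notice", outer,
            "alternative written notice, telephone, or other means"))

    for state, count in sorted(rec.affected_by_state.items()):
        if count > MEDIA_THRESHOLD:
            obligations.append(Obligation(
                f"media:{state}", outer,
                "press release to prominent media outlets serving the state"))

    if total_affected(rec) >= HHS_PROMPT_THRESHOLD:
        obligations.append(Obligation(
            "HHS", outer, "report to the Secretary at the same time as individual notice"))
    else:
        year_end = date(rec.discovered_on.year, 12, 31)
        obligations.append(Obligation(
            "HHS", year_end + OUTER_LIMIT,
            "log now; submit within 60 days of the end of the calendar year of discovery"))
    return obligations


def deadlines(rec: BreachRecord) -> dict[str, date]:
    """Recipient -> outer deadline, convenient for a tracking dashboard."""
    return {o.recipient: o.deadline for o in required_notifications(rec)}


# Constructed sample incidents, not real breaches.
LARGE_BREACH = BreachRecord(date(2024, 3, 1), {"IL": 700, "IN": 300}, missing_contact=25)
SMALL_BREACH = BreachRecord(date(2024, 3, 1), {"IL": 120}, missing_contact=3)
ENCRYPTED_LAPTOP = BreachRecord(date(2024, 3, 1), {"IL": 120},
                                encrypted_per_nist=True, key_compromised=False)

if __name__ == "__main__":
    for name, rec in [("large", LARGE_BREACH), ("small", SMALL_BREACH), ("encrypted", ENCRYPTED_LAPTOP)]:
        print(f"--- {name} ---")
        for o in required_notifications(rec):
            print(f"{o.recipient:<22} by {o.deadline}  {o.detail}")
```

Note that the media check uses "more than 500" per state while the HHS check uses "500 or more" in total; the 1,000-person sample triggers media notice in Illinois but not Indiana, and the small sample's HHS deadline lands 60 days after 31 December of the discovery year. The safe-harbour branch is deliberately conservative: `key_compromised` defaults to true, so the incident is notifiable unless someone affirmatively records that the key was safe.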
Data storage devices and media
Improper disposal of devices or storage media can expose PHI. Disposal is not a breach, however, if the PHI was rendered unusable before the media left the organization's control. Paper, film, and other hard-copy media must be shredded or destroyed so that the PHI cannot be read or reconstructed. Electronic media must be cleared, purged, or destroyed in line with NIST Special Publication 800-88 (Guidelines for Media Sanitization). Keep a record of what was sanitized, how, and by whom; a device that left the building before sanitization is a potential breach and must be risk assessed.
What are the notification requirements for Business Associates?
The HIPAA Breach Notification Rule applies to Business Associates as well as covered entities. The covered entity keeps overall responsibility for protecting PHI, but a Business Associate that exposes PHI has its own notification duties.
A Business Associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery; Business Associate Agreements often set a shorter deadline. The notification must identify, as far as possible, each individual affected and supply any other information the covered entity needs in order to notify those individuals. Subcontractors are Business Associates too, and must report up the chain to the Business Associate that engaged them.
Sometimes a covered entity delegates notification to a Business Associate, typically when the Business Associate holds the contact details and is best placed to identify and inform affected individuals. The covered entity remains responsible for ensuring the notices go out correctly and on time. If the Business Associate acts as the covered entity's agent, the covered entity is treated as having discovered the breach when the Business Associate did, so delegation does not buy extra time.
Understanding Breach Notification penalties
Violating the Breach Notification Rule carries the same civil monetary penalty structure as violations of the Privacy Rule and Security Rule. The Office for Civil Rights (OCR) investigates and levies penalties. Amounts are tiered by culpability, from violations the entity did not know about and could not reasonably have known about, through reasonable cause, to willful neglect that was or was not corrected, with annual caps per provision. Within those tiers, OCR considers:
- The nature and extent of the violation, including how many individuals were affected and for how long
- The nature and extent of the harm, including physical, financial, or reputational harm to individuals
- The covered entity's history of prior compliance and whether it corrected the violation promptly
- Whether the entity met its notification deadlines
- Whether the violation was deliberate or the result of willful neglect
- The entity's financial condition and any other matters that justice requires
Notification failures are often one part of a larger settlement that also covers Privacy Rule or Security Rule violations. But a notification failure on its own can be costly. In January 2017, OCR reached a $475,000 settlement with Presence Health for untimely notice: the organization notified individuals, HHS, and the media more than 100 days after discovering that paper operating-room schedules containing the PHI of 836 patients were missing. Every covered entity should treat the notification clock as seriously as the underlying incident.
Consider every security incident with a thorough risk assessment. Use policies to define incident reporting thresholds. And make sure every Business Associate knows their reporting responsibilities.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.