HIPAA Breach Notification rule explained

HHS published the rule in 2009 in response to rising data breach attacks. When attacks occurred, there was no systematic reporting system. Regulators did not know how many records were compromised. And identifying non-compliant healthcare organizations was not easy.

Under the Breach Notification Rule, a “breach” occurs when healthcare organizations expose Protected Health Information (PHI). Notifications include deliberate or accidental exposure to one or more unauthorized persons.

Covered entities must assume that PHI exposure is always a breach. This principle applies unless the covered entity proves otherwise. And there are some exceptions. If the risk of disclosure to unauthorized actors is low, this generally does not count as a breach. Two authorized individuals may share Protected Health Information accidentally. Again, this would not technically be a breach.

In all cases organizations must have procedures to document and risk assess breaches. And they must prove that notification is unnecessary.

Why is following the Breach Notification Rule so important?

The Breach Notification Rule guides covered entities during security incidents. Without this guidance, the covered entity may not know how to proceed. Following HIPAA regulations enables covered entities to inform affected individuals. Organizations can take appropriate action to deal with the causes of breaches.

Following the Breach Notification Rule also reduces the risk of compliance penalties. Organizations that expose Protected Health Information may be liable for HIPAA penalties. But fines are higher if the covered entity fails to follow reporting requirements.

Reporting incidents to individuals also limits the reputational damage associated with data breaches. A covered entity will lose customer trust if it fails to inform patients about ePHI exposure. So, following the requirements of the Breach Notification rule is important.

Breach notifications are also important for individuals. Reporting requirements encourage healthcare providers to take care when handling Protected Health Information. Organizations are legally required to publish notices about privacy failures. This is something healthcare bodies would rather avoid. So, they are more likely to put in place comprehensive security controls.

The disclosure of Protected Health Information can also be harmful to individuals. Data breaches lead to identity theft and fraud. They can affect careers, and they damage the relationship between providers and patients. Notification rules allow patients to take action to protect their data. Strict timescales limit the damage from breaches, making life easier for those affected.

HIPAA Breach Notification Rule requirements

When a breach of PHI occurs, HIPAA requires Covered Entities and Business Associates to follow specific notification procedures. Here are the key steps:

1. Determine notification timelines

Understanding the required timing is crucial. Generally, notifications must be made without unreasonable delay, and in no case later than 60 calendar days after the discovery of a breach.

This 60-day clock starts when an employee or agent of the covered entity (or Business Associate) first knows, or reasonably should have known, about the breach. Specific deadlines apply depending on who is being notified and the scale of the breach.

2. Inform affected individuals

Covered Entities must inform individuals if their Protected Health Information has been compromised. Breach notification to affected individuals must be provided via first-class mail (or email, if the individual has consented to electronic notice) within 60 days of discovering the breach. Each individual notice must include:

• A description of the breach or exposure
• Information about what Protected Health Information was compromised
• How the individual can protect themselves against further disclosure or harm
• Information about actions taken by the Covered Entity following the breach
• Contact information for the Covered Entity

If a covered entity lacks contact information for 10 or more affected individuals, a substitute notice is required. This involves:

• Posting the breach details prominently on their website for at least 90 days
• Placing a substitute notice in major print or broadcast media in the geographic areas where affected individuals likely reside
• Providing a toll-free phone number, active for at least 90 days, for individuals to make inquiries

3. Notify the media (if applicable)

When a data breach affects more than 500 individuals residing in a single state or jurisdiction, the covered entity must notify prominent media outlets serving that state or jurisdiction. This media notice must be provided within 60 days of discovering the breach.

The notice can be in the form of a press release and should contain the same information required for individual notices (description of breach, types of PHI involved, steps for self-protection, entity's response, contact info).

4. Report to the Secretary of HHS

Covered Entities must report all breaches of unsecured PHI to the Secretary of the Department for Health and Human Services (HHS). This is done via an online form on the HHS website. The timing depends on the number of individuals affected:

• Breaches affecting 500 or more individuals: Must be reported to HHS within 60 days of discovery.
• Breaches affecting fewer than 500 individuals: Must be reported to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered.

5. Document your actions and decisions

Covered entities must internally document all breach notifications sent to individuals, the media (if applicable), and HHS. This documentation serves as proof of compliance.

Crucially, documentation must also record any security incidents or accidental disclosures that were assessed but not reported as breaches because a risk assessment determined a low probability of compromise. This risk assessment documentation explains the rationale and serves as evidence should questions arise later.

Important considerations for breach notification compliance

Beyond the core notification steps, several factors are crucial for maintaining compliance:

Policies and procedures

Organizations must develop and implement clear policies and procedures for breach notification. These should detail how breaches are identified, assessed, and reported.

Training procedures are essential to ensure all workforce members understand their roles and responsibilities regarding breach notification policies. Penalties should apply to employees who fail to follow these guidelines. Confidential whistleblowing channels should also be available for staff to report potential breaches or security concerns without fear of reprisal.

Encrypted data exception

Security incidents involving encrypted PHI are generally not considered notifiable breaches under HIPAA, provided specific conditions are met. This exception applies if the PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption that meets NIST standards:

• Data at rest: Encrypted according to NIST Special Publication 800-111, Guide to Storage Encryption Technologies.
• Data in transit: Encrypted according to NIST Special Publications 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.

Crucially, the encryption keys must be stored separately and securely, inaccessible along with the encrypted data. If these conditions are met, a breach notification is typically not required, although the incident should still be documented internally.

Data storage devices and media disposal exception

Improper disposal of devices or media containing PHI can lead to a breach. However, if the PHI on the disposed media is rendered unusable, unreadable, or indecipherable, it does not qualify as a notifiable breach. This requires:

• Paper records: Must be shredded or destroyed so that PHI cannot be read or reconstructed.
• Electronic media: Must undergo clearing, purging, or destruction consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.

Proper disposal methods effectively eliminate the risk of PHI exposure from discarded media.

What are the notification requirements for Business Associates?

The HIPAA Breach Notification rule applies to covered entities and Business Associates. Covered entities have an overall responsibility to protect health information. However, a Business Associate must still follow notification guidelines if they expose PHI.

A Business Associate detecting PHI exposure must inform covered entities within 60 days. Notifications should include information about every individual affected by the data breach. Business Associates should supply the information requested by the covered entity when notifying individuals.

Sometimes, a covered entity delegates notification responsibilities to a Business Associate. Delegation applies when Business Associates are best placed to identify and inform affected individuals. However, covered entities must ensure the Business Associate carries out their duties.

Understanding Breach Notification penalties

Violating the Breach Notification Rule carries severe penalties. Sanctions for non-compliant organizations are just as serious as violations of the Security Rule and the Privacy Rule. The Office for Civil Rights (OCR) determines and levies Breach Notification penalties. Penalty amounts are not pre-determined. The eventual fine depends on:

• The seriousness of the incident
• How much Protected Health Information did the breach expose?
• Whether the covered entity took action in response
• Did the covered entity take steps to use a Business Associate?
• Whether the covered entity met its breach notification requirements promptly
• Whether exposure of health information was deliberate

Fines for notification errors are often part of judgments. Penalties may also cover HIPAA Privacy Rule or Security Rule violations. But fines only involving the Breach Notification Rule can be significant. In 2017 HHS fined Presense Health $475,000 for notification violations alone. This means that every covered entity must focus on notification.

Consider every security incident with a thorough risk assessment. Use policies to define incident reporting thresholds. And make sure every Business Associate knows their reporting responsibilities.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.