What Are HIPAA Breach Notification Requirements?
By Greg Garner
When it was first implemented in 1996, one of HIPAA’s core goals was to improve Americans’ awareness of and control over their protected health information (PHI). Over time, the OCR has added to and amended portions of the law to better achieve that goal.
One of the key changes occurred in 2009 when the Breach Notification Rule went into effect.
But what qualifies as a HIPAA breach? Who gets notification of a HIPAA breach and when? Who is responsible for doing the notifying?
Keep reading for a complete breakdown of HIPAA breach notification requirements and how they apply to you.
What Is a HIPAA Breach?
The HIPAA Privacy Rule defines a breach as a situation in which unauthorized parties gain access to unsecured PHI. Breaches can be accidental or intentional.
Examples of accidental breaches include:
- A medical practitioner sending or handing a patient the wrong file, allowing them to see another patient’s personal information
- A third party overhearing a private conversation that contains PHI
- Computers holding unsecured PHI being improperly disposed of
- A medical practitioner leaving a file open and unattended where it can be inadvertently viewed by passersby
- A billing error providing patient PHI to unauthorized parties
Examples of intentional breaches include:
- A medical practitioner or business associate accessing celebrity PHI out of curiosity
- A medical practitioner accessing PHI to use against another person for profit or other personal gain
- Information thieves stealing PHI via ransomware or other electronic attacks
- Thieves stealing unsecured physical hardware containing PHI
Not every mistake or incident of mishandling is a breach, however. To qualify as a breach, two key criteria must be met.
First, the shared information must qualify as protected health information. This includes:
- Full or partial copies of a medical record, including provider notes
- Conversations related to patient care held between patients and providers
- Conversations related to patient care held between providers about a patient
- Information about patients’ insurance plans
- Patients’ billing information
Other information held by the following types of providers may also qualify:
- Doctors, hospitals, and other direct providers
- Health care insurance providers
- Health care clearinghouses
- Third-party business associates such as billing services
Second, the information must be accessible by unauthorized parties.
For example, losing an unencrypted laptop counts as a breach. Third parties can find and access the information on that device, compromising PHI in ways that are harmful to patients.
What Is Not a Reportable Breach?
Not every incident in which PHI is accessed by or accessible to unauthorized parties counts as a breach. This is because in some cases, the data remains under the control of the covered entity and is not exposed in harmful ways.
A good example is a scenario in which an encrypted laptop containing PHI is stolen but the encryption keys are not. In that case, the thieves cannot read or use the data. No PHI is compromised, so the incident is not considered a breach.
Similarly, imagine that one medical practitioner gave the wrong patient file to another practitioner. The second practitioner reads the file before realizing the error. So long as the second practitioner keeps the information confidential, as per the rules of their employment, no harm is done and no breach occurs.
Likewise, perhaps a provider hands one patient another patient’s file. The provider recognizes the error and reclaims the file before the patient can open or read it. Since the patient was not exposed to any PHI in a compromising way, that would not count as a breach.
Understanding these differences can help providers and their staffs avoid unnecessary concern and over-reporting. Proper training is essential to clarify these differences and the best responses to them when situations arise.
What Are HIPAA Breach Notification Requirements?
HIPAA breach notification requirements are the rules that dictate what happens when a breach occurs. These rules specify:
- When notifications are necessary
- Who must be notified
- Who is responsible for notifying the appropriate parties
- How long they have to send out notifications
- What notifications must contain
- What forms of notification are allowable
Understanding each of these points is essential. Failure to comply with these requirements can result in severe penalties.
When Notifications Are Necessary
Notification of a HIPAA breach must happen when unsecured and unencrypted PHI is shared with or lost to unauthorized parties. When this happens, covered entities must:
- Notify their in-house HIPAA security authorities
- Notify the OCR
- Notify all patients they believe may be affected
- Potentially notify the media
Official OCR language dictates that notifications should go out “without unreasonable delay.” What that looks like in practice depends on several factors.
Who Is Being Notified
Covered entities must send patient notices right away, regardless of any other factors. Media notices must also go out at once, where applicable.
Covered entities have more leeway when it comes to contacting the OCR.
Entities must also notify their state authorities. Each state sets its own rules about the timing of such notification. Many states have shorter notification limits than the HHS, so it is essential that entities be aware of local laws.
The Size of the Breach
The size of the breach also plays a role.
If a breach affects fewer than 500 people, covered entities can wait until the end of the calendar year to report the incident to Health and Human Services (HHS). At that time, they can use the online reporting tool to report the breach.
If a breach affects more than 500 people, or if the breach is intentional or severe in some way:
- Covered entities must notify Health and Human Services (HHS) within 60 days
- Failure to comply with this timeline will incur extra penalties
- Covered entities must also notify local media outlets of the breach so the information can be published
Be Cautious of Delays
Regardless of the applicable time limit, entities should be careful not to delay notifications any longer than strictly necessary. Because the statute is explicit about avoiding delays, the OCR may penalize delays that entities cannot prove were necessary or appropriate.
In all cases, covered entities must notify affected patients within 60 days of discovering the breach. Notifications must:
- State that a breach of unsecured PHI occurred
- Specify what information was compromised
- Detail how the incident happened
- Explain what the covered entity is doing in response
- Explain what the covered entity will do to prevent future incidents
- Provide contact information patients can use if they have questions or concerns
- Go out in writing via first-class mail unless patients opted to receive notifications only through electronic means
Regardless of how many patients the breach affected, covered entities must notify a media outlet if they lack current contact information for 10 or more affected parties. They must provide the outlet with the same information included in patient notices.
In addition to publishing the information in the media, covered entities must conspicuously display it on their websites for no less than 90 days. This ensures that all affected patients have the opportunity to realize their PHI was compromised and respond.
When Breaches Happen via Business Associates
Sometimes, it is not covered entities themselves who compromise PHI. Instead, a business associate may be at fault.
When this happens, the business associate must report the breach and all its details to the covered entity. The covered entity must then follow all the standard reporting requirements.
Importantly, the applicable reporting time limits do not change when a business associate is the source of a breach. If the business associate delays in reporting the breach to the covered entity, the covered entity may not have enough time to meet the reporting deadlines. Fines and other penalties will then apply.
For this reason, it is critical that covered entities spell out quick turnaround times for business associates to report a breach to them. It is the only way to avoid penalties for unnecessary delays or missed reporting cutoffs.
Moreover, covered entities working with business associates operating in different states should be aware of both states’ reporting deadlines as they may be different.
In addition to establishing rules around reporting breaches, HIPAA breach notification requirements also dictate how covered entities document breaches. Entities must document all known breaches, including those that do not need reporting to the HHS. For each incident, the following information must be logged:
- Name and address of the person or persons who accessed the PHI
- A description of the PHI involved
- An explanation of what happened
Any follow-up or investigation into the situation should also be recorded. Covered entities must keep these documents for six years from the time of the incident. They must share the information with the individuals affected upon request.
What Happens if You Breach HIPAA Rules?
The OCR has a great deal of leeway in penalizing HIPAA breaches. It can impose fines of up to $1.5 million each year on any covered entity that suffers a breach. It can also publicly shame entities by publishing press releases and listing the breach on its website with the relevant details.
In most cases, however, the OCR bases the severity of its penalties on:
- How serious the breach was (e.g., the effect on patients)
- How avoidable the breach was (e.g., did the covered entity make a good faith effort to protect the information?)
- How the covered entity responded
Covered entities that can demonstrate good faith efforts to protect information tend to face lower penalties than those that cannot. Likewise, covered entities that respond to breaches promptly and appropriately tend to face fewer penalties than those that fail to notify patients and the OCR in a timely and appropriate manner.
Importantly, when the OCR applies penalties, it often does so by the day. This means that a covered entity can be fined for each additional day beyond the limit that it failed to report an incident. With fines potentially ranging into the thousands or hundreds of thousands of dollars per day, how an entity responds to a breach can be the deciding factor in how steep the penalties it faces are.
Moreover, this is true of each infraction associated with an incident. So the stronger an entity’s all-around response, the better position it is in.
Individual states also have the right to fine or otherwise penalize covered entities when breaches occur. The rules regarding when and how state authorities can impose penalties after a breach vary, and every entity should familiarize itself with the rules in the states it operates in.
In rare cases, state attorneys general may also bring civil or criminal charges against the individuals responsible for a breach.
It is critical that entities familiarize themselves with state regulations. They should also monitor them as they can and do change.
The Importance of Proper Training
With so many specific requirements and such limited timeframes, reporting can be complicated. This is why it is essential that covered entities provide the best possible training for staff. Both front-line and administrative staff need to understand the ins and outs of reporting requirements thoroughly.
Business associates, too, need training at the front-line and administrative levels. This will do more than just ensure that the right actions happen at the right time. It will also serve to demonstrate and document good faith efforts at compliance.
That, in turn, can reduce the penalties the OCR imposes in response to a breach.
Learn more about HIPAA breach notification requirements and the importance of proper training by browsing our blog. Or contact us and let our HIPAA training specialists help you choose the right training for your organization today.