HIPAA Breach Notifications – The Ultimate Guide
What is a HIPAA Breach?
A HIPAA Breach is defined as “the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) which compromises the security or privacy of such information.”
For a HIPAA Breach to have occurred, there must have been an “unauthorized” acquisition, access, use, or disclosure of PHI. In other words, if someone who is not authorized to view PHI views it, that is considered a HIPAA Breach.
Examples include, but are not limited to:
- Losing a laptop or other electronic device that contains PHI
- PHI being viewed by someone who is not authorized to do so
- PHI being stolen or taken without authorization
- Emails containing PHI being sent to the wrong person
- PHI being posted on a website or social media platform
If you have experienced a HIPAA Breach, it is important to take action immediately in order to mitigate any potential damage. The first step is to contact the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR will then work with you to determine the next steps to take.
It is also important to contact your local law enforcement in order to file a report. This will help to ensure that the individual who committed the breach is held accountable for their actions.
If you have any questions or concerns about HIPAA Breach notifications, please contact the OCR at 1-800-368-1019 or visit their website at hhs.gov/ocr. As we continue in this post, we will try to answer most if not all of your questions.
What Are The HIPAA Breach Notification Requirements?
The HIPAA Breach Notification Rule requires covered entities to provide notification following a breach of unsecured protected health information. A breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of such information.”
There are three main notification requirements under the HIPAA Breach Notification Rule:
- Notice to the individual: Individuals must be notified of a breach “without unreasonable delay” and no later than 60 days following the breach’s discovery.
- Notice to the Secretary: HHS must also be notified of a breach “without unreasonable delay” and no later than 60 days following the breach’s discovery.
- Notice to the media: If a breach affects 500 or more individuals, the covered entity must notify “prominent media outlets” of the breach.
A HIPAA breach notification letter must contain the following information:
- The name and contact information of the individual who is responsible for the notification
- A description of the breach, including the date of the breach and the date on which it was discovered
- The number of individuals affected by the breach
- A description of the type of information that was involved in the breach
- Steps that individuals can take to protect themselves from potential harm
- A description of what the covered entity is doing to investigate the breach and prevent future breaches
It’s important to understand that these requirements are only the minimum that must be met. Covered entities are encouraged to provide more information if it would be helpful to the individuals affected by the breach. Failure to comply with the notification requirements can result in significant penalties.
When Are Notifications Necessary?
When it comes to sharing PHI, covered entities must tread carefully to avoid HIPAA breaches. Unsecured and unencrypted PHI must never be shared with or lost to unauthorized parties, as this could lead to a whole host of problems. If such a breach does occur, covered entities must take immediate action.
They must notify their in-house HIPAA security authorities, as well as the OCR. They must also notify all patients they believe may be affected by the breach. In some cases, they may even need to notify the media. Obviously, it’s best to avoid such a mess entirely. But if a HIPAA breach does occur, prompt notification is essential for mitigating the damage.
The OCR wants HIPAA breach notifications to go out “without unreasonable delay,” which is somewhat vague wording. However, OCR does state that covered entities have up to 60 days to notify patients of a breach, provided they have a good reason for the delay.
For example, if the covered entity needs to gather more information about the breach before sending out notifications, it may take up to 60 days. But if it doesn’t have a good reason for the delay, it may be subject to penalties. Ideally, HIPAA breach notifications should go out right away.
Also, the timeframe for sending out notifications depends on who is being notified and the size of the breach itself. For example, if the covered entity needs to notify more than 500 people of a breach, it must do so within 60 days. But if the breach affects fewer than 500 people, covered entities are allowed to wait until the end of the calendar year to send their report to the Department of Health and Human Services (HHS).
HIPAA Breach Notification for Patients
If you’ve been affected by a HIPAA breach, don’t worry – you’re not alone. As we’ve discussed, covered entities are required to notify all affected patients after discovering the breach. HIPAA breach notification letters to patients must include:
- A statement that a breach of unsecured PHI occurred
- Details about what information was compromised
- An explanation of how the incident happened
- Information about what the covered entity is doing in response
- Details about what the covered entity will do to prevent future incidents
- Contact information patients can use if they have questions or concerns
Notifications are sent in writing via first-class mail unless patients have opted to receive them only electronically. If you have any questions or concerns, be sure to reach out to the appropriate contact listed in your notification.
In addition, covered entities have to display clear information on their website about the recent HIPAA breach for a minimum of three months. This, in addition to the letters, gives all patients the ability to easily find out about the incident and what steps are being taken to mitigate the damage.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule is a set of regulations that dictate when and how covered entities and their business associates must report any breaches of unsecured electronic protected health information.
A breach is defined as any impermissible use or disclosure of such information, and is presumed to be a breach unless the covered entity or business associate can prove otherwise through a risk assessment. HHS’s guidance on the matter provides further clarity on what constitutes a breach, as well as what steps need to be taken in the event that one occurs.
Ultimately, the goal of the HIPAA Breach Notification Rule is to ensure that individuals affected by a breach are notified in a timely and appropriate manner, so that they can take steps to protect their health information from further potential harm.
Risk assessments for HIPAA breach notifications can be a tricky business. After all, covered entities have to weigh the risk of disclosing protected health information against the risk of notifying people about a potential breach. On one hand, they don’t want to cause a panic by disclosing too much information. On the other hand, they don’t want to downplay the seriousness of a potential breach. So how do entities strike the right balance?
The key is to consider the specific situation and the protected health information involved, the unauthorized individual involved, and whether the information was actually received or seen at all. Additionally, they should consider the extent to which the risk has been mitigated. By taking all of these factors into account, entities can make an informed decision about whether or not to notify people about a potential HIPAA breach.
What Happens if You Breach HIPAA Rules?
If you are a covered entity or business associate and you fail to comply with the HIPAA Breach Notification Rule, you could be subject to civil and/or criminal penalties. These penalties can include:
- Fines of a minimum of $50,000
- Criminal charges
- Imprisonment (very likely)
The severity of punishment is dependent on the nature and extent of the violation, as well as whether or not it was committed knowingly. Obviously, willfully violating HIPAA rules is going to result in much harsher penalties than an accidental breach. But accidental breaches can’t be ignored either and can result in significant punishment.
Therefore, it’s important for covered entities and business associates to take the HIPAA Breach Notification Rule seriously and make sure they are in compliance.
In addition, covered entities and business associates can be subject to civil penalties and fines every year for each violation. The best way to avoid these penalties is for entities to make sure that they have adequate security measures in place to protect electronic protected health information, and that they have a robust breach notification process in place in the event that a breach does occur.
The HIPAA Breach Notification Rule is an important set of regulations that covered entities and business associates need to be aware of. By understanding the Rule and taking steps to comply with it, entities can avoid costly penalties and fines. Additionally, they can help to ensure that individuals affected by a breach are notified in a timely and appropriate manner.
There are a few things covered entities and business associates can do to help prevent HIPAA breaches, including:
- Educating employees on HIPAA and security best practices
- Implementing strong physical, technical, and administrative security measures
- Regularly monitoring and auditing systems for vulnerabilities
- Having a robust incident response plan in place
- Testing the incident response plan on a regular basis
- Following up with the individual to ensure that they have received the notification
Some common mistakes made in breach notification letters include:
- Not including all of the required information
- Including incorrect or outdated information
- Failing to proofread the letter
- Notifying the individual by an unauthorized method
- Mailing the notification to the wrong address