HIPAA Breach Reporting
What is HIPAA Breach Reporting?
Despite the best efforts of healthcare employees and the use of advanced data security systems, patients’ protected health information (PHI) is sometimes exposed to people, companies, or other organizations outside the designated group of users approved to access it. This event is referred to as a breach, and it triggers a HIPAA breach reporting requirement for the affected organization.
In addition to reporting the breach to Department of Health and Human Services (HHS) officials, the organization is responsible for directly contacting every affected individual to inform them of the breach. This is most often done through a direct mailing.
When to Report a HIPAA Breach
The Department of Health and Human Services dictates strict time frames for reporting a HIPAA security breach, notifying federal government officials, and providing assistance to individuals whose information may have been exposed in the breach.
Once an organization becomes aware of an incident that has exposed patients’ information, it must send notifications to those patients within 60 days. Without a plan in place ahead of time, executing HIPAA breach reporting affordably, securely, and within the required time window can be difficult. A trusted direct mail partner like Spectra, which is itself SOC 2 Type 1 HIPAA compliant, is an essential resource in these situations.
Exceptions to the Definition of a Breach
A HIPAA privacy breach nearly always requires the organization to conduct a mail campaign notifying all affected individuals. The only exceptions are cases in which PHI is accidentally exposed to other people within the same organization who are themselves authorized to access the information in question. In such cases the PHI is not considered to have been revealed to potential “bad actors” who are not approved to view it.
HIPAA breach reporting requirements can also be affected if the PHI is exposed in encrypted form, that is, if the information cannot be accessed without a key that only the holders of the PHI can provide.
Breach Risk Assessment
One of the most important stages in responding to a HIPAA security breach is assessing the extent of the damage to individuals’ privacy. The organization must determine, to the best of its ability, exactly which pieces of information were exposed, who may have gained access to them, how the information may have been used or could be used in the future, and whether measures have been taken to reduce the harm caused by the breach.
Once the particulars of the HIPAA privacy breach are established as specifically as possible, the organization is able to create, print, and mail notifications to all required individuals.
HIPAA Breach Notification Rule
HIPAA guidelines include the Breach Notification Rule, a set of requirements that makes clear the responsibilities of an organization (most often a healthcare facility such as a private medical practice, a clinical trial recruitment agency, or a hospital system) that has been struck by a HIPAA security breach.
The Breach Notification Rule explains how an organization must respond to such a breach, what to consider before notifying HHS and affected individuals, what the notifications must include, the applicable time frames, and other important details. In some cases, the guidelines even require the organization to inform the media of the breach so that affected individuals have the opportunity to learn of it and respond appropriately.
What is Considered a HIPAA Privacy Breach?
Healthcare organizations that communicate with members and patients about their protected health information on a regular basis are always required to follow HIPAA protocols when doing so. Any use of PHI outside of those guidelines is likely to create a privacy breach, as it places information in a realm where it is not guarded by data security protocols and can be viewed by unapproved actors.
Those actors may be innocent recipients who intend no harm, such as an individual who receives an email meant for someone else. However, they could also be hackers seeking to profit from the unlawful use of PHI.
HIPAA Breach Report Assistance
Spectra is an expert in HIPAA breach reporting, with HIPAA-certified data security practices in place throughout the direct mail process. We can help your healthcare organization print and mail notifications to every individual on your list within the required time frame, using highly secure methods including pressure seal mailers.
Spectra’s Charleston Fulfillment Center
Get in touch with us today to find out more about how Spectra’s Fulfillment Services Center and Warehouse in Charleston can help.