What are the HIPAA breach notification requirements?

In 1996, the Health Insurance Portability and Accountability Act of 1996 was introduced. In the two decades since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry. Despite its importance, there still exist many healthcare providers and insurers who are unaware of HIPAA obligations. It has been noted that that is considerable ignorance of how to comply to the HIPAA Breach Notification Rule.

Healthcare providers and insurance companies have been criticised in recent months regarding the way they handle data breaches of patient healthcare. Affected patients have complained about the speed they have been notified that their healthcare data and personal information has been stolen, lost or divulged to an unauthorized individual. This inefficient handling of breaches is in violation of the HIPAA Breach Notification Rule.

Summary of the HIPAA Breach Notification Rule

HIPAA Rules set standards which healthcare providers and other covered entities (CEs) must follow to reduce the chance of patient data being exposed to unauthorized individuals. Even with sophisticated data security measures implemented, it is still possible for unauthorized individuals to access computer systems. No system is impervious to attack. If the affected organisation has had data relating to patient healthcare stolen, then HIPAA Rules must be followed to ensure that the patients are informed of this breach in an efficient and appropriate manner.

The steps that must be taken depend on the nature of the data compromised and the number of people affected:

Breaches Affecting More than 500 Individuals

If a data breach occurs which exposes the PHI of more than 500 individuals, the Department of Health and Human Services’ Office for Civil Rights must be notified “without unreasonable delay”, and certainly within 60 days of the discovery of the breach. The report should be made via the OCR Breach reporting web portal. Breach Notification letters must also be sent to all affected individuals; more details on how this should be done later.

Issuing Notification of the Breach to the Media

A prominent media source serving the state in which the victims are located must be alerted to a data breach affecting more than 500 individuals. This notice must be issued within 60 days of discovery of the breach.

Posting of Breach Details on the Company Website

HIPAA does not make it compulsory for information relating to the breach on the company website in all circumstances. However, if more than 10 individuals cannot be contacted due to incomplete contact information or if there is out of date contact information, a notice must be posted prominently on the company website for a period of 90 days. If the company does not wish to post this information on their website, then they must publish the information via major print and broadcast media. A Toll-free telephone number must also be provided to allow breach victims to contact the organisation with their queries.

Breaches Affecting Fewer than 500 Individuals

Data breaches involving fewer than 500 individuals require notifications to be sent to all affected individuals “without unreasonable delay”, and within 60 days of the discovery of the breach. The media does not need to be informed of these small-scale data breaches.

The Department of Health and Human Services’ Office for Civil Rights must be notified of all sub-500-record data breaches within 60 days of the start of the new calendar year. For example, breaches occurring on January 1 would not need to be reported to the OCR until March 2ndof the following year.

Business Associates and Data Breaches

Any Business Associate that discovers that they have been breached, or one of their employees is responsible for a breach, then they must notify the covered entity of the incident no later than 60 days after the discovery of the breach. Efforts should be made to identify the individuals affected as well as the data that was compromised in the incident.

Issuing of Breach Notification Letters

When a breach does occur, all covered entities, including their Business Associates, are required to notify all affected individuals that their PHI has been exposed. This must happen whether the PHI was exposed due to hacking, or unintentional circumstances such as a lost device belonging to an employee which held PHI. The HIPAA Breach Notification Rule also applies to paper records, x-ray films and all other physical records containing PHI. The loss, theft or disclosure of these records also requires the affected individuals to be notified.

Breach notification letters must be sent via first class post, unless a prior agreement exists in which individuals have agreed to receive communications via email. The notification letters – or emails – must include details of the breach, the information that was potentially exposed, a description of the actions taken by the company in response to the breach, information on the efforts made to mitigate damage or loss and the actions which can be taken by individuals to mitigate risk.

Breach Notification letters must be sent if the healthcare provider, Health Plan, Business Associate or other covered entity can show that there is a risk that PHI has been viewed, or could potentially be viewed, by an unauthorized individual. Breach notification letters can be issued without a risk assessment having first taken place, although the decision not to send notification letters should only be made after a thorough risk assessment has been performed.

The letter must include the following information:

  • The type of data exposed and the likelihood of a patient or plan member being identified from the data
  • The person who has accessed the data and to whom they have disclosed information
  • The probability of PHI being accessed, viewed and/or shared
  • The extent to which any potential damage has been mitigated

If a portable device or desktop computer has been lost or stolen, it is only considered a HIPAA breach if the PHI contained on the device, or accessible through it, is unencrypted. If the data is encrypted, then no notification needs to be sent, unless the security key was also lost or stolen.  It should be noted that password protection is not the same as data encryption. In the case of loss or theft of devices containing password protected PHI, breach notifications will still need to be issued.

Documentation of Actions Taken

All CEs must maintain a record of the actions taken following a breach, as these may be required by OCR auditors. The HIPAA Breach Notification Rule requires details of the breach notification letters that have been sent to be recorded, along with evidence that they have indeed been sent. If breach notification letters are deemed not to be necessary, the reason for this decision, along with evidence to support it, must be documented by the healthcare organisation.

Penalties for HIPAA Breach Notification Rule Violations

The failure to issue breach notification letters within 60 days of the discovery of a breach is a violation of the HIPAA Breach Notification Rule and can attract a penalty from both OCR and state attorneys general. The maximum penalty for non-compliance is $1.5 million, per violation category, per calendar year.

The HIPAA Breach Notification Rule explicitly states that notifications must be issued within 60 days of the discovery of a breach, “without unreasonable delay”. Therefore, the unnecessary delaying of sending breach notifications is also a violation of the HIPAA Breach Notification Rule. This could attract a financial penalty.

In 2017, OCR took the decision to pursue a case against Presense Health for delaying the issuing of breach notification letters. Presense Health discovered the breach on October 22, 2013, yet OCR was notified on January 31, 2014 – more than a month after the 60-day HIPAA Breach Notification Rule deadline had passed. Presense Health settled the case for $475,000.