Businesses operating in the healthcare field must protect their patients’ sensitive personal data. Companies must maintain the security and privacy of the information by the guidelines defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Failure to conform to the HIPAA standards can result in compromised sensitive data, accompanied by substantial financial penalties levied against the offending organization. This article will discuss the HIPAA requirements related to compliance with HIPAA breach notification rules if that sensitive data is compromised. We will show you who needs to send a HIPAA breach notification, when one needs to be composed, and what information must be incorporated into the document.
What is PHI?
Before delving into the specifics of HIPAA breach notification rules, let’s talk about how HIPAA defines some basic terms. Understanding these terms is a necessary precursor to discussing data breach notifications. Protected health information (PHI) and electronically stored protected health information (ePHI) are used for sensitive patient data that must be kept secure to conform with HIPAA requirements. But what exactly constitutes PHI?
PHI is any health information that can be tied to an individual. HIPAA defines 18 different identifiers used to associate an individual with healthcare information. The items that comprise PHI include:
- Names including first name, last name, and initials;
- Dates directly related to an individual;
- Phone numbers;
- Email addresses;
- Social security and medical record numbers;
- Device identifiers and serial numbers;
- Biometric identifiers.
The only difference between PHI and ePHI is how the data is stored and transferred. Information stored using physical techniques such as paper records is considered PHI. When computer systems and electronic communication are involved in storage and transmission, the sensitive data is called ePHI. We will use the terms interchangeably throughout this article. Read TBHI’s previous articles HIPAA ePHI and HHS Stresses HIPAA ePHI Security: Information Access Management & Access Control for more related information. The other two terms that are vital to a discussion of HIPAA data breaches relate to the organizations responsible for protecting PHI and ePHI and that will be involved in creating notifications if data is compromised. HIPAA defines two distinct types of organizations with responsibilities for protecting PHI. They are:
Covered Entities can be individuals or organizations that fall into one of three categories:
- Health plans including health insurance companies, HMOs, employee-sponsored health plans, and government programs such as Medicare that pay for health care;
- Clearinghouses that process nonstandard health information for other organizations;
- Providers include doctors, behavioral health clinicians, clinics, nursing homes, and pharmacies. See Am I a HIPAA Covered Entity? for more information.
Business Associates are individuals or organizations that perform activities that involve the use or disclosure of PHI on behalf of a converted entity. In some cases, a covered entity can be a business associate of another covered entity. Examples of business associates include:
- Third-party administrators who help a health plan process claims;
- Attorneys may have access to PHI when performing legal services for a covered entity.
- Consultants performing utilization reviews for a healthcare facility;
- Independent medical transcriptionists who provide services to a doctor.
See TBHI’s articles HIPAA Business Associates and Business Associate: How to Vet Behavioral Health Business Associates To Comply With HIPAA. Now that we have defined these terms let’s look at how and when HIPAA breach notifications must be sent.
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires HIPAA-covered entities and business associates to provide notification after a breach of unsecured protected health information. This notification would imply that the ePHI had not been adequately protected to make it unreadable and unusable by unauthorized entities. The accepted methods of protecting ePHI involve encrypting the data and destroying it effectively. A data breach is defined as unauthorized use or disclosure that compromises the privacy and security of ePHI. Breach exceptions can be made when disclosure was inadvertent and does not lead to the ePHI being further compromised.
While all instances of compromised ePHI need to be avoided when possible, there are cases where the affected organization may not need to adhere to the notification requirements. If the covered entity or business associate can perform a risk assessment that demonstrates a low probability that the ePHI has been compromised, they can avoid sending notifications. The risk assessment must consider these factors:
- The ePHI involved in the breach, including the specific identifiers involved and the probability they can lead to the identification of individual patients;
- The identity of the unauthorized actor who had access to the ePHI;
- If the ePHI was acquired and viewed by unauthorized entities;
- The extent to which any risks to the ePHI have already been mitigated.
Organizations can opt to immediately proceed with a breach notification without performing a risk assessment when faced with ePHI that has potentially been compromised. In situations where it is obvious the results of a risk assessment will still require notification, it’s best to get on with it as soon as possible.
How to Compose a HIPAA Breach Notification
When a HIPAA-covered entity or business associate experiences a data breach, there are specific steps they are required to perform to notify all affected individuals and organizations. The following notices must be made applicable in the wake of a breach of ePHI.
1. HIPAA Breach Notification Notice for a Covered Entity
Business associates must inform the covered entities with which they work that a breach has occurred within 60 days of its discovery. This notification allows the covered entity to make notifications they feel are necessary. In many cases, the length of time a business associate has to notify a covered entity is shortened to allow a more timely response to a data breach.
2. HIPAA Breach Notification Notice for Individuals
Covered entities must notify individuals without unreasonable delay, which cannot be more than 60 days after discovering a breach. Notices must be sent by first-class mail and contain specific information regarding the breach. The notice must include:
- The date of the breach itself and when it was discovered;
- Details on the type of unsecured ePHI affected by the breach;
- Descriptions of the covered entity’s plans to investigate and mitigate the breach to ensure it doesn’t happen again;
- Actions the individual should take to protect against potential harm caused by the breach of their ePHI;
- Procedures the individual can take to obtain more information from the covered entity.
3. HIPAA Breach Notification Notice for HHS
US Department of Health and Human Services needs to be notified of in-scope data breaches. The time requirements for this notification are based on the number of individuals affected by the breach. If the breach impacts less than 500 individuals, notification to HHS can be made by a covered entity within 60 days of the end of the calendar year. If more than 500 individuals are involved, HHS must be notified when the covered entity notifies the individuals.
4. HIPAA Breach Notification Notice for the Media
Breaches that involve more than 500 individuals in a state need to be reported to local media within 60 days of discovery. Covered entities must retain documentation on breach notification and analysis for six years. Unauthorized disclosures also need to be recorded in a log that tracks disclosures, whether they are reportable or not. Covered entities and business associates must take note of state breach reporting requirements that they must make in addition to HIPAA-mandated notifications.
Data breaches involving ePHI are never pleasant for the organizations being breached or the individuals whose sensitive information has been compromised. Covered entities and business associates need to make the appropriate notifications as soon as possible to minimize the harm caused by the breach of sensitive data. It’s a necessary first step in rebuilding trust in their ability to protect their customer’s valuable ePHI. See TBHI’s more articles related to HIPAA data breaches below.
- Upcoming HIPAA Breach Notification Rule Deadline
- Data Breach: Average Cost of Data Breach Increases
- HIPAA Breach: How to Encrypt Your Computer to Avoid HIPAA Breach Notification Requirements
- The HIPAA Breach Notification Rule Deadline Approaching
Atlantic.Net Contributed this Article
Need a HIPAA-compliant hosting solution? Atlantic.Net can help!
HIPAA Compliant Cybersecurity: Practical Implementation Tips
Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.