Understanding the HIPAA Breach Notification Rule


What Entities Need to Understand About the HIPAA Breach Notification Rule

With Electronic Health Records (EHR) becoming a healthcare industry standard, information security becomes highly critical to protect health records from unauthorized use and disclosure. If a breach of unsecured protected health information should occur, it’s important to inform the affected individuals and regulators about the breach. The HIPAA Breach Notification Rule provides guidelines and requirements for providing notice. While most entities understand the notification requirements, organizations that have not experienced a data breach may lack a good working knowledge of HIPAA Breach Notification Rule compliance.

HIPAA Breach Notification Rule

Unsecured protected health information (PHI) is information in any form, whether paper, verbal, or electronic, that has not been rendered unreadable, unusable or illegible to unauthorized persons. A breach is considered to have occurred if there was an impermissible disclosure of PHI to an unauthorized person(s). Unauthorized disclosure will not be considered a breach of unsecured PHI has been properly “de-identified,” and thus is exempted from notification mandates. Covered entities or business associates must stay in compliance with the HIPAA Breach Notification Rule by conducting a risk analysis to determine if the unsecured PHI has been compromised. This involves taking into account the nature and extent of the PHI, the individual(s) who gained unauthorized access to PHI, whether the information was acquired or viewed, and the extent to which the covered entity has mitigated the risk.

If a HIPAA covered entity discovers a breach of unsecured PHI, it must provide notification to individuals affected by the breach, the Secretary of Health and Human Services (HHS), and in some instances, the media, as stipulated under 45 CFR § 164.400-414. If a breach occurs at or by a business associate, they must equally notify covered entities.

As provided by the HIPAA Breach Notification Rule, notification of a breach of unsecured PHI must be provided to all affected individuals in writing form by first-class mail or e-mail. If there’s out-of-date or insufficient information for 10 or more individuals, substitute individual notice must be provided by either posting the notice on the website for at least 90 days or by using broadcast media or major print where the affected people likely live. If the breach has affected fewer than 10 individuals, an alternative form of notice, such as telephone, may be used. The notification should have a brief description of the breach, the type of information involved, steps taken by the covered entity in investigating the breach, and the steps that should be taken by affected individuals to protect themselves from potential harm.

Notifications Depending on the Number of Affected Individuals

The HIPAA Breach Notification Rule requirements vary based on the number of individuals affected, usually 500 or more individuals or fewer than 500 individuals. If there’s uncertainty about the number of affected individuals at the time of submission, an estimate should be provided, and if additional information is discovered, the covered entity should submit the updates as they come in.

If 500 or more individuals are affected by a breach of unsecured protected health information, a covered entity must send a notification to the Secretary no later than 60 days from the discovery of the breach, and without unreasonable delay. Conversely, if fewer than 500 individuals are affected by the breach, the entity must submit the notice to the Secretary on an annual basis.

Administrative Requirements for the HIPAA Breach Notification Rule

Covered entities and their business associates bear the burden of proving that all notifications have been provided, or that a breach did not occur following the unauthorized access. Thus, the entity should maintain documentation to demonstrate that all required notifications were made, or documentation to show that a breach never occurred and thus, notification was not required. In the case where the covered entity believes there was no breach, it should provide its risk assessment showing that there’s a low risk that the PHI was compromised.

Contact SCA to Learn More About HIPAA Breach Notification Rule

Security Compliance Associates (SCA) has many years of experience in delivering risk assessment and information security compliance services to healthcare organizations. If your business has experienced a breach, we can assess your people, processes and technology to help mitigate risks and reduce the likelihood of a breach while helping you stay in compliance with HIPAA Security, Privacy, and Breach Notification rules.

Contact SCA today at (727) 571-1141 to schedule a no-cost consultation.