Navigating HIPAA’s Breach Notification Rule Following A Breach

Adam J. Appleberry, Esq., (412) 594-5532, aappleberry@tuckerlaw.com

In light of the ongoing investigation of Change Healthcare’s ransomware attack that resulted in the improper disclosure of thousands of individuals’ PHI, now seems like a perfect time to discuss HIPAA’s requirements surrounding the notification process following a breach. Whether it’s a small breach where someone in your organization accidentally sent a patient’s contact information to the wrong individual, or a large breach where your system has been hacked and all your patient records have potentially been exposed, the Department of Health and Human Services lays out clear guidance for your next steps.

What is a breach?

Before diving into the required process following a breach, it may be helpful to discuss what is considered a breach in the first place.

Under the Breach Notification Rule, a breach has taken place when there is an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether or not a breach has occurred can be determined by a risk assessment that evaluates:

• the nature and extent of PHI involved;
• the unauthorized individual who used or gained access to the PHI;
• whether an unauthorized individual actually acquired or viewed the PHI; and
• the extent to which the covered entity or business associate reduced the PHI exposure risk.

Unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised, any impermissible use or disclosure of PHI is presumed to have been a breach.

The rule does provide for three exceptions to this definition:

• If an employee or authorized individual unintentionally, but in good faith and within their scope of authority, accesses or uses the PHI;
• If the PHI is disclosed to an individual who is not authorized to access that particular individual’s PHI but is authorized to access PHI in general; or
• If the covered entity has a good faith belief that the unauthorized person to whom the PHI was disclosed would have not been able to access or retain the information.

Notification Requirements

When a covered entity determines that a breach has occurred, the covered entity must provide notification to (1) the individual, (2) the Department of Health and Human Services, and (3) in some situations, the media.

Individual Notification

The individual must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.

In the notification, the individual must be provided:

• a brief description of the breach;
• a description of the types of information that were involved in the breach;
• the steps the individual should take to protect themselves from potential harm;
• a description of what the covered entity is doing to investigate the breach; and
• contact information for the covered entity.

This notification must be provided in the form of first-class mail but can be sent via email if the individual has agreed to receive such notices electronically. In the event that the covered entity is unable to contact 10 or more individuals affected by the breach, the covered entity must substitute the individual notice by either posting the notice on its website for a minimum of 90 days or by providing the notice in the media where the affected individuals likely reside. In these instances, the covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can call to learn if their information was involved in the breach.

When a business associate is responsible for the breach, the covered entity remains the party responsible for providing notification to the individuals affected. In these situations, the business associate must notify the covered entity within 60 days.

Department of Health and Human Services Notification

The process for notifying the Secretary of the Department of Health and Human Services can be completed online on the HHS website (click here).

In breaches that affect 500 or more individuals, the Secretary must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.

In breaches that affect less than 500 individuals, the notification requirement only needs to occur annually but no later than 60 days after the end of the calendar year in which the breach is discovered.

The Department of Health and Human Services maintains a list on its website of recent HIPAA breach cases under investigation (click here).

Media Notification

In situations where 500 individuals or more are affected by a breach, the covered entity must provide notice to the prominent media outlets covering the region where the affected individuals likely reside. This notice can be provided in the form of a press release, must include the same information as required for notifying the individuals, and must be provided without unreasonable delay but no later than 60 days following the discovery of the breach.

Conclusion

Navigating HIPAA compliance can be a confusing and burdensome task – we are here to help. If you’ve had a breach and are questioning what your next steps should be, or if you have a general question about how to better align your practice’s processes with HIPAA’s compliance requirements, please reach out at aappleberry@tuckerlaw.com or (412) 594-5532.