HIPAA Breach Notification Simplified
Posted by: Chris Lyons
Breach notification is spelled out specifically in the HIPAA rule. If a Covered Entity (CE), a Business Associate (BA), or one of their service providers or third-party providers experiences an unauthorized release of a patient’s information, or if a patient’s protected health information (PHI) is accessed without authorization, it is a breach. The person responsible may be someone who provides healthcare to the patient or someone outside of healthcare provision altogether; any time someone accesses PHI without cause, that is a breach. If an employee of a healthcare organization looks at a patient’s record for any reason other than to provide direct care to the patient, that is a breach.
Breach notification is straightforward in the HIPAA CFR. Access to PHI must be only for reasons related to the provision of healthcare to the patient. HIPAA requires that any inappropriate access of PHI be reported. Breaches of fewer than 500 records are required to be reported annually, at the organization’s reporting date, to the Office for Civil Rights (OCR) and Health and Human Services (HHS). Reporting includes individual breaches, including inappropriate access by individuals for any reason. The reporting period is within 12 months of the identified breach. Additional notification requirements include immediate notification of the individuals whose PHI is compromised. A company cannot delay notifying patients of the breach until it has notified the OCR. Notification by first-class mail or by email is required for each individual record that is involved.
If the healthcare entity has outdated contact information for at least ten individuals, the entity must post notice of the breach on its website for at least 90 days from the date of discovery of the breach. Outdated information includes bad phone numbers, bad email addresses, and any other information that does not allow the healthcare company to contact the patient immediately. Alternatively, the healthcare entity can publish a notice of the breach in a major publication, along with a toll-free number that patients can call to ask the healthcare company whether their information was compromised.
Breaches of 500 or more records require a different response. In the case of a breach that involves 500 or more records, whether from internal or external sources, the company (whether a CE or BA) must send individual notifications to each patient whose information was breached, in addition to the responses stated above. Breaches of PHI at this level also require notification, within 60 days, to the OCR and HHS via the HHS website.
Requirements for Business Associates who store, process, or transmit PHI for a Covered Entity (CE) include breach notification, which is spelled out in the Business Associate Agreement (BAA) signed with the CE or BA with which the company is doing business. Breach notification is required of all CEs and BAs following the OCR/HHS requirements; in addition, BAs must report as their BAA with the Covered Entity states and requires. Usually, a CE requires its Business Associates to report breaches to it in a timely fashion, but it may also require the BA to make the report itself. In addition, the CE usually requires the BA to pay the cost of remediating such breaches.
Breach response is the responsibility of the CE, but ultimately, how a BA reports a breach is typically outlined in the requirements of the BAA it signs with the CE. For all Covered Entities, the responsibilities for reporting breaches should be spelled out in the BAA to ensure that the reporting, costs, and responsibilities for any breaches are known up front.
Chris Lyons
Sr. Security Consultant, Compliance,
GuidePoint Security
Chris Lyons, Senior Security Consultant at GuidePoint Security, began his career in the security industry in 1995. His professional experience includes conducting security assessments, specializing in HIPAA, PCI, and HITRUST. He has led and participated in security assessments throughout the world in the banking, commercial, retail, and healthcare industries.
Chris earned a Bachelor of Science degree in Business Administration from Bethel University, a Master’s in Business Administration (MBA) from the University of Phoenix, and a Master’s in Education from Liberty University. He holds several certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), PCI Qualified Security Assessor (QSA), Certified HITRUST Assessor, and Healthcare Certified Information Security and Privacy Practitioner (HCISSP).