HIPAA Breach Notification Rule

When you think healthcare and cybersecurity, the first things that come to mind are probably HIPAA, or WannaCry. And that’s for good reason – almost half of all ransomware incidents reported last year targeted healthcare companies.

It’s ongoing healthcare cyber events like these that are making the HIPAA Breach Notification Rule more important than ever before. It’s not just a hypothetical – you need to know what’s expected of you in the event that you experience a breach.

Are you confident that you do?

What Is The HIPAA Breach Notification Rule?

According to the AMA:

“HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI.

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.”

In layman’s terms, this rule details who you must notify, and how, in the event that your patients’ PHI is breached. It could be a matter of making a public announcement on your website, or reporting to the media, or issuing breach notification letters to Business Associates.

What Is Your First Move When You Suspect A Breach Has Occurred?

The first step you need to take is to determine the extent of the breach, and specifically, whether any PHI was accessed. There is always the chance that, because of the security measures you have in place, or the limited ability of the malicious third party, no PHI was accessed or exposed during the incident. If that’s the case, then the breach notification rule does not apply.

The best way to find out for sure is to conduct a risk assessment, which needs to determine:

    • Whether your PHI was acquired or viewed
    • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
    • The identity of the unauthorized person(s) who used the PHI or to whom the disclosure was made
    • The extent to which the risk to the PHI has been mitigated by the covered entity

With this information, you can then figure out your next step – if PHI was breached, then you know you’re subject to the breach notification rule.

What About Notification?

In the event that PHI has been breached, you’ll then need to figure out who needs to be notified, in what manner, and within what timeline.

The three entities you’ll be notifying include:

    • Victims
    • Media
    • Regulators

The baseline rule is that those affected by the breach must be informed of it within 60 days of the date you discovered it.

However, this timeline can be affected – for example, if law enforcement requires additional time to investigate, and it determines that notification would impede its efforts, the deadline can be extended.

What Does The Notification Need To Include?

Sent by first-class mail or email, the notification must include:

    • Description of the breach
    • Description of the types of information involved in the breach
    • Steps breach victims should take to protect themselves from harm
    • Description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
    • Contact information for the covered entity

However, if you have out-of-date or incomplete contact info for 10 or more victims, you must post the notification on your website for 90 days, and set up a toll-free number that victims can call for further information.

If the breach affects more than 500 victims, you must notify prominent media outlets in the state in which those victims are likely to reside.

Lastly, when it comes to regulators, you must notify OCR according to the number of victims:

    • Fewer than 500 victims: OCR must be notified on an annual basis
    • More than 500 victims: OCR must be notified within 60 days of discovery

What About Business Associates?

The contract between you and any Business Associates needs to detail which entity is responsible for notification. While it is ultimately your responsibility, you may have a Business Associate Agreement that states otherwise. There are also cases in which the responsibility is shared.

What’s The Best Way To Avoid A Breach?

So far we’ve only talked about what to do when you discover a breach has occurred. While it’s important that you understand these processes, and assume that you’ll likely experience a breach at some point, it’s also prudent to talk prevention.

The best way to protect your PHI is with encryption. In layman’s terms, encrypted data is scrambled into a form that is meaningless if intercepted. It is one of the most efficient ways to secure a database, given that decryption can only occur through a key, which is essentially a “secret password”. This also means keeping your encryption software up to date, so that private information is only accessible through the database program that holds the key.

Encryption technology is a great way to protect important data. By making data unreadable to anyone who isn’t supposed to have access to it, you can secure files stored on your systems, servers, and mobile devices, as well as files sent via email or through file-sharing services.
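The two paragraphs above describe encryption in general terms; the following Go program, added here as an illustration and not taken from the original article, shows what “only readable with the key” looks like in practice for a single PHI record stored at rest. It uses AES-256-GCM from the Go standard library, binds a record identifier to the ciphertext so a blob cannot be silently swapped between patients, and fails closed on a wrong key or any tampering. The key handling is deliberately simplified: the key is generated in memory, whereas a deployment would hold it in a key management service or HSM separate from the database. The sample record and the record ID are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrCiphertext is returned when a stored blob is too short to hold a nonce
// plus a GCM tag; authentication failures from Open are returned unchanged.
var ErrCiphertext = errors.New("phi: malformed ciphertext")

// NewPHIKey returns a fresh 256-bit AES key. In a real system the key lives in
// a KMS or HSM, never beside the data it protects (assumption for this demo).
func NewPHIKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals one PHI record with AES-256-GCM and returns
// nonce || ciphertext || tag. recordID is bound as additional authenticated
// data, so the blob decrypts only for the record it was written for.
func EncryptPHI(key, recordID, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce in one buffer.
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// DecryptPHI reverses EncryptPHI. A wrong key, a wrong recordID, or a single
// flipped bit in the blob yields an error rather than garbage plaintext.
func DecryptPHI(key, recordID, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, ErrCiphertext
	}
	return aead.Open(nil, blob[:ns], blob[ns:], recordID)
}

func main() {
	key, err := NewPHIKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"Jane Doe","dob":"1970-01-01","dx":"E11.9"}`)
	id := []byte("record-0001") // hypothetical database row identifier

	blob, err := EncryptPHI(key, id, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes and carries no readable PHI\n", len(blob))

	plain, err := DecryptPHI(key, id, blob)
	fmt.Printf("decrypt with the right key: %s (err=%v)\n", plain, err)

	other, _ := NewPHIKey()
	_, err = DecryptPHI(other, id, blob)
	fmt.Printf("decrypt with a wrong key: err=%v\n", err)

	blob[len(blob)-1] ^= 0x01 // one bit of the stored blob altered
	_, err = DecryptPHI(key, id, blob)
	fmt.Printf("decrypt after tampering: err=%v\n", err)
}
```

Two design points matter for a PHI store. First, GCM is authenticated encryption, so an attacker who alters a stored blob (or the database operator who copies one patient’s blob into another row) gets an error on decryption instead of plausible-looking data; the record ID passed as additional authenticated data is what makes the row-swap detectable. Second, the nonce is random per record and stored with the blob, so two identical records never produce identical ciphertext.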