The HIPAA Breach Notification Rule: Your Responsibilities
HIPAA protects patient information’s privacy and sets standards for how covered entities and their business associates should handle any impermissible use of information.
Do you understand your role as a covered entity if patient information is compromised? Read on to learn more! You should also check out our full training on HIPAA, a video-based course.
Table of Contents
The HIPAA Breach Notification Rule, Summarized
The HIPAA Breach Notification Rule is in place to help consumers keep their personal health records private. The rule requires that HIPAA-covered entities report any breach of unsecured protected health information or PHI.
What is protected health information? It refers to information in the medical records that can identify a patient. It includes:
- The patient’s full name, address, or identifiable contact information.
- The patient’s social security number.
- Full-face photographs and biometric data.
- Other personally identifiable information like the VIN of a patient’s vehicle or the IP address of the patient’s computer.
Aggregated medical data, like for a clinical trial, is not considered unsecured protected health information since any personal identifiers are removed.
What Constitutes a Data Breach?
A breach refers to an “impermissible use or disclosure” of unsecured protected health information. This can be data accessed by an unauthorized person, whether an employee or a third party. It could also be ransomware or other cyber attack.
The text of the rule contains a several-factor risk assessment to see if a security incident qualifies as a data breach. These factors include:
- The likelihood that there will be re-identification through the PHI accessed
- Who accessed the PHI and their role in the covered entity or business associate?
- Whether the PHI was viewed or downloaded.
- How significantly you’ve mitigated the PHI access?
The rule is written to assume impermissible use or disclosure of PHI is a data breach unless your organization’s risk assessment can demonstrate otherwise.
You will also need to assess how many people were affected. Breaches affecting fewer people generally carry less rigorous reporting requirements.
What Are the 3 Exceptions to the Definition of Breach?
Not all unauthorized or impermissible use or disclosure of PHI qualifies as a breach. There are three main exceptions:
- Unintentional Access/Use – Known as the “good faith belief” exception, this occurs when an authorized person mistakenly accesses PHI in the course of their job duties.
- Inadvertent Disclosure is when an authorized person in the covered entity or business associate accidentally shares PHI with another authorized individual.
- Inability to Retain – If an unauthorized person accesses PHI but is unable to retain it, it doesn’t qualify as a data breach. If a patient file is open on the computer in an exam room, but an unauthorized person doesn’t notice it, it may not be a breach.
What Are Covered Entities and Business Associates?
A covered entity refers to organizations directly covered by HIPAA. Covered entities, healthcare plans, healthcare clearinghouses, and providers are examples.
Business associates are firms employed by a covered entity that may need to access or could inadvertently access PHI.
The tasks a business associate performs vary. They could be an IT firm with access to PHI on a clinic’s server or a lawyer who may need to access PHI as part of legal representation.
A covered entity must have a BAA, or business associate agreement, with all of its business associates. This agreement should outline the privacy standards and training the business associate has.
The agreement should also outline the notice the covered entity requires from the business associate to ensure the HIPAA breach notification is given within the required timeline.
When to Notify Covered Entities
After you have performed your risk assessment, how do you notify affected individuals?
As a covered entity, you have three main responsibilities when it comes to providing breach notifications.
HIPAA says a covered entity must notify anyone reasonably believed to have had their PHI accessed “without unreasonable delay” or within 60 days of the discovery of the breach. Your state law may have an even shorter timeline for breach notifications.
You must send a HIPAA breach notification letter through first-class mail explaining, in plain language:
- A brief description of how the HIPAA breach occurred and how the protected health information involved was accessed.
- What information was exposed to unauthorized persons or taken?
- A brief description of what the covered entity or business is doing to mitigate harm to the victims.
- How the victims can protect themselves from harm (i.e., Getting a credit report or updating passwords).
- A toll-free phone number, physical address, and email address victims can contact for more information.
The first-class mail should be sent to the patient’s last known address. Such notices may be sent by email instead if a victim has opted into electronic communication.
You must also inform the HHS (Department of Health and Human Services) about data breaches, though the exact timeline depends on the number of affected individuals.
In the event of a breach affecting over 500 people, Covered entities must follow the same 60-day timeline for notifying HHS. Where a breach affects fewer than 500 patients, you need to let the HHS know within 60 days of the end of the calendar year when the breach was discovered.
Covered entities can report a breach through the HHS website.
Many covered entities follow the other HIPAA breach notification requirements but neglect to make a media notification, as the rule requires
For data breaches that affect more than 500 people, you must report the breach to prominent media outlets serving the area where breach victims reside. The media notice must be given “without unreasonable delay” or within 60 days of discovery of the breach.
Appropriate media outlets include major print publications or broadcast media outlets serving the geographic location where victims are thought to live. Blogs and social media typically don’t qualify as prominent media outlets, though a covered entity may also choose to use them for additional notification.
A press release sent to the media should contain most or all of the information contained in the individual notices.
Provide Substitute Individual Notice
Should a covered entity not have current address information and be unable to provide individual notices for 10 or more affected people, they must post a substitute breach notice on their website. This substitute notice should be prominent and easily accessible through the organization’s home page.
This notice must remain on the site for 90 consecutive days.
In cases where a covered entity lacks address info on fewer than ten people, substitute individual notice may be given through telephone calls or a written notice posted at the organization.
Timeline to Provide Notice
With breach notification rule requirements, the number to remember is 60. For data breaches involving more than 500 people, you must let affected individuals, the HHS, and the media know within 60 days of discovering the breach.
However, you may have an even shorter notice period with such breaches, depending on state law.
Requirements for a HIPAA Business Associate
A covered entity must obtain a written agreement from a business associate outlining how to ensure proper privacy protection. This agreement should also outline what a business associate will do if a breach occurs.
There should be a timeline for the business associate to notify covered entities in case of a breach. HIPAA only mandates that the business associate notify the covered entity within 60 days, though most agreements have a shorter timeline of closer to 15 days.
You may want to establish a review period with an associate so you don’t miss any reporting deadlines around the end of the calendar year.
A covered entity must take reasonable steps to protect PHI, mitigate harm, and prevent further breaches. This may involve terminating the contract with a business associate that doesn’t abide by the written agreement.
The covered entity is ultimately responsible for any unauthorized access to protected health information or breach of unsecured data.
State Law for Unsecured Protected Health Information
State law may set regulations and breach notification requirements above and beyond HIPAA for a covered entity or business associate.
For instance, in California, patients must give specific authorization before PHI is shared with business associates.
Colorado requires breach notifications be sent to affected individuals and the state attorney general within 30 days.
Covered entities and business associates need to make sure that they are following state law in addition to what HIPAA requires.
Current and Future Changes to HIPAA Breach Notification Requirements
Updates to HIPAA took effect in the beginning of 2023. These changes require a covered entity to verify the identity of someone asking for PHI. Covered entities also have a broadened scope for disclosing PHI in the event of a threat to patient or community health and safety.
Several bills before Congress have also proposed shortening the notification rule in case of a cyberattack. While nothing has passed into law as of yet, covered entities and business associates need to keep abreast of any changes to the HIPAA breach notification rule.
Penalties for Violation of Breach Notification Requirements for a Covered Entity
Penalties for HIPAA violations can vary quite a bit depending on the harm caused, the presence or absence of malicious intent, and the mitigation actions taken. Violations can be administrative, civil, or criminal.
Administrative violations are generally the least serious and are investigated by the Centers for Medicare and Medicaid Services (CMS). Though CMS has the authority to assess fines, they have only issued corrective actions as of 2023.
The minimum fine for a civil HIPAA violation is $127 for every violation and the maximum fine for breaking the breach notification rule is $1,500,000. The fee could be even higher if the covered entity waited more than 12 months to report the breach.
For an administrative or civil violation, you will likely be required to show what your organization is doing to prevent future breaches.
Civil violations are investigated by the HHS Office for Civil Rights (OCR). If the OCR feels an offense rises to the criminal level, they refer it to the Department of Justice for potential prosecution.
The minimum fine for a criminal violation is $50,000 and can rise as high as $250,000. Covered entities may also need to make restitution to the victims. Individuals charged may face jail time of up to 10 years.
The Federal Trade Commission (FTC) has similar requirements for vendors and third-party service providers to provide notice in the event of a breach of unsecured protected health information.
Keep Up to Date on HIPAA
HIPAA-covered entities need to understand the ins and outs of the rules, stay abreast of any changes, and develop a breach notification process. Dealing with unsecured protected health information isn’t easy.
Ensure you and your business associates stay on top of HIPAA and receive constant training.
The three types of violations are administrative, civil, and criminal. Administrative is the least serious and is typically handled by corrective action, while civil sanctions can involve fines, and criminal ones can involve both fines and jail time.
Data breaches are reportable events that may or may not be because of a violation. Violations are not reportable in the same way.
Under the exceptions regarding breaches, a “good faith belief” generally requires an individual acting within the scope of their duties to commit an error while carrying those duties out.
Covered entities must provide individual notice to people affected by a breach without unreasonable delay (within 60 days unless another state rule applies). This notification should contain information on what happened, what personal information was exposed, and how the covered entity is working to mitigate harm. You must also provide substitute notice to people you do not have a current address for. This is often a notice on your website.
It will be investigated after you report a breach to the Department of Health and Human Services. You may or may not be found to have violated HIPAA.