A Breach in the Hull: HIPAA Breach Notification Requirements

If health information is compromised, do you know your organization’s responsibilities related to breach notification of electronic protected health information (ePHI)?  The responsibilities of your organization for breach notification depend on a few items, including:

  • Whether you are a covered entity or a business associate
  • When the breach was discovered, meaning the date it was known, or reasonably should have been known, to the organization
  • The extent of the breach

Covered Entity vs Business Associate

A covered entity is one of three types of organization: 1) a health plan, 2) a health care clearinghouse, or 3) a health care provider that transmits health information electronically in connection with a HIPAA standard transaction.  An organization that is not itself a covered entity but creates, receives, maintains, or transmits ePHI on behalf of one is a business associate.  A “business associate” is an organization that performs activities or provides services for a covered entity that involve the use or disclosure of ePHI; a subcontractor that handles ePHI on behalf of a business associate is itself a business associate.

The HITECH Act added breach notification requirements to HIPAA.  HITECH requires that, when a breach occurs, covered entities and their business associates provide notification of the breach of unsecured ePHI, that is, ePHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, by encryption consistent with HHS guidance).  The loss of properly encrypted ePHI, where the decryption key was not also compromised, does not trigger the notification obligation, which is one reason encryption at rest and in transit matters so much in this sector.

A breach is defined in the Breach Notification Rule as an impermissible acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of that information.  An impermissible use or disclosure is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the ePHI has been compromised.  Following a breach, the covered entity must notify the affected individuals and the Secretary of Health and Human Services (HHS) and, in some cases, the media; a business associate’s own notification obligation runs to the covered entity.  Individual notification must be in written form (first class mail) or by email if the individual has agreed to receive such notices electronically.

Timing of the Breach

The breach notification must be made without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.  A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the organization (including to any workforce member or agent other than the person who committed the breach), so the clock does not wait for the investigation to finish.  The notification must include the following items:

  • A brief description of the breach
  • The types of information that were involved in the breach
  • What individuals can do to protect themselves against potential threats due to the breach
  • What the covered entity or business associate is doing to investigate the breach, minimize the impact, and prevent further breaches
  • Contact information for how individuals can reach the covered entity or business associate

Extent of the Breach

If the breach affects more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction, typically through a press release, within the same 60-day window.  Breaches affecting 500 or more individuals must be reported to the Secretary of HHS at the same time individuals are notified; smaller breaches are logged and reported to the Secretary annually, no later than 60 days after the end of the calendar year in which they were discovered.  If a breach occurs at a business associate, the business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and must include, to the extent possible, the identity of each individual whose ePHI was affected.

Business associates must also review and understand any Business Associate Agreements (BAAs) they have signed with covered entities and with other business associates for which they act as subcontractors.  A BAA frequently imposes stricter reporting obligations than the rule itself, such as a shorter notification deadline or notice of security incidents that fall short of a breach, and those contractual terms must be met in addition to the regulatory ones.

Mechanisms to have in Place related to Breaches

To reduce the risk of ePHI being compromised, organizations should implement the administrative, physical, and technical safeguards defined by the HIPAA Security Rule and have intrusion detection and monitoring in place on the systems that store, process, or transmit ePHI, with logs retained long enough to establish what was accessed and when.  Because the 60-day clock starts at discovery, and discovery includes what the organization reasonably should have known, monitoring that surfaces an incident early is as much a compliance control as a security one.  Alongside these preventive and detective controls, organizations should have an incident response plan with detailed procedures and assigned responsibilities, including who decides whether an incident is a reportable breach, who performs and documents the risk assessment, and who prepares the individual, HHS, media, and (for business associates) covered-entity notifications.  Those responsible for executing the plan should be trained on it, and the plan should be exercised regularly.

Would you like to learn more about the requirements for a breach notification related to protected health information? 

Contact us today at [email protected] or call 1-888-702-5446