As more healthcare organizations face the overwhelming prospect of dealing with data breaches, they will have to become intimately familiar with the HIPAA Breach Notification Rule. According to a recent article on HealthITSecurity, here's what you should know:
The HIPAA Breach Notification Rule requires that covered entities and business associates (BAs) provide notification to individuals, regulators and the media following a breach of unsecured protected health information (PHI). According to HHS, a breach is an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
Conducting a Thorough Risk Assessment
When a breach is suspected, HHS expects covered entities and business associates to conduct a risk assessment to determine the probability that the PHI has been compromised. Your organization will need to assess four factors:
• Whether the PHI was actually acquired or viewed
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
• The identity of the unauthorized person(s) who used the PHI or to whom the disclosure was made
• The extent to which the risk to the PHI has been mitigated by the covered entity or business associate
An impermissible use or disclosure is presumed to be a breach unless the risk assessment demonstrates a low probability that the PHI was compromised. An organization may skip the assessment, but only by treating the incident as a reportable breach and making the notifications described below. The burden of proof rests with the covered entity, so document the assessment, the four factors considered and the conclusion reached.
Who Should Be Notified and When?
HHS requires notification to three audiences after a breach of unsecured PHI: 1) the affected individuals, 2) the media (for larger breaches) and 3) the regulator, the HHS Office for Civil Rights (OCR). “Unsecured” PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance; a lost laptop whose drive was encrypted to that standard, with the key not compromised, does not trigger notification. A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery; the covered entity then carries out the notifications below. The covered entity must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach; 60 days is an outer limit, not a target. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed it. The deadline may be delayed only if a law enforcement official states that notification would impede a criminal investigation or damage national security: for the period specified in a written statement, or for up to 30 days on an oral statement (which the covered entity must document) unless a written statement follows.
According to HHS, the notification needs to include the following information:
• A description of the breach, including the date of the breach and the date of discovery, if known
• A description of the types of information involved in the breach
• Steps breach victims should take to protect themselves from harm
• A description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
• Contact information for the covered entity
The covered entity must send this notification by first-class mail, or by email if the individual has agreed to receive electronic notice. If the covered entity has out-of-date or incomplete contact information for ten or more affected individuals, it must post a conspicuous notice on the home page of its website for at least 90 days or publish a conspicuous notice in major print or broadcast media where the affected individuals likely reside; in either case it must also set up a toll-free number, active for at least 90 days, where individuals can learn whether their PHI was involved. If contact information is missing for fewer than ten individuals, a substitute form of notice such as a telephone call or an alternative written notice is sufficient. Where the covered entity believes misuse of the PHI is imminent, it may additionally notify individuals by telephone or other means, but the written notice is still required.
If a covered entity experiences a breach affecting more than 500 residents of a single state or jurisdiction, it is also required to notify prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 days after the breach’s discovery. The notification typically takes the form of a press release and must contain the same information that is required for notifying individuals.
Finally, a covered entity must inform OCR of every breach of unsecured PHI. If the breach affects 500 or more individuals, the covered entity must notify OCR without unreasonable delay and no later than 60 days after discovery; OCR publishes these breaches on its public breach portal. If the breach affects fewer than 500 individuals, the covered entity may log it and report it to OCR annually. This annual report is due no later than 60 days after the end of the calendar year in which the breaches were discovered. Note that the 500 threshold for OCR counts affected individuals in total, whereas the media threshold counts residents of a single state or jurisdiction.
Concerned about a possible data breach? Contact HIPAAcraticRx to arrange for a thorough risk assessment.