How to Handle Breach Notifications
Now this is a situation you hope never to find yourself in. But it is always best to be prepared. So, how do you move forward after a breach and handle notification of affected parties?
Under the HIPAA Breach Notification Rule, a covered entity must notify affected individuals following a breach of unsecured protected health information (PHI). Individual notice must be provided in written form by first-class mail, or by email if the affected individual has agreed to receive such notices electronically.
If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide breach notification by substitute individual notice. Substitute individual notice may be made by one of the following methods:
Posting the notice on the home page of its web site for at least 90 days
Providing notice in major print or broadcast media where affected individuals likely reside
The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach.
The notice must include the following:
A brief description of the breach
A description of the types of information that were involved in the breach
The steps affected individuals should take to protect themselves from potential harm
A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
Contact information for the covered entity
How to Handle a Breach as a Business Associate
While the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to notify the individual.
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must:
Maintain written policies and procedures regarding breach notification;
Train employees on these policies and procedures; and
Develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.