In accordance with the HIPAA Breach Notification Rule, covered entities are required to notify patients (and the relevant authorities) when their protected heath information (PHI) has been compromised in such a way that puts their privacy at stake. If a patient’s PHI is used or disclosed in an impermissible manner it is presumed to have been breached, unless the covered entity is able to demonstrate that there is a “low probability” that the PHI has been compromised. To determine whether the use or disclosure of a patient’s PHI meets HIPAA’s “low probability of compromise” threshold, there are 4 factors that should be to be taken into consideration:
- The type of PHI that was involved and whether it can be used to identify the patient
- Who the PHI was disclosed to
- Whether the PHI was actually accessed/viewed by an unauthorized party
- The extent to which the risk to the PHI has been mitigated
If the covered entity fails to demonstrate that there is a “low probability of compromise”, they must notify the affected patients and the U.S. Department of Health & Human Services (HHS) as soon as possible.
NOTE: Business associates of a covered entity are also subject to the HIPAA Breach Notification Rule.
When Should the Covered Entity Notify the Patients/Authorities?
As soon as a covered entity has discovered a breach, they must inform the relevant parties “without unreasonable delay”, or up to 60 days following the date of discovery. If the breach involves the unsecured PHI of more than 500 individuals, the covered entity must notify the relevant media outlets, in addition to the HHS. If the breach involves fewer than 500 individuals, the covered entity must maintain a log of the relevant information and notify the HHS within 60 days after the end of the calendar year via the HHS website.
NOTE: The HIPAA Breach Notification Rule only applies to “unsecured PHI”. As such, if the breached PHI is encrypted/redacted in such a way as to make it unreadable/unusable, the covered entity is not required to report it – assuming the decryption key was not also disclosed.
What are the Consequences of Failing to Report a Breach? How to Report a PHI Breach
A failure to comply with the HIPAA Breach Notification Rule could result in a significant financial penalty. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.
How to Report a PHI Breach
When a covered entity experiences a breach of PHI, they are required to notify the individuals impacted by the breach, the HSS, the media, and in some cases. they are required to post a breach notification on their home page. In all cases they must provide information about what happened, the information that was compromised, and an explanation about what they are doing (or plan to do) in response to the breach. This should also include information about how they plan to prevent breaches in the future. They must also provide clear instructions to those affected, including information about what they can do to limit the amount of harm caused. Breach victims should also be given a toll-free number to call for further information, as well as the breached entity’s email address and postal address.
Notifying the affected individuals: The covered entity should send a breach notification letter to all breach victims by first class mail. If they do not have an up-to-date address for the victim(s), they can contact them via email – assuming they have been authorized to do so.
Notifying the Department of Health and Human Services: Breach notifications must be sent to the Secretary of the Department of Health and Human Services, via the Office for Civil Rights breach reporting tool.
Notifying the media: As mentioned, if the breach involves the unsecured PHI of more than 500 individuals, the covered entity must notify the relevant media outlets. Notifying the media will help to ensure that all breach victims are made aware of the potential exposure of their personal data.
As also mentioned, in some cases the covered entity will be required to post a breach notification on their home page. However, this is only necessary in situations where they do not have up-to-date contact information on 10 or more affected individuals. The breach notification (or link to the notification) must be clearly visible, and should remain visible for a period of 90 consecutive days.
NOTE: Some U.S. states have their own breach notification laws, and in some cases, the breach notifications requirements are even stricter than the HIPAA requirements. As such, you will need to check with your local authorities about what the rules are in your state.
How can Lepide Help with Your HIPAA Report Notification?
As always, prevention is better than a cure. The Lepide Data Security Platform can detect, alert and respond to unauthorized changes made to your PHI. It will also allow you to generate pre-defined HIPAA audit reports at the click of a button. The built-in data discovery and classification tool will automatically scan your repositories for PHI, and classify the data accordingly, thus making it easier to assign the appropriate access controls and keep track of how your PHI is being used and shared.
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your PHI and simplify the process of generating a HIPAA breach report, schedule a demo with one of our engineers.