The HIPAA Breach Notification Rule: an Overview

Mar 14, 2015

The Health Insurance Portability and Accountability Act of 1996 is one of the most important pieces of legislation in recent years for the healthcare industry. In spite of its importance, many healthcare providers and insurers remain unaware of many of their HIPAA obligations. The HIPAA Breach Notification Rule is one of the rules of which most healthcare organizations remain ignorant.

In recent months, experts and healthcare professionals have criticized healthcare providers and insurance companies over the speed at which individuals affected by data breaches are notified that their healthcare data and personal information have been stolen, lost or disclosed to an unauthorized individual.

In particular, 2015 has seen a massive surge in the number of HIPAA data breaches recorded. As a response to this, we have prepared a summary of the important elements of the Breach Notification Rule to help healthcare organizations respond quickly to data breaches and stay HIPAA-compliant.

The HIPAA Breach Notification Rule: an Overview

HIPAA Rules set the standards in the healthcare industry that healthcare providers and other covered entities must meet. The aim of these rules is to reduce the chance of highly confidential patient data being exposed. Even with the most sophisticated data security systems in place, it is still possible for unauthorized individuals to access computer systems and obtain valuable patient information. This data fetches a high price on the black market, so attackers have a strong incentive to obtain it, and breaches cannot be ruled out no matter how well HIPAA's security requirements are followed.

If your organization has suffered a data breach, the steps that must be taken depend on the nature of the data compromised and the number of people affected. A summary of a few different types of breaches based on the number of those affected is below.

Breaches Affecting 500 or More Individuals

The Department of Health and Human Services' Office for Civil Rights (OCR) must be notified without unreasonable delay, and in no case later than 60 days after discovery of the breach, if a data breach exposes the unsecured PHI of 500 or more individuals. The OCR breach reporting web portal should be used to submit the notification. Breach notification letters must also be sent to all affected individuals explaining the nature of the data exposed in the breach.

Furthermore, if a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that state or jurisdiction must also be notified. As above, the media notice must be issued without unreasonable delay and no later than 60 days after discovery of the breach.

HIPAA does not require a notice to be posted on the organization's website for every breach. However, if 10 or more affected individuals cannot be contacted because their contact information is missing or out of date, a substitute notice must be provided: either a notice posted conspicuously on the home page of the organization's website for 90 days, or a conspicuous notice in major print or broadcast media serving the area where the affected individuals are likely to live. In either case a toll-free telephone number, active for at least 90 days, must be provided so that affected individuals can find out whether their PHI was involved. (If fewer than 10 individuals cannot be reached, substitute notice may be given by an alternative written notice, telephone, or other means.)

Breaches Affecting Fewer than 500 Individuals

Data breaches involving fewer than 500 individuals require notifications to be sent to all affected individuals without unreasonable delay, and within 60 days of the discovery of the breach. For a breach of this size the media does not need to be informed, even when Social Security numbers and healthcare data are among the information compromised.

Breaches affecting fewer than 500 individuals must be logged, and the Department of Health and Human Services' Office for Civil Rights must be notified of them no later than 60 days after the end of the calendar year in which they were discovered. A covered entity may report them as they occur if it prefers, but the annual deadline is the outer limit.

Business Associates Responsible for Data Breaches

Any Business Associate (BA) that discovers a breach of unsecured PHI in its custody must notify the covered entity (CE) without unreasonable delay and no later than 60 days after discovery of the breach; the business associate agreement between the two parties may, and frequently does, set a shorter deadline. To the extent possible, the BA must identify each individual affected and provide the CE with the information it needs to notify those individuals, including a description of the data compromised in the incident.

Breach Notification Letters

When a breach does occur, the CE is required to notify every affected individual that their Protected Health Information has been exposed (a BA's obligation is to notify the CE, although a business associate agreement can delegate individual notification to the BA). This must be done regardless of the nature of the breach, whether it is a hacking incident or the loss of a laptop, smartphone or any other device containing unencrypted PHI. The Breach Notification Rule also applies to paper records, x-ray films and all other physical records containing PHI: the loss, theft or improper disclosure of these records likewise requires the affected individuals to be notified.

Breach notification letters must be sent by first-class mail. If an individual has agreed to receive communications by email, the notification may be sent by email instead. The notification must include a brief description of the breach (including the date of the breach and the date it was discovered, if known), the types of information that were potentially exposed, a description of the actions the organization has taken in response to the breach and to mitigate damage or loss, the steps individuals can take to protect themselves, and contact procedures (such as a toll-free number, email address, website or postal address) for individuals with questions.

Healthcare providers, health plans, business associates and other covered entities must treat any impermissible use or disclosure of unsecured PHI as a presumed breach, and send notification letters, unless they can demonstrate that there is a low probability that the PHI has been compromised. There is no obligation to complete a risk assessment before sending notification letters; but a decision not to send them may only be made after a thorough, documented risk assessment supports that low-probability finding.

An appropriate risk assessment must address at least the following four factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood that a patient or plan member could be re-identified from the data

• The unauthorized person who used the PHI or to whom it was disclosed

• Whether the PHI was actually acquired or viewed, rather than merely exposed to the possibility of access

• The extent to which the risk to the PHI has been mitigated (for example, a signed attestation from the recipient that the data was destroyed)

If a portable device or desktop computer has been lost or stolen, the incident is only a reportable HIPAA breach, and therefore only requires breach notification letters to be sent, if the PHI stored on the device, or accessible through it, is unencrypted. Data encrypted in a manner consistent with HHS guidance (which references NIST standards) is considered "secured" PHI. In the case of loss or theft of an encrypted device, breach notification letters only need to be sent if the decryption key was also lost or stolen, for instance if it was stored on the device or on a sticky note in the same laptop bag.

Password protection is not the same as data encryption. A login password on a device whose storage is not encrypted does not protect the data: the drive can be removed and read directly, or the operating system bypassed. In the case of loss or theft of devices containing password-protected but unencrypted PHI, breach notifications will still need to be issued as described above.

Documentation of Actions Taken

All CEs must maintain a record of the actions taken following a breach, as these may be requested by OCR investigators or auditors; HIPAA requires such documentation to be retained for six years. Details of the breach notification letters that have been sent must be recorded, along with evidence that they were actually sent and when.

If breach notification letters are deemed not to be necessary, the reason for this decision, together with the risk assessment and evidence supporting it, must be documented, since the burden of proof that no notification was required rests with the covered entity.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.
