HIPAA covered entities and their business associates are required provide notification following a breach of unsecured protected health information (PHI).
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The notice must be sent to the involved individuals as soon as reasonably possible but no later than 60 days after discovery of the breach. (45 CFR § 164.404).
Do I need to report it?
The timing of notice to HHS depends on the number of persons affected by the breach. If the breach involves 500 or more persons, the covered entity must notify HHS at the same time it notifies the individuals and it must also be reported to the media. If the breach involves less than 500 persons, the covered entity must report the breach to HHS no later than 60 days after the end of the calendar year in which the breach(s) were discovered (i.e. March 1, 2019 for breaches that occurred during 2018).
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of “breach.”
- The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
- The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
- The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Documentation. A covered entity is required to maintain documentation concerning its breach analysis and/or reporting for six years. (45 CFR §§ 164.414 and 164.530(j)).
Accounting Logs. Whether or not the breach is reportable to the individual or HHS, covered entities and business associates are still required to record impermissible disclosures in their accounting of disclosure log(s) as required by 45 CFR § 164.528. The log must record the date of the disclosure; name and address of the entity who received the PHI; a brief description of the PHI disclosed; and a brief statement of the reason for the disclosure. (45 CFR § 164.528(b)). If requested, the covered entity must disclose the log to the individual or the individual’s personal representative within 60 days. (Id. at 164.528(c)).
Avoid Reports by Avoiding Breaches. Of course, it is better to avoid a breach rather than respond to one. To that end, covered entities and business associates should ensure that they practice preventive medicine by, among other things, encrypting PHI when possible and implementing other required policies and administrative, technical, and physical safeguards to protect PHI. They should train and regularly remind workforce members concerning HIPAA obligations, periodically monitor compliance, and respond promptly to correct weaknesses.
Submitting a Notice of Breach to the HHS Secretary:
Submit a Notice for a Breach Affecting Fewer than 500 Individuals (March 1, 2019 Deadline)
If you have any questions, you may call HHS OCR toll-free at: 1-800-368-1019, TDD: 1-800-537-7697 or send an email to OCRPrivacy@hhs.gov.
Visit the "Wall of Shame" to View a list of Breaches Affecting 500 or More Individuals
Important Note: Remember that while it may be relatively unlikely that not reporting small breaches will automatically invite an HHS investigation, if a non-reported breach or a trend of violations IS discovered, this could lead to a judgment of "Willful-Neglect", magnifying penalties and fines dramatically!
Sources(s): https://www.hcsiinc.com, https://www.hhs.gov/hipaa/for-professionals/breach-notification, http://www.hhhealthlawblog.com, https://www.ama-assn.org