What are the HIPAA Breach Notification Requirements?
The HIPAA breach notification requirements are important to know if an organization creates, receives, maintains, or transmits Protected Health Information (PHI). Additionally, the organization must develop a breach response plan that can be implemented as soon as a breach of unsecured PHI is discovered.
While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Business associates that have only just started providing a service to Covered Entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach.
The issuing of notifications following a breach of unencrypted PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in additional to that impose for the data breach itself. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and business associates.
Summary of the HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires covered entities to report breaches of unsecured electronic protected health information and physical copies of protected health information. A breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by HIPAA Rules.
Get the FREE
HIPAA Compliance Checklist
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
HIPAA Journal Privacy Policy
According to the HHS´ guidance on the HIPAA Breach Notification Rule, an impermissible use or disclosure of unsecured protected health information is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
HIPAA breaches include unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks. Exceptions include: Breaches of secured protected health information such as encrypted data when the key to unlock the encryption has not been obtained; “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure;” An inadvertent disclosure by a person who is authorized to access PHI, to another member of the workforce at the organization who is also authorized to access PHI; When the covered entity or business associate makes a disclosure and has a good faith belief that the information could not have been retained by the person to whom it was disclosed.
In the event of a reportable HIPAA breach being experienced, the HIPAA breach notification requirements are:
Notify Individuals Impacted – or Potentially Impacted – by the Breach
All individuals impacted by a data breach, who have had unsecured protected health information accessed, acquired, used, or disclosed, must be notified of the breach. Breach notifications are also required for any individual who is reasonably believed to have been affected by the breach.
Breach notification letters must be sent within 60 days of the discovery of a breach unless a shorter breach notification timeframe exists under state law or a request to delay notifications has been made by law enforcement. While it is permissible to delay reporting of a breach to the HHS for breaches impacting fewer than 500 individuals (see below), that delay does not apply to notifications to breach victims. Breach notification letters should be sent by first class mail to the last known address of breach victims, or by email if individuals have given authorization to be contacted electronically.
The HIPAA breach notification requirements for letters include writing in plain language, explaining what has happened, what information has been exposed/stolen, providing a brief explanation of what the covered entity is doing/has done in response to the breach to mitigate harm, providing a summary of the actions that will be taken to prevent future breaches, and giving instructions on how breach victims can limit harm. Breach victims should also be provided with a toll-free number to contact the breached entity for further information, together with a postal address and an email address.
Notify the Department of Health and Human Services
Notifications must be issued to the Secretary of the Department of Health and Human Services, via the Office for Civil Rights breach reporting tool. The HIPAA breach notification requirements differ depending on how many individuals have been impacted by the breach.
When the breach has impacted more than 500 individuals, the maximum permitted time for issuing the notification to the HHS is 60 days from the discovery of the breach, although breach notices should be issued without unnecessary delay. In the case of breaches impacting fewer than 500 individuals, HIPAA breach notification requirements are for notifications to be issued to the HHS within 60 days of the end of the calendar year in which the breach was discovered.
Notify the Media
HIPAA breach notification requirements include issuing a notice to the media. Many covered entities that have experienced a breach of protected health information notify the HHS, relevant state attorneys general, and the patients and health plan members impacted by the breach, but fail to issue a media notice – a violation of the HIPAA Breach Notification Rule.
A breach of unsecured protected health information impacting more than 500 individuals must be reported to prominent media outlets in the states and jurisdictions where the breach victims reside – See 45 CFR §§ 164.406. This is an important requirement, as up-to-date contact information may not be held on all breach victims. By notifying the media, it will help to ensure the maximum number of breach victims possible are made aware of the potential exposure of their sensitive information. As with the notifications to the HHS and breach victims, the media notification must be issued within 60 days of the discovery of the breach.
Post a Substitute Breach Notice on the Home Page of the Breached Entity’s Website
In the event that up-to-date contact information is not held on 10 or more individuals that have been impacted by the breach, the covered entity is required to upload a substitute breach notice to their website and link to the notice from the home page. The link to the breach notice should be displayed prominently and should remain on the website for a period of 90 consecutive days. In cases where fewer than 10 individuals’ contact information is not up-to-date, alternative means can be used for the substitute notice, such as a written notice or notification by telephone.
Data Breaches Experienced by HIPAA Business Associates
One often overlooked area of the HIPAA Security Rule in that Business Associate Agreements must stipulate that all security incidents must be reported by a business associate to a covered entity whether they result in a data breach or not (see 45 CFR §164.314(a)(2)(i)).
If a security incident does result in a breach of unsecured PHI, it must be reported to the covered entity within 60 days of the discovery of a breach. While this is the absolute deadline, business associates must not delay notification unnecessarily. Unnecessarily delaying notifications is a violation of the HIPAA Breach Notification Rule.
It is usually the covered entity´s responsibility to issue breach notifications to affected individuals, so any security incidents reported to the covered entity need to include details of the individuals impacted. It is a good practice to alert covered entities to security incidents rapidly to prevent avoidable delays in notifying individuals.
There may be exceptions to the above processes if, for example, a business associate experiences a data breach while providing a service to multiple covered entities and if each Business Associate Agreement stipulates it is the business associate´s responsibility to issue breach notifications to individuals and HHS´ Office for Civil Rights. Nonetheless, in these circumstances it would still be necessary to advise each covered entity of the security incident that resulted in the data breach.
Timeline for Issuing Breach Notifications
Breach notifications should be issued as soon as possible and no later than 60 days after the discovery of the breach, except when a delay is requested by law enforcement. Investigating a breach of protected health information can take some time, but once all the necessary information has been obtained to allow breach notifications to be sent, they should be mailed.
HIPAA-covered entities must not delay sending breach notification letters. It is possible to receive a HIPAA violation penalty for delaying notifications, even if they are sent within 60 days of the discovery of the breach. There have been several recent cases of HIPAA breach notification requirements not being followed within the appropriate time frame, which can potentially result in financial penalties.
State Breach Notification Laws May Be Stricter than HIPAA
Most U.S. states have breach notification laws. Typically, notifications must be issued to breach victims promptly and a notice also submitted to the state attorney general’s office; and although many state breach notification laws exempt covered entities, they may not exempt business associates from providing breach notifications. In such cases, some states require breach notifications to be issued well within the HIPAA deadline.
Delaying breach notifications until the 60-day limit of HIPAA could well see state laws violated, leading to financial penalties from state attorney generals. State laws frequently change so it is important to keep up to date on breach notification laws in the states in which you operate.
Penalties for Violations of HIPAA Breach Notification Requirements
HIPAA covered entities must ensure the HIPAA breach notification requirements are followed or they risk incurring financial penalties from state attorneys general and the HHS’ Office for Civil Rights.
In 2017, Presense Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation – after it exceeded the 60-day maximum time frame for issuing breach notifications. Presense Health took three months from the discovery of the breach to issue notifications – A delay that cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.
Responding to a Healthcare Data Breach
HIPAA Breach Notification Requirements FAQs
What is the difference between a HIPAA breach and a HIPAA violation?
The difference between a HIPAA breach and a HIPAA violation is that a HIPAA breach is when unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule. A HIPAA violation occurs when a Covered Entity, Business Associate, or a member of the workforce fails to comply with any standard in the Privacy, Security, or Breach Notification Rules. It is not necessary for a breach to occur in order for there to be a HIPAA violation – for example, the failure to respond to a patient access request within 30 days is a HIPAA violation, but not a HIPAA breach.
Why must staff be trained on reporting HIPAA breaches?
Staff must be trained on reporting HIPAA breaches and other violations to their supervisors, managers, or the Privacy Officer. It is not necessary for staff to know the mechanics of the HIPAA breach notification requirements beyond that point, but they must be aware of the consequences of delaying a report in terms of the impact it will have on patients affected by the breach, the consequences for their employer if notifications are delayed longer than necessary, and on their own jobs if a breach comes to light weeks after it has happened.
What is the difference between secured PHI and unsecured PHI?
The difference between secured PHI and unsecured PHI is that secured PHI is defined as Protected Health Information that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technologies or methodologies specified in §13402 of the HITECH Act. HIPAA is technology neutral, but the implementation specifications relating to Access Controls and Transmission Security state encryption is required unless an equivalent protection is implemented, or the use of encryption is unreasonable and inappropriate in the circumstances.
What is an example of a “good faith belief” that PHI has not been retained?
An example of a good faith belief that PHI has not been retained is if, for example, a healthcare professional shows an X-ray image to a person not authorized to view the image. If the healthcare professional realizes the mistake and withdraws the X-ray image before it is likely any information relating to the image has been absorbed, it is highly likely that PHI has not been retained.
In this example, a Covered Entity can reasonably accept – in good faith – there has been no disclosure of unsecured PHI. However, it is important the healthcare professional still reports the unauthorized disclosure to a higher authority, and that the report – along with the good faith determination – is documented.
Why do individuals have to give authorization before they receive email notifications?
Individuals have to give authorization before they receive email notifications because email is not a secure communication channel. Covered Entities must obtain the authorization of an individual before sending an email that contains PHI; and, because breach notifications inform individuals what PHI was accessed, Covered Entities can only communicate a breach by email if they have a prior authorization.
When must a HIPAA breach be reported?
A HIPAA breach must be reported whenever unsecured PHI or ePHI has been used or disclosed impermissibly unless there is a low probability that data has been comprised based on the risk assessment mentioned above. Also mentioned above was the timetable for reporting HIPAA breaches – within sixty days if the breach involves 500 or more records, and by the end of the calendar year if the breach involves fewer than 500 records.
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule is a regulation introduced via the HITECH Act in 2009 that requires covered entities to notify affected individuals, HHS´ Office for Civil Rights, and – in some cases – the media when a breach of unsecured PHI occurs. Business associates are also covered by the Rule, and have to notify the covered entity of any security incidents.
Who does the Breach Notification Rule apply to?
The Breach Notification Rule introduced in the HITECH Act applies to HIPAA covered entities and business associates, and vendors of Personal Health Records (PNRs) and third party service suppliers with access to PNR identifiable health information. There is a difference in the breach notification rule requirements depending on the type of business:
- HIPAA covered entities are required to notify affected individuals, HHS´ Office for Civil Rights, and – where applicable – the media.
- Business associates are required to notify covered entities only unless a clause to the contrary appears in the Business Associate Agreement.
- Vendors of PNRs and third party service providers are required to report breaches of unsecured PNR information to affected individuals and the Federal Trade Commission.
What are the Breach Notification Rule requirements for business associates?
The Breach Notification Rule requirements for business associates are that, other than when stipulated in a Business Associate Agreement, business associates must report breaches of unsecured PHI to the covered entity with whom they have signed an agreement. Once the breach is reported to the covered entity, it is the covered entity´s responsibility to determine whether the breach is notifiable and, if so, to fulfil the HIPAA breach notification requirements.
When did the HIPAA breach notice requirements come into force?
The HIPAA breach notice requirements came into force on September 23, 2009. It should have been a week earlier, but the Department for Health and Human Services missed the deadline for publishing the Interim Breach Notification Final Rule in the Federal Register (it should have been within 180 days of the passage of HITECH) and still had to allow 30 days before the Rule took effect.
What are the necessary steps to notify a patient of a HIPAA violation?
The necessary steps to notify a patient of a HIPAA violation only apply if a HIPAA violation results in a breach of unsecured PHI. In such circumstances, each patient affected by the breach must be informed within sixty days of what happened, what information was disclosed, what the covered entity is doing to mitigate the consequences, and what actions the individual can take to reduce the potential for harm.
When must you report a healthcare disclosure incident?
You must report a healthcare disclosure incident on every occasion unless the disclosure qualifies as an incidental disclosure under §164.502 of the Privacy Rule. Even when you believe the disclosure may be incidental, it is still best to check whether the incident needs reporting with a person in authority (i.e., a HIPAA Privacy Officer) and document the report in case a complaint is later made by the individual whose healthcare information was disclosed.
Are there HIPAA violation reporting requirements?
In most cases there are HIPAA violation reporting requirements; but, unlike the HIPAA breach reporting requirements, each covered entity or business associate can determine what violations should be reported and who they should be reported to. Naturally, if a HIPAA violation results in a data breach, it is necessary for a covered entity to notify the affected individual(s) and HHS´ Office for Civil Rights, and for a business associate to notify the covered entity.
When must an individual be notified of a breach of their PHI?
An individual must be notified of a breach of their PHI anytime their individually identifiable health information is disclosed impermissibly. This not only means when a database is hacked or when an organization experiences a ransomware attack, but also if the individual´s PHI is disclosed verbally or used for a purpose not permitted by the Privacy Rule without authorization from the individual.
What must a HIPAA breach notification consist of?
What a HIPAA breach notification consists of varies according to who is doing the notifying and who the notification is to. For example, a HIPAA breach notification from a business associate to a covered entity only needs to consist of the name(s) of the individual(s) whose PHI has been breached – although it may be necessary to later supply further information for the covered entity to comply with their breach notification requirements.
A HIPAA breach notification from a covered entity to an individual has to notify the individual what happened, when it happened, how it happened, and what the covered entity is doing to mitigate the consequences. The notification has to advise the individual the types of PHI that were disclosed impermissibly, and explain how – depending on the types – they can protect themselves from fraud, loss, or theft. The notification should also include a toll-free number for further information.
When notifying HHS´ Office for Civil Rights of a data breach, the information required is event-specific inasmuch as the agency´s reporting portal consists of various paths depending on the nature of the breach, how it occurred, and what measures were in place to prevent the breach at the time – or have been implemented since. This PDFpublished by HHS´ Office for Civil Rights provides examples of the types of questions asked on the Breach Notification portal.
What happens after you have made a HIPAA data breach notification to HHS?
After you have made a HIPAA data breach notification to HHS, the notification is reviewed and the individual who reported the breach is contacted if further information is required – such as proof that HIPAA training was provided or that security solutions were implemented prior to the breach. If there is evidence to suggest the data breach is attributable to a HIPAA violation, HHS´ Office for Civil Rights may choose to conduct a compliance investigation on the covered entity.
If the investigation confirms the covered entity is not complying with the Privacy, Security, and/or Breach Notification Rules, the agency has the authority to offer technical assistance, impose a corrective action plan, or issue a civil monetary penalty. Alternatively, if PHI has been disclosed “knowingly and wrongfully”, the case could be referred to the Department of Justice, who will review the evidence before determining whether to pursue a criminal conviction.
In the event that ePHI is compromised, what are we required to do to comply with HIPAA law?
In the event that ePHI is compromised, what you are required to do to comply with HIPAA law depends on whether or not ePHI was secured, whether the incident resulted in an impermissible disclosure of ePHI, and whether you are a covered entity or business associate.
In the event that ePHI was secured with encryption so it is unusable, unreadable, or indecipherable to an unauthorized person, it is not necessary to do anything to comply with HIPAA law – unless the incident involves a ransomware attack, in which case compliance with the HIPAA breach reporting requirements are a “fact-specific determination” (see Item 6 on the HHS Ransomware Fact Sheet).
It may also not be necessary to do anything to comply with HIPAA law if ePHI was compromised but the event in which it was compromised did not result in an impermissible disclosure. For example, if a patient’s medical record was changed without authorization, but the issue was identified by an audit control and reversed, the event is not notifiable under the Breach Notification Rule.
If the compromise of ePHI has resulted in an impermissible disclosure and you are a business associate of a covered entity, you are required to report the incident to the covered entity at the earliest possible opportunity. The covered entity then takes over the responsibility for complying with HIPAA law unless there are clauses to the contrary in the Business Associate Agreement.
As a covered entity, you are required to notify a breach of unsecured ePHI to the affected individual(s) and HHS´ Office for Civil Rights. The processes for doing so appear in sections 45 CFR §164.400 to 45 CFR §164.414 of the Administrative Simplification Regulations and you have 60 days to complete the processes unless a state law stipulates a shorter time frame.
What is the difference between a HIPAA security breach and a HIPAA security incident?
The difference between a HIPAA security breach and a HIPAA security incident is that a breach of unsecured PHI is a reportable event whereas an incident does not necessary imply a breach has occurred – the Security Rule defining a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
Therefore, an unauthorized attempt to access an information is not a HIPAA security breach if it is not successful. Similarly, a successful attempt to hack an information system is not a HIPAA security breach if PHI is not accessed, used, disclosed, modified, or destroyed. However, if these incidents occur on a business associate´s information system, they should be reported to the covered entity under the terms of a HIPAA-compliant Business Associate Agreement.
Who do you report a HIPAA violation to?
Who you report a HIPAA violation to – as opposed to a HIPAA breach – depends on your employer´s HIPAA policies. In most organizations, HIPAA violations should be reported to a manager or to the organization’s Privacy Officer; however, the correct procedures should have been explained to you during your initial HIPAA training.
What is a HIPAA violation?
A HIPAA violation is any failure to comply with the standards and implementation specifications in 45 CFR Parts 160, 162, and 164 by an organization that qualifies as a covered entity (generally health plans, health care clearinghouses, and healthcare providers) or that is a “business associate” of a covered entity with who PHI is shared.
The “Parts” (often referred to as the “Administrative Simplification Regulations”) include the General HIPAA Provisions, the Transactions and Code Set Rules, the Privacy Rule, the Security Rule, and the Breach Notification Rule. The standards in the Parts equally apply to members of a covered entity´s or business associate´s workforce and are enforced by workplace HIPAA policies.
What is an appropriate HIPAA breach response?
An appropriate HIPAA breach response depends on the nature of the breach and its cause. For example, the infographic above provides a 9-point HIPAA breach response which is appropriate for ongoing cyberattacks and can be adopted for other types of security incident. However, if a breach of unsecured PHI is attributable to a member of the workforce posting an image of a patient on social media, an appropriate breach response would be to follow the HIPAA breach notification requirements and sanction the member of the workforce for an impermissible disclosure of PHI.
