Breach Notification…Who, How, When?

February is typically a very busy month for health care compliance professionals because the majority of breaches are required to be reported to the Department of Health and Human Services (HHS) within the first 60 days of the calendar year following the breach. However, the type of breach determines the applicable deadline so it is very important to know what needs to be reported to whom and when.

Entities regulated by HIPAA, including healthcare providers, health plans and business associates, must identify breaches in an adequate and timely manner and respond to breaches accordingly. This response includes identifying the occurrence, thoroughly investigating the incident, completing a thorough Breach Assessment of the incident and timely reporting conclusions to the appropriate parties.

A “breach” is an impermissible use or disclosure that compromises the privacy or security of protected health information. When a breach occurs in a health care setting, the entity may be required to provide notice of the breach to affected parties, including the patient or client, HHS and in some instances media outlets.

Standard

Health care entities are required to assess all breaches by considering the likelihood that patient or client protected health information was compromised. This is different than the previous harm standard, which required a determination of whether the breach caused a significant risk of financial, reputational or other harm. Under the compromise standard, consideration is given to the identity of the individual to whom the information was wrongfully provided and the possibility of that individual being able to retain and/or utilize the information.

Entities rely on their Breach Assessment tool to assist them with developing conclusions about the status of a breach. Unless an entity can substantiate and document that the breach was low-risk, it must be reported to appropriate parties as a breach. Pursuant to federal regulation, specific elements must be considered before an entity can determine a breach to be low-risk. Those elements include:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.[1]

These elements, in addition to other documented analysis, must be included on the entity’s Breach Assessment. This document should be customized to the entity and identify criteria that would lead to an objective determination about the nature of the breach.

The adequacy of an entity’s Breach Assessment tool is vital to that entity reaching an appropriate conclusion. The Breach Assessment should document the type of breach and the source of the breach. It should reflect whether it was an oral breach or whether documentation was shared. It should consider whether the individual with whom the information was shared is also a workforce member of a HIPAA-covered entity or whether that individual had any duty to keep the information confidential. After considering these questions, in addition to other factors, the entity should be able to make a reasonable determination about whether the protected health information was compromised.

Content of Notice

If an entity determines that a breach occurred and that breach notification is necessary, they must provide notice of the breach, which at a minimum includes the following:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.[2]

Timeliness Requirements

Entities must adhere to specific deadlines for breach reporting. The timeline is considered to have started on the date that the entity “knew or should have known of the breach.” Meaning that the entity either had direct knowledge of the breach or in the exercise of due diligence the entity should have been aware that the breach took place. This should have known element is important because it holds entities responsible for breaches based on an objective standard which discourages entities from pretending to be unaware of breach incidents.

Notification deadlines are directly related to the size of the breach. Breaches fewer than 500 individuals require notification to the patient within 60 days of discovery of the breach, also known as Individual Notice. Additionally, for breaches fewer than 500, notification must be provided to HHS within the first 60 days of the following calendar year.

Breaches involving 500 individuals or greater require entities to meet the Individual Notice standard described above, but it also requires simultaneous notice to HHS and media notice. Media notice is required to take place both in the place where the entity does business and in the location where the individuals affected by the breach reside. For example, a practice is located in Montgomery, Ala., and they provide services to patients in Montgomery and in Huntsville, Ala. The entity will be responsible for contacting media outlets in both Montgomery and Huntsville to ensure that consumers are informed of the breach. Additionally, if the entity has a website the notice must also be placed on the entity website.

Wall of Shame (for breaches of 500 individuals or greater)

The HHS Office of Civil Rights (OCR) notifies the public of large breaches in an effort to strengthen consumer trust and transparency. These breaches can be found on the HHS website and are known in the health care industry as the “Wall of Shame.” This Wall of Shame identifies entities that are currently under investigation, as well as entities who have already settled their cases with HHS or otherwise resolved their cases through administrative proceedings. It documents the name of the entity, the exact number of people involved in the incident and the type of breach. While the Wall of Shame generally reports incidents that occurred within the last two years, there is also an archive section that allows consumers to review cases occurring before that cut off period. You can view the HHS Wall of Shame by utilizing the following link: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Understanding the Breach Notification Rule can be tricky. This area of the regulations has many aspects that require professionals to perform specific analysis as they navigate each incident. Your entity compliance professional should be trained on the requirements and ensure that your policies and procedures are updated regularly. Your entity can report breaches to HHS by utilizing the following link: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.

Should your entity have questions regarding the Breach Notification Rule, they should contact a healthcare compliance professional for guidance.

[1] 45 CFR 164.402(a)(2)

[2] 45 CFR 164.404 (c)

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.