A while back, we began a series on de-mystifying the privacy healthcare law juggernaut that is the Health Insurance Portability and Accountability Act ("HIPAA") Data Breach Rule. In the last installment, my colleague Scot Ganow identified the initial assessments that one should take when dealing with a suspected data breach. In this installment, I identify the steps that healthcare organizations and their business partners should take in notifying affected parties about a breach.
At this stage in the process, a ”Covered Entity” (e.g. healthcare provider, health plan, healthcare clearinghouse) or ”Business Associate” (business that collects, uses, or shared Protected Health Information (“PHI”) on behalf of a Covered Entity) has conducted a risk assessment and determined that a breach has indeed occurred. Again, as we discussed in Part 1, it is important to remember that not all security incidents qualify as “breaches” under HIPAA. Following a breach of unsecured PHI, Covered Entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services (“Secretary”), and, in certain circumstances, to the media of a particular jurisdiction.
The first type of notice is individual notice. Covered Entities must notify affected individuals after the discovery of a breach. Covered Entities must provide this individual notice in written form by first-class mail. E-mail notices are permissible, however, if the affected individual has previously agreed to receive such notices electronically.
Insufficient Contact Information: In the event that a Covered Entity has insufficient contact information (or the contact information is out-of-date) for 10 or more affected individuals, the Covered Entity must provide substitute individual notice. A Covered Entity may do this one of two ways: (1) post the notice on the home page of its website for at least 90 days, or (2) provide the notice in major print or broadcast media where the affected individuals likely reside. Additionally, the Covered Entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the Covered Entity has insufficient or out-of-date contact information for fewer than 10 individuals, the Covered Entity may provide substitute notice by an alternative form of written notice, by telephone, or "other means."
Timing: Individual notifications must be provided without unreasonable delay. Although the statute does not define "unreasonable delay," it does explicitly state that notice must be given "in no case later than 60 days following the discovery of a breach."
Substance: Notices must include, to the extent possible, the following items:
Business Associates: First and foremost, Business Associates must notify Covered Entities if a breach occurs at or by the Business Associate. Although the Covered Entity is ultimately responsible for ensuring individuals are notified, the Covered Entity has the ability to delegate the responsibility of providing individual notices to the Business Associate. The Health and Human Services website recommends that Covered Entities and Business Associates consider which is in the best position to provide notice to the individual. This could depend on various circumstances such as the functions the Business Associate performs on behalf of the Covered Entity, and which entity has the relationship with the individual.
Notice to the HHS Secretary
Covered entities are responsible for notifying the Secretary of Health and Human Services of any breach of unsecured protected health information. Covered entities are responsible for notifying the HHS Secretary regardless of the size and scope of the breach. However, the size of the breach affects the timing of notification.
Covered Entities are required to notify the Secretary through the Health and Human Services website by filling out and electronically submitting a breach report form. The form can be accessed here.
Notice to the Media
In some situations, Covered Entities may be required to provide notice to the public at large through notice to the media. If a Covered Entity experiences a breach affecting more than 500 residents of a particular STATE or JURISDICTION, then the Covered Entity is required to provide notice to prominent media outlets serving the State or jurisdiction. Note: notice to the media is only required if the state or jurisdiction contains 500 or more residents that are affected. If the breach affects 500 individuals stretched out over multiple jurisdictions without 500 total residing in one jurisdiction, then notice to the media is not required.
When notice to the media is required, Covered Entities will likely provide notification in the form of a press release to appropriate media outlets serving the affected area. The media notification must be provided without unreasonable delay, and in no case later than 60 days following the discovery of a breach. The media notice must include the same information outlined above for individual notice.
Dealing with a HIPAA data breach can be an intimidating process, and it is best practice to consult with an attorney when navigating notice requirements. Furthermore, these are but the minimum requirements organization HAVE meet from the Data Breach Rule. Effective counsel can assist you with determining what more you SHOULD do to provide the best possible protection for your patients and your business.