Breach Reporting Under HIPAA

Under the HIPAA Breach Notification Rule, if a covered entity discovers a breach of unsecured protected health information (PHI), it must notify the Secretary of the Department of Health and Human Services (HHS) through the Office for Civil Rights (OCR). The Secretary has made a web portal available for submitting these notifications. There are guidelines on when and how to report a breach, which depend on the characteristics of the breach; they may help you as you consider your own breach reporting.

Definition of a Breach

A breach is, generally, an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to PHI has been mitigated.

Exceptions to the Definition of a Breach

There are three exceptions to the definition of breach:

  1. An unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate, if the acquisition, access, or use was made in good faith and within the scope of authority. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  2. The inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. A disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Definition of Unsecured PHI

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.

Breach Analysis

The covered entity must perform a breach analysis (the risk assessment of the four factors above) to determine whether a breach occurred that requires notification to the individual and to OCR, and it must document that determination, since the burden of proof for showing that no breach occurred rests with the covered entity or business associate.

Notification Requirements

Individual Notice

The involved covered entity or business associate must notify affected individuals following the discovery of a breach of unsecured PHI. It must provide affected individuals notice in written form by first-class mail or, alternatively, by email if the affected individual has agreed to receive such notices electronically. If the entity has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute notice by either posting the notice on the home page of its web site or providing the notice in major print or broadcast media where the affected individuals likely reside. If the entity has insufficient or out-of-date contact information for fewer than 10 individuals, it may provide substitute notice by an alternative form of written notice, telephone, or other means.

Timing

Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. They must include, to the extent possible, a description of the breach, a description of the types of information involved in the breach, a description of what the entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, and contact information for the entity. If substitute notice is provided by web posting or major print or broadcast media, the notification must include a toll-free number that individuals can call to determine whether their protected health information was involved in the breach.

Media Notice

In the event of a breach affecting more than 500 residents of a state or jurisdiction, the covered entity is required, in addition to notifying the affected individuals, to provide notice to prominent media outlets serving that state or jurisdiction. The entity may provide this notification in the form of a press release to appropriate media outlets serving the affected area. The media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach, and it must include the same information required for the individual notice.

Notice to the Secretary HHS/OCR

The breach notification by the covered entity to the Secretary differs based on whether the breach affected 500 or more individuals or fewer than 500 individuals. There may be times when it is unclear how many individuals are involved. In that situation the covered entity should provide its best estimate and submit updates later as they become available.

At any time, if a covered entity becomes aware of additional information that supplements the report, it may submit that information through the HHS portal under the same tracking number.

Breaches Affecting 500 or More Individuals

If a covered entity determines that a breach affects 500 or more individuals, it must notify the Secretary of HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice through the HHS portal, completing all of the required fields of the breach notification form.

Breaches Affecting Fewer than 500 Individuals

In the event a breach of unsecured protected health information affects fewer than 500 individuals, the covered entity is required to notify the Secretary of HHS within 60 days of the end of the calendar year in which the breach was discovered. A covered entity has the option to report breaches affecting fewer than 500 individuals at the time they are discovered rather than waiting until the end of the calendar year. A covered entity may report all of its breaches at once, but there must be a separate notice for each breach. These reports must be submitted electronically through the HHS portal.
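The thresholds and clocks in the notification sections above are easy to mix up in the middle of an incident (500 or more individuals for the Secretary, more than 500 residents of one state for the media, 10 or more bad addresses for substitute notice, and a year-end clock for small breaches). The following Python is an added planning aid, not code from this page or from HHS: it encodes those rules as described here and computes each deadline from the discovery date. The thresholds and day counts come from the sections above; the function names, the `BreachFacts` fields, the reading of "no later than 60 days" as discovery date plus 60 calendar days, and the sample facts are assumptions, and the output is not legal advice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: "in no case later than 60 days" is modelled as the discovery
# date plus 60 calendar days. Confirm actual deadlines with counsel.


@dataclass
class BreachFacts:
    discovered: date                              # date the breach was discovered
    affected: int                                 # best-estimate total individuals affected
    by_state: dict = field(default_factory=dict)  # state/jurisdiction -> affected residents
    bad_contact: int = 0                          # individuals with insufficient or out-of-date contact info


def individual_notice_deadline(discovered: date) -> date:
    """Individual notice: without unreasonable delay, no later than 60 days after discovery."""
    return discovered + timedelta(days=60)


def hhs_notice_deadline(discovered: date, affected: int) -> date:
    """Notice to the Secretary: 60 days after discovery for 500 or more individuals;
    otherwise within 60 days of the end of the calendar year in which the breach was discovered."""
    if affected >= 500:
        return discovered + timedelta(days=60)
    return date(discovered.year, 12, 31) + timedelta(days=60)


def media_notice_states(by_state: dict) -> list:
    """Media notice is owed in each state/jurisdiction with MORE than 500 affected residents.
    Note the page's media threshold (more than 500) differs from the HHS one (500 or more)."""
    return sorted(s for s, n in by_state.items() if n > 500)


def substitute_notice_method(bad_contact: int):
    """Substitute notice when contact information is insufficient or out of date:
    10 or more individuals -> web posting or major media, with a toll-free number;
    fewer than 10 -> alternative written notice, telephone, or other means."""
    if bad_contact <= 0:
        return None
    if bad_contact >= 10:
        return "web_or_media_with_toll_free_number"
    return "alternative_written_telephone_or_other"


def notification_plan(f: BreachFacts) -> dict:
    """Assemble every notice the page describes for the given facts."""
    media_states = media_notice_states(f.by_state)
    return {
        "individual_notice_by": individual_notice_deadline(f.discovered),
        "substitute_notice": substitute_notice_method(f.bad_contact),
        "media_notice_states": media_states,
        # media notice shares the individual-notice clock when it is owed at all
        "media_notice_by": individual_notice_deadline(f.discovered) if media_states else None,
        "hhs_notice_by": hhs_notice_deadline(f.discovered, f.affected),
        "hhs_reporting_track": "within_60_days" if f.affected >= 500 else "annual_log_or_at_discovery",
    }


if __name__ == "__main__":
    # Constructed sample facts for illustration, not a real incident.
    large = BreachFacts(date(2023, 3, 1), 1200, {"TX": 900, "OK": 300}, bad_contact=12)
    small = BreachFacts(date(2023, 11, 15), 40, {"TX": 40})
    for name, facts in (("large", large), ("small", small)):
        print(name)
        for key, value in notification_plan(facts).items():
            print(f"  {key}: {value}")
```

The small-breach case is the one worth checking by hand: a breach discovered on 15 November 2023 still carries a 14 January 2024 individual-notice deadline, while the report to the Secretary may wait until 29 February 2024, sixty days after the end of the 2023 calendar year.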

HIPAA Associates & Breach Reporting

HIPAA Associates works with clients on presumed breaches. We will assist you in performing a breach analysis to determine whether there has been a breach of unsecured PHI. For incidents that are reportable breaches, there are steps and deadlines to follow for reporting to the individual and to the Office for Civil Rights.

It is important to follow all necessary steps to report a breach successfully. Breaches vary depending on the facts and circumstances, so we draft the mandatory notice to the individual and the reports to OCR on a case-by-case basis, as the reporting deadlines may differ. We have the experience to know what information to include in a breach notification letter and in the report to OCR. Additionally, we will guide you through the additional steps required for large breaches that affect 500 or more individuals. HIPAA Associates manages breach analysis, notification to the affected individual(s), mitigation of damages, retraining, and reporting to the Office for Civil Rights.

We will assist you throughout the process from start to finish on all aspects including mitigation of damages, creating a corrective action plan, drafting notice letters, and reporting to the Office for Civil Rights.

Get help with your Breach Report

Get help from the experts in the field. We have assisted organizations with HIPAA Breach Reporting for over 18 years. We can help you and your organization. Contact us today.