Understanding The HIPAA Breach Notification Rule

HIPAA requires covered entities and business associates to secure protected health information (PHI). Failing to do so can result in steep fines and penalties. 

Some PHI breaches, however, are out of the organization’s control. Determined hackers can expose PHI, and employees can make mistakes — they’re only human, Despite training, rigorous security protocols, and constant monitoring, data breaches can happen. 

When a health organization experiences a breach, the Department of Health and Human Services is prescriptive about the steps the organization must take next. The HIPAA Breach Notification Rule dictates the steps HIPAA-covered entities and business associates should take after a breach. 

What is a HIPAA data breach?

A HIPAA breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

Anytime PHI is accessed or used by an unauthorized person, it’s considered a breach. The organization can only claim a breach hasn’t happened based on a risk assessment of the following factors: 

1. What PHI was exposed? For instance, is it impossible or highly difficult to connect the PHI exposed to the person or persons?
2. Who accessed the PHI? For instance, was it a hacker?
3. Was the PHI actually viewed, or was it simply left exposed?
4. To what extent has the health organization already mitigated the risk to the PHI?

“Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information,” wrote the Department of Health and Human Services. 

This risk assessment can be completed by covered entities and business associates to determine the probability that PHI has been compromised. It’s to their discretion to decide if a breach has taken place and to follow the process set forth in the Breach Notification Rule. 

HIPAA breach examples

Breaches can happen in a number of different ways. Some are by accident; some are the result of a bad actor. 

Mistakes can lead to compromised PHI easily. Sending an email with patient names, diagnoses, and payment data to the wrong email address could be considered a HIPAA breach. If a laptop computer containing PHI is left unlocked and is accessed by an unauthorized individual, that could also be a breach.

[Read more: 5 Common Accidental Sources of Data Leaks]  

Malware and ransomware are huge security threats for the healthcare industry. Attacks on smart medical devices are also on the rise. These incidents are often out of the control of the health organization but nevertheless trigger the HIPAA Breach Notification procedure. 

Following the HIPPA Breach Notification Rule

HIPAA-covered entities that have experienced a breach must notify the affected individuals, and in some cases, the Secretary of Health and Human Services “without unreasonable delay” or up to 60 calendar days following the date of discovery. This notification is required even if upon discovery the entity was unsure as to whether PHI had been compromised.

Business associates that discover a breach must notify covered entities if a breach occurs at or by the business associate. The covered entity is then responsible for notifying the patients and parties affected. 

Send individual notices

The covered entity is responsible for notifying the affected individuals via first-class mail or e-mail, if the patient has chosen to receive notices electronically. Likewise, the covered entity must provide a toll-free number active for at least 90 days that individuals can call to learn if they were impacted. 

Include specific information

The HIPAA breach notification must include as much detail as possible about the breach, including: 

• a description of the information involved; 
• Steps individuals should take to protect their identities; 
• What the covered entity is doing to investigate and mitigate risk;  
• Contact information for the covered entity and/or business associate. 

The HHS notes that it’s important to include the steps that the covered entity or business associate is doing to not only investigate the breach, but also mitigate the harm, and prevent further breaches.

Issue a media notice

For HIPAA breaches impacting more than 500 people, the covered entity must notify the media — specifically, “prominent media outlets serving the State or jurisdiction” in which the covered entity operates. This alert could be in the form of a press release. 

Notify the Secretary

Finally, covered entities must notify the Secretary using the HHS breach report form. For breaches impacting 500+ people, this form must be completed within the 60 day window. If your breach has a smaller impact radius, you can simply send a breach report on an annual basis, no later than 60 days after the end of the calendar in which the breach is discovered. 

Record and save any and all notifications that you make throughout the year, as well as any documentation you have to show that a breach notification was not required. 

Prevent a HIPAA security breach

Ultimately, it’s best to avoid a HIPAA data breach altogether. Tools like Nightfall can help by automatically scanning your SaaS, IaaS, and PaaS platforms for PHI. Our tool allows you to remedy the unauthorized sharing of patient information before it’s accessed by the wrong party. 

Check out some of these guides we’ve designed to help you ensure HIPAA compliance across your remote working tech stack: 

• How to Make Slack HIPAA Compliant in 2022 
• Is Docusign HIPAA Compliant? 
• Is Microsoft Teams HIPAA Compliant? 
• Is Dropbox HIPAA Compliant?
• Is Google Drive HIPAA Compliant?
• Is Zendesk HIPAA Compliant?
• Is Atlassian Cloud HIPAA Compliant?

Learn how Nightfall can help achieve HIPAA compliance by setting up a demo at the link below.