HIPAA’s rules set standards which healthcare providers and other covered entities (CEs) must follow to reduce the chance of patient data being exposed to unauthorized individuals. However, no system is infallible; even with sophisticated data security measures implemented, it is still possible for unauthorized individuals to access computer systems.
Any incident in which unsecured PHI is accessed, acquired, used, or disclosed by an unauthorized individual is called a breach. HIPAA’s Breach Notification Rule outlines the procedures that HIPAA covered entities (CEs) must follow in the event of a data breach.
The word ‘unsecured’ is key: an incident only qualifies as a data breach if the PHI involved was unsecured. If a mobile phone containing encrypted ePHI is lost or stolen, this does not constitute a data breach unless the keys to decrypt the data were also lost or stolen. If the ePHI on the device was not encrypted, the loss is a data breach.
Any suspected data breach must be reported to the organization’s HIPAA Officer. The HIPAA Officer must ensure the incident is investigated and must determine whether the security incident constitutes a data breach. That determination should consider:
- Who accessed the PHI
- The type and amount of PHI involved
- Whether the PHI was viewed, copied, or altered
- Actions taken by the CE to mitigate risk
HIPAA’s Breach Notification Rule stipulates that CEs must notify individuals in the event of a data breach. Business associates (BAs) are required to inform CEs if they discover a breach of PHI provided to them. CEs must send individual breach notifications within 60 days of the breach being discovered.
Breach notification letters must be sent via first class post unless a prior agreement exists in which individuals have agreed to receive communications via email. The letter must include information on:
- The type of data exposed and the likelihood of a patient or plan member being identified from the data
- The person who has accessed the data and to whom they have disclosed information
- The probability of PHI being accessed, viewed or shared
- The extent to which any potential damage has been mitigated
Breach Notifications to the Secretary of the HHS
CEs must notify the Secretary of the Department of Health and Human Services if they discover a breach of PHI. The CE submits the breach notification via a web portal.
If a breach has affected 500 or more individuals, CEs must submit their report ‘without unreasonable delay’ and within 60 days of the breach being discovered. If more than 500 individuals are affected in the same state or jurisdiction, CEs must also provide notice to a prominent media outlet serving the jurisdiction in which the breach victims reside.
If a breach has affected fewer than 500 individuals, CEs must submit their report within 60 days of the end of the calendar year in which the breach was discovered. CEs are also free to submit their breach reports closer to the time of discovery if they prefer.
If a CE has experienced multiple breaches, each breach must be reported separately, with its own report.
CEs should maintain records of all of the actions taken following a breach. If the HHS Office for Civil Rights (OCR) investigates the incident, it will check these records to ensure that the CE followed all of the requirements of the Breach Notification Rule in the aftermath of the breach.