The risk of personal identifiable information falling into the wrong hands or even finding its way into the public domain is a fear that we constantly live with, in this age of digital records and internet. We saw the reality of this fear when personally identifiable information of about 80 million individuals was potentially exposed by the data breach at Anthem. It is precisely for situations such as this that the HIPAA data breach notification rule has been formulated.
HIPAA breach notification rule
As per the HIPAA breach notification rule, covered entities and their business associates are required to inform / notify the patients, the HHS and potentially the media, in case any unsecured protected health information (PHI) is compromised at their end. However, it is important to remember that the HIPAA rule applies only to unsecured PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance. Any sensitive information that has not been protected through the use of password, multi-factor authentication or other such means may be deemed as unsecured PHI.
The notification by the covered entity or business associate can be issued if they believe that the PHI was compromised. However, this belief has to be substantiated with a risk assessment covering the following:
- The extent and nature of the PHI involved.
- Was the PHI disclosed to or used by an unauthorized person or entity.
- Was the PHI actually acquired or viewed by any unauthorized person or entity.
- The extent of risk mitigation
However, according to HHS, breach notifications can also be issued without performing the risk assessment to ensure that the PHI was compromised.
The number of individuals who may be possibly affected by the exposure caused due to the PHI breach dictates the requirements of the HIPAA breach notification. The common factors in all cases, irrespective of the number of individuals affected are:
- All affected individuals need to be notified.
- Notification must be issued within 60 days of the discovery of the breach.
The differences in the notification requirements are as under:
- In case more than 500 individuals are affected the Secretary and the media has to be notified.
- Where less than 500 individuals are affected, the covered entity needs to make an annual report. This report has to be submitted to the Secretary within 60 days after the end of the calendar year in which the breach was discovered.
- In case outdated contact information of at least 10 individuals was compromised, the entity has to post the notice on its website’s home page for 90 days or give the notice to the media in the area where the affected individuals reside.
The notice issued to the individuals must include the following information:
- Brief description of the breach
- Types of information that was compromised due to the breach
- What steps should the affected individuals take to protect themselves
- How is the entity investigating the breach
- What steps is the entity taking to mitigate the harm and prevent similar incidents in the future
- Contact information of the entity
Compliance with HIPAA administrative requirements
Covered entities or their business associates need to have documented proof of all required notification made. In case, the notification was not issued, they need to prove that such notification was not necessary – this could be done by showing that the risk assessment found a low probability of PHI being compromised or by the “the application of any other exceptions to the definition of ‘breach.’”
Healthcare organizations must have written policies and procedures to be followed in the breach notification process along with staff training on these policies and procedures. There should be a contingency plan in place, should a breach occur. Unless an entity develops; implements and documents the appropriate administrative safeguards, they are liable to federal fines due to incorrect data breach notification process.