February 12, 2021
Don’t shoot the messenger, but HIPAA breaches continue to skyrocket over the last few years – making your practice increasingly likely to experience a breach related to cyberthreats, human error, or other means. While we wish we had better news, we CAN at least help make sure that if a breach were to occur you’ve got the low down on one of the less common, but very relevant, aspects of HIPAA – the Breach Notification Rule.
Any type of breach of patient data (verbal, technical or paper-based) counts as a breach of information. The OCR has some specific requirements for you to follow in the event of a breach – namely, what types of notifications are required and who needs to be alerted if the worst should occur. So while we’re not wishing a breach on anyone, let’s walk through the key aspects of what to do next – just in case – when it comes to responding to a breach.
Step One: Assessing a Breach
First, whether your breach is suspected or pretty much a done deal, you need to assess the breach and determine the who, what, when, where and how of the incident. This is essential to finding out whose data is affected as well as what the likely ramifications are of the breach, and will inform how you handle breach notifications.
Step Two: Notifying the Right Parties
Once you’ve finished assessing a breach, you’ve only explored the tip of the iceberg. You know you have a major issue on your hands – so now what? Your first step is to get the right people – affected patients – informed as well as notify the Department of Health and Human Services (HHS) in all cases where a malicious or unknown breach has occurred. You may also have some state-specific parties that need to be notified as well, though this varies by your specific practice location.
Step Three: Providing the RIGHT Information
There are quite a few specifics that must be included in your apology letter, and just to make things even more complicated, states have different requirements here as well. A few of the basic elements include a brief description of what happened, the suspected or confirmed dates of the incident, and a description of the type(s) of protected health information (PHI) involved, any steps individuals should take to protect themselves from any potential harm, and a description of what the covered entity involved is doing to investigate the breach, mitigate harm to individuals, and to protect against any further breaches. You’ll likely also need to include contact information for affected parties to reach out to for additional questions.
Step Four: Providing TIMELY Information
We’re sure it’s no surprise that your practice doesn’t have carte blanche control over when you provide breach notifications. The OCR actually lays out some pretty specific timelines here, including that:
- Breaches affecting 500+ patients require notification to affected individuals as well as the HHS within at minimum 60 days. These 60 days are only at the federal level, and states usually require shorter notification timeframes (particularly for patients) as well as specific timeframes to notify OTHER relevant parties. New York, for example, requires the NY Attorney General to be notified within 5 days of notifying HHS of a breach.
- Breaches affecting fewer than 500 patients, however, can be reported within 60 calendar days from the close of the year in which the breach occurred.
Either way, reports should always be done through the HHS breach portal, and we highly recommend submitting those breaches as soon as possible to proactively correct and mitigate any threats (and any resulting HIPAA fines you might be up for as well).
Additional Steps
While data breaches are usually out of anyone’s control, the way your practice actually handles the incident is the important part – and will help you avoid a resulting HIPAA fine. This is probably the never several steps in our book – not only handling the breach notification rule requirements but also mitigating the threat(s) and preventing future violations.
There are likely other specific requirements you need to meet as well (by state again…seriously, don’t shoot the messenger!) and having a complete HIPAA program, including breach notification policies and procedures, will help you get the right information for your specific scenario and check all requirements off your list.