HIPAA Breach Notification Rule

642 healthcare data breaches of 500 or more records were reported in 2020, according to HIPAA Journal. That equates to 1.76 data breaches reported each day in 2020.

HIPAA

HIPAA’s Breach Notification Rule requires covered entities and their business associates to report any breach impacting more than 500 patients within 60 days of discovery. 

A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”  

“An impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment,” according to the Department of Health and Human Services.

Protected Health Information (PHI) 

Protected Health Information, or PHI, includes any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed while providing a health care service, such as a diagnosis or treatment.

In other words, PHI is personally identifiable information in medical records, including conversations between doctors and nurses about treatment. PHI also includes billing information and any patient-identifiable information in a health insurance company's computer system.

What Is the HIPAA Law and Privacy Rule?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health insurance providers, doctors, hospitals, and other health care providers.

Developed by the Department of Health and Human Services, the HIPAA Law and Privacy Rule set the standard for protecting sensitive patient data by creating the standards for the electronic exchange, privacy, and security of patient medical information by those in the health care industry.

The 4 Rules of HIPAA

Under the HIPAA law, there are four specific rules that must be followed by health care providers and other health companies:

• HIPAA Privacy Rule: Sets national standards for when protected health information PHI may be used or disclosed.
  
• HIPAA Security Rule: Specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information.
  
• HIPAA Enforcement Rule: Indicates procedures for enforcement and procedures for hearings and penalties.
  
• HIPAA Breach Notification Rule: Requires health care providers to notify individuals and the US Department of Health and Human Services (HHS) when there has been a breach of protected health information.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ protected health information (PHI) by entities subject to the Privacy Rule. Covered entities include healthcare providers, health insurance carriers, and business associates.

A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide high-quality health care. The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. 

HIPAA Security Rule

The Security Rule protects a subset of all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must do the following:

• Ensure the confidentiality, integrity, and availability of all electronically protected health information.
• Detect and safeguard against anticipated threats to the security of the information.
• Verify compliance by their workforce.

HIPAA Breach Notification

Following a cybersecurity breach of protected health information, covered entities must provide notification of the breach to the affected individuals, the Secretary, and, in certain circumstances, the media.

Under HIPAA, providers are required to give notice about cybersecurity breaches that impact 500 or more patients within 60 days of discovering an incident. The notice must be provided to the US Department of Health and Human Services electronically via the HHS website.

Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually.

Non-compliance with HIPAA can result in hefty fines ranging from anywhere between $100 to $50,000 per violation or per PHI record affected, with a maximum penalty of up to $1.5 million per year.

What Should the HIPAA Notification Include?

The HIPAA Breach Notification Requirement calls for individual notice in written form by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically. It should include the following information:

• Description of the breach.
• A description of the type of information that was breached.
• Precautionary measures the victims should take to protect themselves from potential harm.
• A description of corrective measures and investigative action taken on an account of a breach.
• Contact information for the covered entity.

If the entity has incomplete contact details of 10 or more victims, they are required to post the notification on their website for 90 days and set up a toll-free number for victims to call and check if their information was involved in the breach.

HIPAA Requirements for Burden of Proof

According to the US Department of Health and Human Services:

“Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of “breach.”

Additionally, HHS states:

“Covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.”

This resource is provided for informational purposes. Specific legal questions regarding this information should be addressed by one's own counsel.

Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

• Tri-Cities, Washington 509.396.6640
• Yakima, Washington 509.396.6640
• Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!