You may remember that a few weeks ago, we talked about HIPAA’s Privacy, Security and Breach Notification Rules. We also held a webinar last week that provided an overview of HIPAA and its Rules. Hopefully you came away from both with an understanding of how these laws protect both patients and healthcare organizations. They act as a framework for guarding patient privacy, keeping data accessible and preventing breaches – and, of course, letting the right parties know when a breach has occurred.
That last, of course, is where the Breach Notification Rule comes into play, and it drove a number of questions during our webinar. Let’s take a closer look at what the rule calls for and when.
The laws of notification
No one wants a breach to occur, but they are a fact of a life. Be aware that a breach in this case doesn’t have to be a widespread hacking of the organization’s database; it could be something like a lost laptop, or a small medical practice being robbed, with paper files missing.
When a breach does happen, the natural reaction is one of panic and uncertainty. That’s where HIPAA’s Breach Notification Rule provides guidance, by mapping out a plan of action. The organization must notify the impacted individuals, the Department of Health and Human Services (HHS) and occasionally the media. Let’s review the specifics:
- Time: You must take action “without unreasonable delay” and no later than 60 days following the discovery of a breach.
- Procedure: You must notify impacted parties through first-class mail or electronic mail, and you must include a working toll-free number to learn more about the breach for at least 90 days. The covered entity is responsible for ensuring notification, even if the business associate (BA) is the source of the breach; however, the notification can be delegated to the BA, if that makes the most sense.
- Information: The notification must describe how the breach happened, what information was compromised, the investigation into the cause of the breach, and any steps being taken to prevent future problems. Patients must also be told the steps to take to protect themselves from any repercussions such as identity theft.
- Media: If a breach affects more than 500 residents of a state or jurisdiction, you’re required to provide notice to prominent media outlets serving that area. A press release can suffice for this, although a large-scale breach that’s likely to stir up intense media scrutiny will probably demand a larger communications plan. Again, this needs to happen without unreasonable delay and in no case later than 60 days following the discovery of a breach.
- Health and Human Services Secretary: You must submit an electronic report at the HHS site. If it’s a breach affecting 500 or more people, you’ll need to notify within the same 60 day timeframe; if it’s a smaller breach, an annual report is suitable. Be aware that all breaches affecting 500 or more people are reported on a special website known as HHS’s “Wall of Shame.” It will detail where and why the breach occurred, how many people were impacted, and what corrective actions or fines were issued as a result.
Remember, a breach can be something you consider as small as a lost tablet or laptop. So the odds are that at some point you’ll need to better understand how to handle the notification process. To limit your exposure to a breach, make sure your security policies – including physical security – are in top notch condition and that your compliance initiatives support them.