7 breach notification processes that must be followed
The breach notification rule requiring HIPAA-covered entities and their business associates to provide public notification following a breach of unsecured protected health information has been around since 2009. But with the industry besieged with ransomware and warnings that it will increasingly get worse during 2018, it’s time for a refresher course on complying with the rule’s provisions, courtesy of guidance from the Department of Health and Human Services, which enforces the rule.
Defining a breach
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can show a low probability that PHI has been compromised, based on the findings of a risk assessment.
Conducting a risk assessment
The risk assessment must cover the nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.
There are three exceptions to the definition of a breach. The first applies to the unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if the activity was done in good faith and within the scope of authority. The second exception applies to inadvertent disclosure of PHI by a person with authorized access. The third exception applies if the covered entity or business associate has a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Reporting a breach
Covered entities and business associates must issue breach notifications if the breach involved unsecured PHI. This is information that has not been rendered unusable, unreadable or indecipherable to unauthorized persons. Encryption and destruction are specified as the technologies and methodologies for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals.
Covered entities must issue a notice to affected individuals no longer than 60 days following discovery of a breach. The reality is that few meet that deadline, as attacks have become far more sophisticated and breaches more complicated. Still, that is the bar to aim for. Notices to HHS also have a 60-day limit for breaches affecting 500 or more individuals. Breaches affecting fewer than 500 individuals are reported to HHS on an annual basis, no later than 60 days after the end of the calendar year. Business associates must provide notice of a breach to the covered entity no later than 60 days from discovery of the breach. The business associate should give the covered entity the identity of each affected individual and any additional information that could support patient notification.
Covered entities and business associates have the burden of demonstrating that required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.
Covering the bases
Covered entities must have written policies and procedures for breach notification in place, train employees on those policies and procedures, and apply appropriate sanctions against employees who do not comply.