What is a Breach and what am I supposed to do if one occurs?

According to the U.S. Department of Health and Human Services (HHS), the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HIPAA covered entities to provide notification to individuals when there has been a breach of their unsecured protected health information.

What is a breach?  The unauthorized acquisition, access, use, or disclosure of unsecured protected health information that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

What is unsecured PHI?  Protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology (encryption) or methodology (destruction) specified by the Secretary.

The HIPAA Omnibus Rule encourages covered entities to encrypt limited data sets and other protected health information pursuant to the Guidance in order to take advantage of the safe harbor provision of the breach notification rule.  If data is protected (secured) by encryption pursuant to the Guidance, then no breach notification is required following an impermissible use or disclosure of the information.

View the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

Breach Notification Requirements:

1.  Notify affected individuals in writing within 60 days of discovering their health information has been breached.

2.  Notify the Secretary of HHS on an annual basis (no later than 60 days from the end of the calendar year in which the breach was discovered) if the breach affects fewer than 500 individuals.

3.  Notify the Secretary of HHS and the media within 60 days of discovery of the breach, if the breach affects more than 500 individuals of a state or jurisdiction.

4.  If a business associate, notify the covered entity within 60 days of discovery of a breach.

Good to Know

When is it a Breach?  Any unauthorized use or disclosure of protected health information is considered to be a breach unless a Risk Assessment performed by the covered entity or business associate determines that there is a low probability that the protected health information has been compromised.  If the probability is low, the covered entity is not required to make breach notifications.  The Risk Assessment must consider at least the following factors:

1.  The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.

2.  The unauthorized person who used the protected health information or to whom the disclosure was made.

3.  Whether the protected health information was actually acquired or viewed.

4.  The extent to which the risk to the protected health information has been mitigated.

Breach Notification.  Ultimately, it remains the Covered Entity’s responsibility to ensure affected individuals are notified of a breach.  However, the Covered Entity is free to delegate this responsibility to a business associate.  Additionally, although a Risk Assessment is required in order to demonstrate that breach notification is not necessary, it is not required if notification is provided.  It is permissible for Covered Entities and Business Associates to provide notification for each breach of unsecured protected health information without performing a Risk Assessment.

The HIPAA Omnibus Rule requires that the following elements be included when providing notification of a breach to an individual:

1.  Brief description of what happened.  Include the date of the breach and date of discovery of the breach, if known.

2.  Description of the types of unsecured protected health information that were involved in the breach.  Examples include full name, social security number, date of birth, home address, account number, diagnosis, and disability code.

3.  Any steps individuals should take to protect themselves from potential harm resulting from the breach.

4.  Brief description of what the covered entity is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches.

5.  Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.

Burden of Proof.  Covered entities or business associates, when applicable, are required to demonstrate that they have provided proper notification in the event of a breach or that a specific use or disclosure of unsecured protected health information cannot be regarded as a breach.  Therefore, covered entities are required to maintain documentation to meet this burden of proof.

What happens if I do not comply?  The HIPAA Omnibus Rule is effective as of March 26, 2013.  Covered entities and business associates have up to 180 days after the effective date to come into compliance with any modifications to provisions in the Interim Final Rule.  If covered entities, and now business associates as well, have not implemented policies and procedures to meet HIPAA requirements and a breach occurs, then fines may be issued by HHS.  Civil Money Penalties increase based on the level of noncompliance and can be as much as $1.5 million for all violations of the same provision in a calendar year.

References

Health Information Technology for Economic and Clinical Health Act (HITECH) relevant sections: 

45 CFR Parts 160 and 164 – “HIPAA Omnibus Rule”, hhs.gov, published February 25, 2013, http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

U.S. Department of Health and Human Services Resources:

“Breach Notification Rule,” hhs.gov, accessed April 10, 2013, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.