How to Create a HIPAA Data Breach Notification Policy

Failure to provide timely notification of patient data breaches exposes your lab to significant HIPAA liability risk

Glenn S. Demby

Glenn S. Demby is an award-winning journalist with a track record of telling business professionals who aren’t lawyers how to comply with the parts of the law that affect their day-to-day operations. He has expertise in numerous aspects of law including employment, labor, health care, tax, payroll, benefits, and education. He won the Specialized Information Publishing Association’s editorial excellence award four years in a row. A graduate of Columbia University School of Law, he practiced as a corporate lawyer on Wall Street prior to his career as a B2B journalist. In addition to overseeing the content of the four G2 Intelligence monthly briefings, he contributes to the daily Laboratory and Pathology Insider.

Published: May 18, 2023 | 4 min read
Clinical labs and other health care providers have become a favorite target for hacking and other cyberattacks. While prevention should be your priority, you must also be prepared to respond and minimize the damage when a data breach occurs. Providing timely notification under the HIPAA Breach Notification Rule is a crucial part of breach response, and more than one provider has learned this lesson the hard way. The Notification Rule is enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and the settlements and civil money penalties OCR has announced against providers that notified late, or not at all, show that the price tag for violating it is high.

Here is an overview of the Notification Rule and how to comply with it:

What the notification rule requires

The Notification Rule (45 CFR §§ 164.400-414) requires covered entities, including labs, to notify affected individuals, HHS, and in some cases the media of breaches of unsecured protected health information (PHI); a business associate that discovers a breach must notify the covered entity. Notification must be provided “without unreasonable delay” and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known to the lab, or would have been known had the lab exercised reasonable diligence, so the clock does not wait for the investigation to finish. OCR’s enforcement record shows how strictly it applies these deadlines and holds violators accountable.

Why you need a policy

Breach notification is not something you can do spur of the moment. You must plan ahead and implement a policy that allows you to

  • investigate incidents where PHI has been compromised,
  • determine whether the incident constitutes a breach requiring notification, and if so,
  • process and transmit the appropriate notifications.

Eight things to include in your breach notification policy

Although breach notification policies can be somewhat customized, they must include the following:

1. Incident investigation and breach determination protocols

In your protocol, require designated personnel, e.g., a privacy officer or incident response team, to investigate incidents to determine if they constitute “breaches” requiring notification. Explain what a “breach” is and list examples, and include what information investigators should collect to determine whether the incident constitutes a reportable breach, including the following:

  • The data involved
  • How the information was accessed, used, or disclosed
  • Whether the access, use, or disclosure was authorized by your lab’s HIPAA policies
  • The incident date(s)
  • The date the incident was discovered
  • The number of individual patients whose PHI was or may have been compromised

2. Determination of whether PHI was “secured”

A breach under the rule is a breach of unsecured PHI. If the compromised data was properly secured, the incident is not a breach for notification purposes and no notification is required. So, require investigators to determine whether the compromised data was secured or unsecured and to document how they reached that conclusion.

  • PHI is “unsecured” if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a technology or methodology specified in HHS guidance. The guidance recognizes only two such methods: encryption and destruction.
  • Electronic PHI is secured if (1) it was encrypted consistent with the NIST publications cited in the HHS guidance (NIST SP 800-111 for data at rest; NIST SP 800-52, 800-77, or 800-113 for data in transit), and (2) the individual or entity with improper access did not also obtain the decryption key or process. Paper and film are secured if shredded or destroyed so the PHI cannot be read or reconstructed; electronic media are secured if cleared, purged, or destroyed consistent with NIST SP 800-88.

Two practical caveats for the investigator. First, encryption at rest only protects against loss of the storage medium: an attacker who logs in with stolen credentials, or who takes a laptop that was powered on and unlocked, reads the data in the clear, so a stolen-credential or ransomware incident is almost never “secured” on the strength of disk or database encryption. Second, “it was encrypted” has to be provable: keep the endpoint-management or disk-encryption status records (for example, BitLocker or FileVault enforcement reports) for each device, because the burden of demonstrating that an incident was not a breach rests on the lab (45 CFR § 164.414(b)).

3. Determination of whether notification exception applies

An impermissible use or disclosure of unsecured PHI is still not a reportable breach if one of the rule’s three exceptions applies (45 CFR § 164.402). Investigators should check each exception and document their findings.

Notification Exceptions
Notification is not required if the incident falls within one of these exceptions:
The unintentional acquisition, access, or use of PHI exception applies if ALL of the following are true:
  1. The acquisition, access, or use of the PHI was unintentional.
  2. The individual who acquired, accessed, or used the PHI was
    1. a member of the lab’s workforce,
    2. a member of the workforce of a lab business associate, or
    3. a person acting under the authority of the lab or its business associate.
  3. The individual acquired, accessed, or used the PHI in good faith and within the scope of his or her authority.
  4. The acquisition, access, or use did not result in a further use or disclosure that the Privacy Rule does not permit.
The inadvertent internal disclosure of PHI exception applies if ALL of the following are true:
  1. The disclosure was made by an individual authorized to access PHI.
  2. The disclosure was made to an individual authorized to access PHI.
  3. Both individuals work for the same organization, which may include the lab, a business associate, or an organized health care arrangement in which the lab participates.
  4. The disclosure did not result in a further use or disclosure that the Privacy Rule does not permit.
The unable-to-retain exception applies if the lab has a good faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain it, for example, a misaddressed envelope that the postal service returns unopened.

4. Risk assessment

If the PHI is unsecured and no exception applies, the impermissible use or disclosure is presumed to be a breach unless the lab can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The rule requires the assessment to consider at least these four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom it was disclosed (for example, another HIPAA-covered provider versus an unknown outside party)
  • Whether the PHI was actually acquired or viewed, or only exposed (forensic evidence such as access logs matters here)
  • The extent to which the risk to the PHI has been mitigated, for example, by obtaining a signed attestation that the recipient destroyed the data

Require investigators to conduct and document this assessment for every incident that reaches this step. If the assessment is skipped, the incident must be treated as a breach, and the written assessment is the lab’s evidence if OCR later asks why notification was not made.

5. Individual notification

If you determine that a HIPAA breach occurred, you must notify each affected individual without unreasonable delay and no later than 60 calendar days after you discovered the breach; 60 days is the outer limit, not a target. Notice goes in writing by first-class mail to the individual’s last known address, or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more individuals, the rule requires substitute notice, either a conspicuous posting on your website home page for 90 days or notice in major print or broadcast media, in each case with a toll-free number active for at least 90 days. Make sure your policy covers these mechanics, starting with the individuals whose PHI was or may have been compromised as a result of the breach.

6. HHS/OCR notification

You must also notify HHS, through OCR, of every breach, but the timing depends on how many individuals are affected. For a breach affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 calendar days after discovery, in parallel with the individual notices. For a breach affecting fewer than 500 individuals, log the breach and submit the report no later than 60 days after the end of the calendar year in which the breach was discovered; you may report small breaches earlier, but you cannot wait past that date. In both cases, the notification is made by filling out and submitting the breach report form on the HHS website.

7. Media notification

Breaches that affect 500 or more residents of a single state or jurisdiction must also be reported to “prominent media outlets” serving that state or jurisdiction, without unreasonable delay and no later than 60 calendar days after discovery, typically in the form of a press release. The threshold is counted per state, so a breach of 1,200 patients spread across three states may trigger media notice in none of them.

8. What notification should include

The content requirements for individual and media notices are the same, and the HHS breach report form asks for the same underlying facts, so list the required elements once at the end of your notification policy. Notices must be written in plain language and include the following:

  • A brief description of what happened, including the date of the breach and the date of discovery, if known
  • A description of the types of unsecured PHI involved (for example, name, date of birth, diagnosis, test results, Social Security number)
  • Steps affected individuals should take to protect themselves from potential harm
  • A brief description of what the lab is doing to investigate the breach, mitigate harm, and protect against further breaches
  • Contact procedures for questions, which must include a toll-free telephone number, an email address, a website, or a postal address
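The eight steps above are a decision procedure, and the part that trips up incident responders in practice is the clock: which notices are due, and by when, given the discovery date and how many residents of each state are affected. The following Python is an added example written for this article (not HHS or OCR tooling, and not code from the author) that walks the determination in the order the policy describes and computes the outer-limit dates under 45 CFR §§ 164.404-164.408. The incident records, the conservative rule that treats probability of compromise as low only when none of the four risk factors weighs against it, and the field names are all assumptions for illustration; the deadlines it returns are "no later than" limits, not targets, and state breach laws may be shorter.

```python
"""Breach determination and notification-deadline helper (worked example for the
policy above; constructed inputs, not HHS/OCR code). Deadlines are the outer
limits of 45 CFR 164.404-164.408; notice is still due without unreasonable delay."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

OUTER_LIMIT = timedelta(days=60)   # 164.404(b), 164.406(b), 164.408(b)
MEDIA_THRESHOLD = 500              # 164.406: 500+ residents of one state/jurisdiction
HHS_PROMPT_THRESHOLD = 500         # 164.408(b): 500+ individuals -> HHS within 60 days

# 164.402(1): the three statutory exceptions to "breach" (labels are ours)
EXCEPTIONS = {"unintentional_workforce", "inadvertent_internal", "could_not_retain"}


@dataclass
class Incident:
    discovered: date                    # first day known, or should have been known
    affected_by_state: Dict[str, int]   # constructed counts of affected residents per state
    encrypted: bool                     # data the attacker obtained was encrypted per HHS/NIST guidance
    key_exposed: bool                   # attacker also obtained the key or decryption process
    exception: Optional[str] = None     # one of EXCEPTIONS if the investigator found it applies
    # Four risk-assessment factors of 164.402(2), as recorded by the investigator.
    # True means the factor weighs AGAINST a low-probability finding (assumed encoding).
    sensitive_identifiers: bool = True  # nature/extent of PHI, re-identification likelihood
    recipient_unobligated: bool = True  # recipient is not a HIPAA-bound entity or person
    actually_viewed: bool = True        # PHI was actually acquired or viewed
    unmitigated: bool = True            # no return, destruction, or attestation obtained


@dataclass
class Determination:
    is_breach: bool
    reason: str
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    hhs_via_annual_log: bool = False
    media_deadlines: Dict[str, date] = field(default_factory=dict)


def risk_assessment_is_low(inc: Incident) -> bool:
    """Conservative house rule (an assumption, not the regulation's wording): only
    treat the probability of compromise as low when none of the four factors weighs
    against it. Anything else stays a presumed breach."""
    return not (inc.sensitive_identifiers or inc.recipient_unobligated
                or inc.actually_viewed or inc.unmitigated)


def determine(inc: Incident) -> Determination:
    """Walk steps 2-7 of the policy in order; return what must be sent and by when."""
    if inc.encrypted and not inc.key_exposed:                     # step 2: secured PHI
        return Determination(False, "PHI was secured: encrypted and key not exposed")
    if inc.exception in EXCEPTIONS:                               # step 3: exceptions
        return Determination(False, f"exception applies: {inc.exception}")
    if risk_assessment_is_low(inc):                               # step 4: risk assessment
        return Determination(False, "documented risk assessment: low probability of compromise")

    limit = inc.discovered + OUTER_LIMIT                          # clock runs from discovery
    det = Determination(True, "unsecured PHI, no exception, not low probability",
                        individual_deadline=limit)                # step 5
    total = sum(inc.affected_by_state.values())
    if total >= HHS_PROMPT_THRESHOLD:                             # step 6
        det.hhs_deadline = limit
    else:
        # fewer than 500: log it, report within 60 days after the END of the calendar year
        det.hhs_via_annual_log = True
        det.hhs_deadline = date(inc.discovered.year, 12, 31) + OUTER_LIMIT
    det.media_deadlines = {st: limit for st, n in inc.affected_by_state.items()
                           if n >= MEDIA_THRESHOLD}               # step 7, counted per state
    return det


# Constructed sample incidents (not real cases).
STOLEN_LAPTOP = Incident(date(2023, 5, 1), {"TX": 2500}, encrypted=True, key_exposed=False)
# Ransomware with exfiltration: disk encryption is irrelevant once the attacker has
# application-level access, so the exfiltrated data counts as unencrypted.
RANSOMWARE = Incident(date(2023, 5, 1), {"TX": 1200, "OK": 300}, encrypted=False, key_exposed=False)
MISFILED_RECORDS = Incident(date(2023, 5, 1), {"TX": 40}, encrypted=False, key_exposed=False)

if __name__ == "__main__":
    for name, inc in [("laptop", STOLEN_LAPTOP), ("ransomware", RANSOMWARE),
                      ("misfiled", MISFILED_RECORDS)]:
        print(name, determine(inc))
```

Two design points worth noting. The secured-PHI check takes the encryption state of the data the attacker actually obtained, not of the storage medium, which is why the ransomware sample is marked unencrypted even though the database may well have been encrypted at rest. And the small-breach HHS date is computed from December 31 of the discovery year plus 60 days, so a breach discovered on May 1, 2023 can sit in the annual log until February 29, 2024, while the individual notices for that same breach are still due by June 30, 2023.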

Takeaway

HIPAA liability for data breaches often depends on what you do after they occur. You have at most 60 calendar days from discovery, not from the incident itself, to figure out what went wrong, which medical records were involved and, above all, whether the incident constitutes a breach for which notification is required. If so, you must prepare and deliver all of the required notifications within that window, and state breach notification laws may impose shorter deadlines or additional recipients. Whatever you conclude, document the investigation, the secured/unsecured finding, the exception analysis and the risk assessment, because the burden of proving that notice was given, or was not required, is on the lab. Implementing the right breach notification policy gives you the best chance at meeting this challenge.

For further details and instructions, see HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.


Tags: Informatics, Compliance, Regulations, Management, Data Management