Clinical labs and other health care providers have become a favorite target for hacking and cyberattacks. While prevention should be your priority, you must also be prepared to respond and minimize the damage when a data breach occurs. Providing timely notification under the HIPAA Breach Notification Rule is a crucial part of breach response. More than one provider has learned this lesson the hard way. The Notification Rule requirements are enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and the price tag for violating these rules is quite high:
- Presence Health in Chicago paid $475,000 in 2017
- Sentara Hospitals in Virginia paid $2.175 million in 2019
- Touchstone Medical Imaging in Tennessee paid $3.00 million in 2019
Here is an overview of the Notification Rule and how to comply with it:
What the notification rule requires
The Notification Rule requires providers to notify affected parties of breaches that compromise protected health information (PHI). Notification must be provided “without unreasonable delay” and no later than 60 days of discovering the breach. The settlements listed above indicate how strictly the OCR enforces the rule and holds violators accountable.
Why you need a policy
Breach notification is not something you can do spur of the moment. You must plan ahead and implement a policy that allows you to
- investigate incidents where PHI has been compromised,
- determine whether the incident constitutes a breach requiring notification, and if so,
- process and transmit the appropriate notifications.
Eight things to include in your breach notification policy
Although breach notification policies can be somewhat customized, they must include the following:
1. Incident investigation and breach determination protocols
In your protocol, require designated personnel, e.g., a privacy officer or incident response team, to investigate incidents to determine if they constitute “breaches” requiring notification. Explain what a “breach” is and list examples, and include what information investigators should collect to determine whether the incident constitutes a reportable breach, including the following:
- The data involved
- How the information was accessed, used, or disclosed
- Whether the access, use, or disclosure was authorized by your lab’s HIPAA policies
- The incident date(s)
- The date the incident was discovered
- The number of individual patients whose PHI was or may have been compromised
2. Determination of whether PHI was “secured”
A breach occurs when the compromised data was unsecured; if the data was properly secured, the incident is not deemed a breach and no notification is required. So, require investigators to determine if the compromised data was secured or unsecured and explain how.
- Data is deemed to be unsecured if it is not encrypted and rendered unusable, unreadable, or indecipherable to unauthorized individuals using a technology or methodology specified by the HHS Secretary.
- Electronic data is deemed to be secured if (1) it is properly encrypted according to HHS guidance, and (2) the individual or entity with improper access to the information does not have access to the confidential decryption key or process.
3. Determination of whether notification exception applies
A breach occurs when the compromised PHI is unsecured. However, there are two exceptions. Investigators should determine whether either exception applies.
|Notification is not required if the incident falls within one of two exceptions:|
|The unintentional acquisition, access, or use of PHI exception applies if ALL of the following are true:|
|The inadvertent internal disclosure of PHI exception applies if ALL of the following are true:|
4. Risk assessment
If the PHI is unsecured and neither exception applies, the impermissible use or disclosure is presumed to be a breach unless a risk assessment concludes that there is a low probability that PHI was compromised. Thus, investigators should conduct such a risk assessment.
5. Individual notification
If you determine that a HIPAA breach occurred, you must notify affected individuals within 60 days of when you first learned of the incident. Make sure your policy provides for such notification, starting with the individuals whose PHI was or may have been compromised as a result of the breach.
6. HHS/OCR notification
You must also notify the Office for Civil Rights (OCR) of breaches. Unlike individual notices, the 60-day deadline for OCR notice varies depending on the number of individuals affected. To notify HHS, fill out and submit a breach report form on the HHS web site.
7. Media notification
Breaches that affect 500 or more individuals in a state must also be reported to “prominent media outlets” serving the state within the 60-day deadline, typically in the form of a press release.
8. What notification should include
Content requirements for all three forms of notice—patient, HHS, and media—are the same and should be listed at the end of your notification policy.
While notification to HHS is completed via the HHS breach report form, individual and media notification should include the following:
- Brief description of the breach
- What type of information was involved
- What affected individuals should do to protect themselves
- Brief description of the investigation into the breach
- Contact information for the covered entity and/or business associate
HIPAA liability for data breaches often depends on what you do after they occur. You have only 60 days to figure out what went wrong, which medical records were involved and, above all, whether the incident constitutes a breach for which breach notification is required. If so, you must prepare and deliver all of the required notifications. Implementing the right breach notification policy gives you the best chance at meeting this challenge.