Take the lead in data protection best practices with our unified SIEM solution!
What is the HIPAA Breach Notification Rule?
HIPAA'sBreachNotification Rule, found in Sections 164.402-414 of the Code of Federal Regulations (CFR), is a set of standards that establish the need for covered entities and their associates to inform individuals whose information might have been leaked. It also establishes clear guidelines on how affected individuals must be informed and when external agencies, like media outlets and the Department of Health and Human Services(HHS), must be brought into the loop.
The goals of the Breach Notification Rule in HIPAA are to:
- Protect individuals: When a data breach occurs, HIPAA's notification policy mandates that patients whose information is exposed have the right to be informed about it. This notification allows them to take steps to protect themselves from potential identity theft or fraud, such as monitoring their credit reports or placing a freeze on their accounts.
- Increase accountability: By requiring covered entities and business associates to report breaches, HIPAA creates a system of accountability. This encourages them to prioritize data security and take appropriate measures to prevent breaches from happening in the first place.
Disclaimer: This guide cites guidance and documents about HIPAA published on the HHS website and the U.S. Government Publishing Office.
What are the requirements of the Breach Notification Rule?
Here's what covered entities have to keep in mind while understanding HIPAA-related breaches. Below, you will see some of the most important sections of HIPAA that pertain to the Breach Notification Rule along with a brief explanation of each of them.
164.402: What is a breach as defined by HIPAA?
According to HIPAA, a breach occurs when a patient's ePHI is accessed or disclosed without consent. This can happen accidentally, like in the case of a healthcare provider sending medical records to the wrong patient, or intentionally through a cyberattack that steals patient data from a hospital's computer system. This section also gives guidelines to determine the severity of a breach.
How HIPAA determines the severity of the breach
The severity of a breach depends on the four-factor test:
- Type of PHI exposed: Information like a patient's full name, address, and diagnosis is more sensitive than basic details like height or weight of the individual.
- Identity of the unauthorized party: As an example, a curious coworker poses less risk than a criminal selling medical data on the black market.
- PHI acquisition vs. viewing: If there is unauthorized access, acquisition, or viewing of PHI, the covered entity (or business associate) must assess whether this incident constitutes a breach. One of the criteria for determining if a breach has occurred is whether the PHI was actually acquired or viewed. This means that the covered entity must investigate whether the unauthorized individuals who accessed the PHI actually looked at or retained the information.
- Mitigating the leak: If the vulnerability that allowed the breach is addressed, the overall risk is reduced.
The covered entity (typically a healthcare provider or health plan provider) is usually obligated to notify patients if their PHI has been compromised. This notification should explain the nature of the breach, the information potentially exposed, and steps being taken to address the vulnerability and prevent future incidents.
What is not a breach under HIPAA?
- Unintentional acquisition, access, or use: The first exception occurs when an authorized individual unintentionally accesses or uses PHI within the scope of their duties, without further disclosing it improperly. For instance, a receptionist might mistakenly open an electronic medical record while searching for a patient's file. Since this action was accidental and within her job responsibilities, it falls under this exception. However, if she intentionally accessed the record out of curiosity, it would constitute a breach.
- Inadvertent disclosure to an authorized person: The second exception applies when PHI is inadvertently disclosed to another authorized person within the same covered entity or business associate, and the information is not further disclosed improperly. For example, a nurse might mistakenly forward lab results to another doctor in the hospital, who promptly notifies the nurse and deletes the email. This accidental disclosure among authorized personnel does not qualify as a breach under HIPAA.
- Inability to retain PHI: The third exception occurs when a covered entity reasonably believes that an unauthorized recipient would not have been able to retain PHI. For instance, a hospital mistakenly sends discharge paperwork to the wrong address, but the package is returned unopened by the postal service. Because there's a reasonable assurance that the intended recipient did not access or retain the PHI, this incident would not be considered a breach. However, if the paperwork were delivered and opened by the unintended recipient, it would require further assessment under HIPAA guidelines.
164.404: How to notify individuals of a data breach
(a) General rule: Following the discovery of a breach of unsecured protected health information (PHI), a covered entity must notify impacted individuals. This includes situations where PHI has been accessed, used, or disclosed without the required permissions.
(b) Timeliness: The notification must be provided promptly and no later than 60 days after the breach is discovered.
(c) What must be included in a breach notification
(1) Elements:
- A concise description of the incident, detailing the dates of the breach and discovery (if known) alongside the types of unsecured PHI involved (e.g., full name, Social Security number, diagnosis)
- Recommendations for affected individuals to safeguard themselves, such as credit monitoring
- A summary of the covered entity's actions taken to investigate the breach, mitigate potential harm, and prevent similar occurrences in the future
- Contact information for inquiries or further details, including a toll-free phone number, email address, website, or mailing address
(2)The notification must be written in clear and understandable language.
ManageEngine Log360 helps you detect, investigate, and respond to threats while meeting compliance requirements.
(d) How to make a breach announcement
(1) Written notice: The preferred method of a data breach announcement is to send first-class mail to the individual's last known address. Alternatively, electronic notification can be used if the individual has previously agreed to receive communications electronically.
(2) Substitute notice: If the covered entity has outdated or insufficient contact information for individuals, a substitute form of notice should be used.
- For breaches affecting fewer than 10 individuals, alternative methods like certified mail, phone calls, or other reasonable means can be employed.
- For breaches impacting 10 or more individuals, substitute notice requires:
- A prominent posting for 90 days on the covered entity's website homepage.
- Or a conspicuous notice published in major newspapers or broadcast media within the affected geographic area.
- In both cases, a toll-free phone number should be included for individuals to inquire if their information might be involved in the breach. The contact number needs to remain active for at least 90 days.
(3) Urgent situations: If the covered entity believes there is a risk of imminent misuse of unsecured PHI, additional notification can be provided by phone or other appropriate means on top of the standard written notice.
164.406: How to notify the media
- If a covered entity experiences a breach of unsecured ePHI affecting more than 500 residents in a state, it must notify well-known media outlets in that state.
- This notification must happen promptly and no later than 60 days after discovering the breach.
- The notification should include details about the breach, as stated in 164.404(c).
164.408: How to notify the Secratary of HHS about a data breach
(a) Standard: If a covered entity discovers a breach of unsecured protected health information,it must notify the Secretary of the HHS. This notification should follow the guidelines outlined in 164.404(a)(2).
(b) Implementation specifications—breaches affecting 500 or more individuals: For larger breaches impacting at least 500 individuals, the covered entity must notify the Secretary at the same time they notify affected individuals under 164.404(a). The notification format should follow the instructions provided on the HHS website.
(c) Implementation specifications—breaches affecting less than 500 individuals: For smaller breaches involving less than 500 individuals, covered entities are not required to notify the Secretary immediately. Instead, they must keep a record (log or documentation) of these breaches. At the end of each calendar year, the Secretary must receive a report from the covered entities containing all such breaches that occurred during the previous year.
164.410: How a business associate should announce a data breach
(1)If a business associate discovers a data breach involving unsecured ePHI, it must notify the covered entity about the breach.
(2) Discovery of a breach: A breach is deemed discovered by a business associate on the earliest date when it became aware of the breach, or when it reasonably should have known about it through diligent monitoring. Knowledge of the breach is attributed to the business associate if any of its employees, officers, or agents (except the person responsible for the breach) were aware of it or should have reasonably been aware with proper effort.
(b) Timeliness of notification: The business associate must notify the covered entity about the breach as soon as possible, but no later than 60 days after discovering it. There are some exceptions under 164.412, but those are not covered here.
(c) What information should the notification include
(1) The notification should include a list of affected individuals, if possible. This means identifying everyone whose unsecured PHI may have been accessed, acquired, used, or disclosed during the breach.
(2) The business associate should also provide the covered entity with any other relevant information they have that the covered entity would need to notify affected individuals under 164.404(c). This information should be provided as soon as possible, either at the time of the initial notification or afterwards as it becomes available.
164.412: When can breach notifications be delayed?
If a law enforcement official requests a covered entity or business associate that notifying individuals about a data breach could hurt a criminal investigation or national security, the covered entity can delay the notification to affected individuals. However, to do this, due process must be followed.
(a) Written statement: The official should provide written documentation specifying a delay period, and the notification can be delayed for that amount of time.
(b) Oral statement: If the communication is verbal, the covered entity or business associate must document it, including the name of the office who requested the delay. The notification can be delayed for a short time, but no longer than 30 days from the conversation. The delay can be extended if the officer provides written justification within that 30-day window.
164.414: Administrative requirements and burden of proof
(a) Administrative requirements:Healthcare providers and health plans (covered entities) must follow specific administrative requirements outlined in164.530(b), (d), (e), (g), (h), (i), and (j) when dealing with patient data privacy under this subpart.
Summary of administrative requirements outlined in section 164.530
(b) Workforce training: Covered entities must implement a program to train their workforce onHIPAA Privacy Rule requirements. This includes understanding patients' rights, how to handle protected health information (PHI), and how to comply with the entity's privacy policies and procedures.
(d) Complaint procedures: Covered entities must have a process for patients to submit complaints about how their PHI is handled. This includes designating a contact person or office to receive complaints and having a clear procedure for investigating and responding to them.
(e) Sanctions: Covered entities must have policies and procedures to address workforce violations of the HIPAA Privacy Rule. This may include disciplinary action or termination depending on the severity of the violation.
(g) Mitigation: Covered entities must have a plan to mitigate any potential harm caused by unauthorized disclosures of PHI. This could involve notifying affected patients, taking steps to prevent future breaches, and reporting the incident to the HHS.
(h) Confidential communications: Covered entities must provide patients with different ways to request confidential communications about their PHI. This could include allowing them to request information by physical mail or through a secure online portal.
(i) Documentation: Covered entities must document their HIPAA Privacy Rule compliance efforts. This includes maintaining records of workforce training, complaints received, and any actions taken in response to violations or breaches.
(j) Retention and disposal: Covered entities must have policies for how long to retain PHI and how to dispose of it securely when it's no longer needed.
(b) Burden of proof: If there's a situation where a patient's information is used or disclosed in a way that violates HIPAA rules in this subpart, the burden of proof falls on the covered entity or business associate, depending on who was responsible. The responsible party will need to show that it properly notified everyone as required by HIPAA, or that the incident did not qualify as a data breach under the definition in 164.402.