Are You Required to Report a HIPAA Breach?

The Health Insurance Portability and Accountability Act, also known as HIPAA, creates a number of rules which some parties find difficult to implement and follow completely correctly, prompting some to question whether every breach of the HIPAA rules must be reported. This question may be especially common among organizations that were not previously covered by the HIPAA rules, or among agencies and institutions that have not yet experienced a breach.

The HIPAA rules must be followed by HIPAA covered entities, such as insurance companies or health clinics, and their staff. HIPAA was implemented to facilitate operations such as transferring patient information between institutions, while also requiring that many security features and policies be in place to protect the privacy of patient data.

The majority of HIPAA covered entities should be aware of how to handle breaches and of their obligations under HIPAA in this regard. HIPAA breach notifications must be issued when certain circumstances are met, for example if unencrypted patient data is lost or stolen through a hack or a misplaced portable device. Issuing these notifications is essential to remaining HIPAA compliant: parties that do not send notifications when they are required face the possibility of large fines. To help avoid this situation, and as a brief reminder of the main points, the HIPAA Breach Notification Requirements are discussed below.

An overview of HIPAA Breach Notification Requirements

The various obligations of covered entities are set forth in the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414. This part of the law requires HIPAA covered entities and their business associates to report any incident in which the confidentiality of electronic protected health information (ePHI), or of physical documents or records containing PHI, is breached. Here a breach means any acquisition, access, use, or disclosure of PHI other than in a way that is permitted under HIPAA.

Breaches also occur when unauthorized employees or others access records, whether by accident, through improper disclosure, by exposing PHI, or through so-called ransomware attacks. There are, however, some exceptions: if the breached data is encrypted and the encryption key remains secure; “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure”; inadvertent disclosures between two members of staff who are both authorized to access the information; or disclosures where there is a good faith belief that the person who made the disclosure would not have been able to retain the information.

If a notifiable breach does occur, there are specific requirements as to how notification must be carried out. Individuals who are affected, or possibly affected, must be informed by breach notification letters within 60 days of the discovery of the breach, unless law enforcement has requested a delay; in that case the letters must be sent as soon as the requested delay has expired. The Department of Health and Human Services must also be notified: within 60 days where more than 500 people are affected, or within 60 days of the end of the calendar year in which the breach occurred where fewer than 500 people are affected, i.e. before early March of the following year. Larger breaches must also be reported to the media within 60 days. If 10 or more affected individuals cannot be contacted and notified, a link to a notice must be prominently displayed on the entity’s website.