HHS developed the Breach Notification Rule as an addition to HIPAA to ensure covered entities and business associates take responsibility for and inform patients of breaches to their protected health information. In this article, we’ll go over what your team needs to know to help you ensure compliance.
To learn more about the Privacy Rule, click here.
To learn more about the Security Rule, click here.
WHAT IS HIPAA
HHS wrote the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to improve the safety and privacy of medical information following the advent of electronic health records (EHR). Before this, there weren’t federal laws to regulate the protection and exchange of medical records.
Instead, these were fairly lawless times in this regard. While most healthcare providers would act reasonably, there were plenty of issues. For example, patients couldn’t always get copies of their medical records. Their employers, however, could acquire them via their health insurance provider.
Additionally, because EHR technology was fairly new, companies didn’t have the same security pressures. In many cases, there was little stopping these companies from using mediocre security measures to save money on development.
These issues and more continued until The Department of Health and Human Services (HHS) intervened by creating HIPAA. This defined important terms like protected health information (PHI) and set regulatory baselines for how medical information can be disclosed.
It’s difficult to estimate how many people were affected by conduct that would now be a breach of HIPAA. Without protections to safeguard medical information, personal issues could easily become public.
For example, consider an employer asking for medical records to learn more about a new hire. In these records exists sensitive information that patients willfully shared with their healthcare providers.
What happens when one of these providers shares the records and something inside leads the employer to turn down their application? Now the patient’s information is in the wrong hands and being used maliciously. In future appointments, this could lead the patient to withhold information from their doctor, potentially causing major complications.
WHAT IS THE BREACH NOTIFICATION RULE
The Breach Notification Rule was passed in 2009, following the Security Rule in 2005 and the Privacy Rule in 2000. While the previous two sets of HIPAA rules focused on ensuring the safety of protected health information, the Breach Notification Rule focused on what happens when PHI is used, viewed, or disclosed without authorization.
Before we look at the various key aspects of this rule, we must define what constitutes a breach. In basic terms, a breach generally refers to the use or disclosure of PHI that is non-compliant with the Privacy Rule.
An impermissible use or disclosure of PHI isn’t always guaranteed to constitute a breach, however. With a risk assessment, covered entities and business associates can prove that there’s a low probability PHI has been compromised.
To prove that a breach has not occurred, the following points must be identified:
- The nature of the PHI and the extent to which it can be used to identify the patient.
- The identity of the unauthorized individual who used, disclosed, or received the PHI.
- Whether an unauthorized individual actually accessed or viewed the PHI.
- Measures to mitigate the risk after the incident.
If a breach has occurred, the Breach Notification Rule requires the covered entity or business associate to submit a notification. The extent of this notification is based on the size and nature of the breach.
NOTIFICATION REQUIREMENTS
As mentioned above, covered entities and business associates must send notifications for every breach that cannot be shown to carry a low probability of compromise. The required notifications are based on the size and nature of the breach, and larger breaches require greater notification efforts.
First, a risk assessment must be conducted to determine whether and how unauthorized individuals accessed and/or used PHI. Notification isn’t required if the covered entity or business associate can prove that the PHI hasn’t been used or disclosed.
For example, notification is not required if the medical records were encrypted and the unauthorized individual has no access to the decryption key. Properly implemented strong encryption is practically unbreakable, so encrypted PHI is useless to a potential identity thief or hacker as long as the key itself remains protected.
If the risk assessment cannot prove that the PHI wasn’t used and/or disclosed, notifications are necessary. It must then be determined how many individuals were affected by a breach.
BREACHES AFFECTING <500 INDIVIDUALS
If a breach affects fewer than 500 individuals, the notification requirements are less demanding than those for larger breaches. In these smaller breaches, covered entities and business associates are only required to notify the affected individual(s) and the Secretary of HHS. The timeline for announcing such breaches is also more lenient than that for larger breaches.
For the individual notice, covered entities (CEs) and business associates (BAs) must send notification via either email or first-class mail. The CE or BA must send these notifications without unreasonable delay, and in no case later than 60 days after discovery of the breach. This notice must include the following information:
- A description of the breach
- The type(s) of information breached
- The covered entity or business associate’s contact information
- Information about what steps the covered entity or business associate is taking to investigate the breach, minimize harm, and prevent future breaches
- Steps the individual(s) affected can take to minimize the potential harm of the breach
In addition to the individual notification, the CE or BA must submit notice to the Secretary of Health and Human Services. For breaches that affect fewer than 500 individuals, the CE or BA doesn’t need to notify the Secretary immediately.
Instead, covered entities and business associates can include these breaches in an annual report to HHS. The CE or BA must submit this report to HHS within 60 days of the end of the calendar year.
HHS doesn’t require the CE or BA to notify the media for these smaller breaches.
BREACHES AFFECTING 500+ INDIVIDUALS
If a breach affects 500 or more individuals, covered entities and business associates must adhere to the stricter notification requirements. In these breaches, CEs and BAs must notify the individuals affected, the Secretary of HHS, and the media.
The individual notices are identical to those in the category above. CEs and BAs must notify patients via either email or first-class mail. The CE or BA must send these notifications without unreasonable delay, and in no case later than 60 days after discovery of the breach. This notice must include the following information:
- A description of the breach
- The type(s) of information breached
- The covered entity or business associate’s contact information
- Information about what steps the covered entity or business associate is taking to investigate the breach, minimize harm, and prevent future breaches
- Steps the individual(s) affected can take to minimize the potential harm of the breach
The notice to the Secretary is similar to that for smaller breaches, but the timeline is different. Instead of including these notices in the annual report, CEs and BAs must report them right away: without unreasonable delay and within 60 days of breach discovery.
Additionally, for breaches that affect more than 500 residents of a single state or jurisdiction, CEs and BAs must notify prominent media outlets serving that area. This notification must occur within 60 days of breach discovery and carries the same content requirements as the individual notification. Media notification most frequently takes the form of a press release.
In order to provide the most accurate notifications and guidance, it’s important to work through the four factors of the risk assessment.
RISK ASSESSMENT
Risk assessment is the process, following breach discovery, of estimating the risk to the affected individual(s). Four factors, taken together, determine the patients’ potential privacy and security exposure after a breach.
HHS ranks the risk level as low, medium, or high depending on the outcome of the assessment. Low-risk breaches don’t always require notification, and performing a risk assessment isn’t itself mandatory. Instead, you can simply presume that the PHI has been breached and notify all required parties.
If you do choose to perform a risk assessment, answer the following questions and rate the risk from low to high.
- What type of PHI did the CE or BA potentially breach and to what extent?
In addition to determining the sensitivity of the PHI (such as psychotherapy notes and HIV status), investigate the PII present. This could include name, address, DoB, SSN, and other information that may help identify the individual.
- Who received the PHI without authorization?
If the PHI was received by another individual or organization that is itself responsible for the privacy and security of PHI, such as another covered entity, further misuse is unlikely. Try to determine who received the information and what they may do with it.
- Did the recipient view or use the PHI?
What are the chances that an unauthorized individual actually viewed the PHI? PHI on a lost password-protected laptop is less likely to have been viewed than PHI in a fax or letter delivered to the wrong person.
- What steps has your organization taken to minimize the risk?
Your immediate response to breach discovery should be rectification. Attempt to destroy the breached information or render it unusable if possible. If the CE or BA can recover PHI or obtain assurances that the recipient will destroy it without viewing or using it, the risk will be lower.
REDUCING THE RISK OF BREACHES
The risk of breaching PHI is ever-present in the healthcare industry, but the stakes have never been higher. As hackers develop new ways to breach information, improved defenses are essential.
While the Breach Notification Rule regulates what happens after a breach, you must look elsewhere for ways to prevent breaches. The Privacy Rule and Security Rule, both of which predate the Breach Notification Rule, set regulations to safeguard PHI.
The best way you can help protect your organization is by using these two other rules as baseline standards. You can never be too secure though, so it may be worth bolstering your defenses beyond base regulations.
Unsure what these rules entail?
In addition to following the rules and regulations set out in the above rules, you can also consider real-life examples of breaches and set up organizational guidelines to mitigate the risk of similar events. Here are three examples:
A laptop stolen from a healthcare worker’s car breached over 20,000 records. CEs and BAs should ensure all devices containing PHI are protected with strong passwords and encrypted at rest (a login password alone does not protect the data on a stolen drive), and are never left unattended in public spaces.
A copy machine rental oversight breached the PHI of nearly 345,000 individuals. CEs and BAs should wipe the storage of all copiers and fax machines before disposing of them or returning them to a leasing company.
A misconfiguration that made records appear in a basic Google search breached the PHI of over 1,000,000 individuals. Health IT professionals must take extreme care to correctly configure servers that house PHI and regularly check them for weaknesses.
A large PHI breach can carry immense financial penalties and damage the reputation of your organization for years.
CHARTREQUEST PREVENTS BREACHES
The best way to reduce the burden of the Breach Notification Rule is to reduce the chances of a breach. That’s where we come in.
ChartRequest strives to provide the most secure, user-friendly, and efficient medical records exchange platform possible. Our 7-step release of information workflow catches errors before they can happen, saving you the stress of notification.
When you benefit, your patients benefit too. Finding out your personal information has been violated is a terrible feeling. Unfortunately, a single incorrect number entered into a fax machine can send PHI to the wrong person.
You can’t always know who’s at the end of a fax machine. Don’t leave the security of medical records exchange up to chance. Click here to see which partnership option is best for you.