HIPAA Breach Notification Rule: What you Need to Know



    Leonardo Koshoni, Head of Business Analysis
    March 8, 2022

    The breach notification rule dictates the action a covered entity must take in the event of a data breach. It outlines the expectations on the time frame, notified parties and how to approach the rectification of the breach.

    This is a key component of the HIPAA regulations. The primary purpose of the HIPAA regulations is to protect patient data in the healthcare system. Whether data is stored, transferred, or used by covered entities, those entities and their business associates must be HIPAA compliant.

    Unfortunately, mistakes are made and sometimes data isn’t protected effectively. Breaches do happen, and it’s important to be prepared for this eventuality rather than addressing the problem after the fact.

    Construct an action plan for the event of a data breach, known as a breach response plan. Ideally, you’ll never have to use it. However, an action plan can help to mitigate and limit the damage of a breach if one does occur. Ultimately, it’s always better to be prepared.


    What is a Breach?

    To prepare for a breach under HIPAA, you need to be able to identify one. This is where a clear understanding of HIPAA and other privacy regulations is key. 

    According to HIPAA, a breach is classified as “acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”

    Anyone that handles protected health information (PHI) is bound by HIPAA, even digital health projects. The size of the breach may dictate the outcome of penalties and fines, but the breach notification rule is applicable to all breaches to varying degrees. 

    The primary motivation behind HIPAA is to protect those that provide their personal information. The breach notification rule ensures that appropriate parties are aware when their data is no longer protected, regardless of the extent. 

    So, the first step is to identify a breach. Then, you must carry out the required steps of the breach notification process. 

    Who Must be Contacted?

    The HIPAA regulations, and the breach notification rule, were made to ensure the privacy and security of protected health information. Therefore, one of the most important parties to be notified is the person that information pertains to.

    Depending on the size of the breach, this could be a relatively lengthy process. The number of individuals affected by the breach will also dictate media involvement. 

    Firstly, observe the size of the breach. Whether one individual’s data has been accessed or thousands of individuals have been affected, you must notify the victims. In the event of a breach of PHI, they must be contacted in written form, whether by post or email.

    If you don’t have the individuals’ relevant contact information, then information around the breach should be made available to the public. This could include a notice on the website, which must stay online for 90 days. 

    The correspondence between yourself and the affected individuals should include a brief description of the breach, what kind of information was involved, what steps you are taking to investigate and mitigate the damage from the breach, and how the individual can further protect themselves. You should also include contact information, should an individual wish to ask further questions.

    Once you have made the victims aware, you may need to notify the media of a breach of unsecured PHI. If your breach affected the data of over 500 people, you need to make the media aware. This means contacting the major media outlets for your state. You should use the same information that you sent to the individuals affected. 

    Notifying the media is an important step in large breaches, as it ensures that all those affected are made aware of the breach. This gives them every available opportunity to ask questions, and understand associated risks. 

    Finally, you do need to notify the appropriate governing bodies. This includes the Secretary of the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). These bodies keep a record of breaches and monitor issues over time.

    The Time Frame

    Getting the notifications out on time is critical for the mitigation and management of a breach. Your notifications outline protecting measures for victims, and state what mitigating efforts you are taking to help secure their information. This is key information to get out as quickly as possible. 

    If your breach affects over 500 people, you have 60 days after the discovery of the breach to make your notifications to the victims, the media and the HHS/OCR. However, it’s a good rule of thumb to work to the same 60-day notification window regardless of the size of the breach.

    If your breach affects fewer than 500 people, you have 60 days to notify the victims of the breach. However, you do not need to notify the media.

    You must still notify the HHS/OCR. However, the time frame isn’t as stringent: you must submit the details of the breach no later than 60 days after the end of the calendar year to meet the reporting requirements. It may still be simpler to stick to the 60-day timeframe used for larger breaches. This way, you can ensure that you have met all HIPAA breach notification requirements and avoid a violation. Timely notification could also go a long way for your reputation.


    HIPAA Data Breach Risk Assessment

    A data breach risk assessment is a critical component of your post-breach investigation. As part of your notifications, you should have outlined what steps you intend to take to reduce the damage of the breach. Your risk assessment will help you to identify the consequences, vulnerabilities that resulted in the breach, and how to avoid them in the future. 

    There are four key factors to a HIPAA risk assessment:

    1. What kind of protected health information was affected, and to what extent?

    2. Who was the unauthorized party that accessed the protected health information?

    3. Did the unauthorized organization or individual actually acquire or view the protected health information?

    4. To what extent was the risk mitigated?

    Assign a risk level to each of these factors. Together, these criteria establish the level of potential damage caused by the breach and how far your current safeguards mitigated that damage. This is a good starting point for a breach assessment and should help you to identify further necessary safeguards.

    At Vertrical, we understand the importance of the privacy of protected health information. HIPAA compliance not only protects your end-users, but your business, too. That’s why we have teams of compliance experts ready to get to work on your digital health projects. Get in touch today to discuss your next digital health solution.


