Breach Notification Requirements for Healthcare Providers

March 1, 2018 by

Mahwish Khan

The healthcare industry has so many data security regulations that it can become overwhelming. These regulations are developed and implemented at the local, state and federal level, as well as through private organizations. When a breach takes place, there are certain procedures healthcare facilities must follow. In the following article, we define what a healthcare data breach is and outline key breach notification requirements.

What Constitutes a Breach in the Healthcare Industry?

A breach is defined as the disclosure or impermissible use of health data that compromises its privacy or security. A disclosure or impermissible use is considered a breach, except if the entity can provide evidence the health data has not been compromised. This evidence must be established through a risk assessment related to the following:

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Get Started

1. The type of health data involved, including what was identified and if there is any possibility the data could be identified again
2. The individual responsible for the breach, and who the data was disclosed to
3. If the health data was viewed by unauthorized parties
4. To what extent the health data was violated

In terms of the definition of a breach, there are three exclusions. They are:

1. The involuntary acquisition, use or access of health data via an employee or a person working alongside a business associate or covered entity (if access to the data was in line with the rules and regulations).
2. The accidental disclosure of health data via an individual who has been given permission to access data.
3. Whether the person who had access to the data had the ability to retain it or not.

State Regulations For Healthcare Data Privacy Rules

There are only three states that don't have their own privacy laws concerning breach notifications. When state law does not line up with HIPAA, they then look at federal regulations. However, when the state law contains more restrictions than HIPAA, state law is adhered to instead.

Florida Breach Notification Requirements

The difference between state and federal legal requirements is complicated, and often requires legal assistance depending on the state that your company is located in. In Florida, the following is required:

• Business associates and vendors are required to inform the covered entity they are employed by when a breach has taken place. They are expected to do this within ten days of the breach taking place.
• Those affected by the breach must receive written notice within 30 days of the breach.
• If over 500 individuals have been affected, the covered entity must notify the Florida Department of Legal Affairs within 30 days of the breach taking place.

What Is the HIPAA Privacy Rule?

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule enforces standards that protect personal health data kept through:

• Health plans
• Healthcare clearinghouses
• Healthcare providers who conduct electronic healthcare transactions
• Business associates

HIPAA is a federal rule that provides patients with important rights in relation to their health data. This includes the right to request a copy of their health records in any form they desire. It also allows them to request changes on their health records. HIPAA also allows the disclosure and use of health data required for patient care and other important things.

HIPAA Requirements For Breach Notifications

When a breach of health data has occurred, the covered entity is required to notify affected individuals of the breach. They are also required to notify the secretary of Health and Human Services (HHS) and in some instances, the media.

HIPAA Individual Notice Requirements

Covered entities are required to notify individuals if a breach has taken place. This must be sent in writing via direct mail to the individual. If the affected person has given their consent to receive electronic data they can do so via email. If the covered entity doesn't have the correct contact information for more than 10 individuals, they are required to either post a notification on the first page of their website for a minimum of 90 days, or provide a notice of the breach in the news media in the area where those affected reside. In their announcement, they must provide a toll free phone number to allow affected individuals to call and get additional information. This phone number must be available for at least 90 days.

If the covered entity has the wrong contact information for less than 10 people, it must provide information of the breach through a phone call or another method of communication.

These announcements must be sent out within 60 days of a breach discovery, and needs to include the following:

• Information about the type and extent of the breach
• Details about the type of data that was involved in the breach
• Advice for the affected individuals concerning how to prevent further damage
• Details about the steps the covered entity is taking for to properly investigate the breach, diminish harm and put a stop to more breaches taking place
• Contact information for the covered entity

Although the covered entity is responsible for making sure individuals are informed about a breach, they are also allowed to delegate responsibility for contacting individuals to the business associate responsible for the breach. Depending on the circumstances, both parties should work together to discuss who should provide the announcement of the breach.

HIPAA Media Notice Requirements

When a covered entity experiences a breach that affects more than 500 individuals in a particular jurisdiction or state, they are required to notify media outlets and the affected individuals about the breach. The announcement will typically go out as a press release. This media announcement should go out within 60 days of the breach taking place and should include the same information necessary for the individual announcements.

HIPAA Secretary Notification Requirements

As well as notifying individuals who have been affected and the media, a covered entity is also required to inform the HHS Secretary. This can be done by filling out a form on the HHS website. If the breach has affected more than 500 individuals, the covered entity is required to notify the Secretary immediately — within 60 days of the breach taking place. If the breach affects less than 500 people, the covered entity is permitted to notify the Secretary on a yearly basis. Breaches that affect less than 500 people should be reported to the Secretary within 60 days from the end of the calendar year in which the breach took place.

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Get Started

Conclusion

As the number of healthcare data breaches continues to grow, so do the associated risks and costs. Breaches in healthcare data can lead to substantial litigation, regulatory and direct costs. Therefore, it is essential that healthcare organizations are adequately prepared so that breaches are less likely to occur. Organizations should ensure that their incidence response plans are up to date and effective, and that all employees have been adequately trained in all aspects of healthcare data breaches.

Sources

• Healthcare Data Breaches: Managing and Responding to Regulatory and Litigation Risks, XL Catlin
• HIPAA BASICS FOR PROVIDERS: PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES, CMS
• State Data Breach Notification Laws Critical to Healthcare Orgs, Health IT Security
• Incident Response 101: Where Notification Requirements May Differ from HIPAA, Loricca