The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches to HHS on an annual basis, regardless of the number of individuals affected. If a breach of unsecured protected health information affects 500 or more individuals who are residents of a single state, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. The deadline this year for the report is Friday, March 1, 2017.

Providers who have had breaches affecting fewer than 500 individuals can report the HIPAA breaches electronically here, on the HHS website. A separate report must be filed for each breach that occurred during the 2016 calendar year. For example, if a covered entity had a breach in March of 2016 affecting five individuals and another breach in August 2016 affecting two individuals, a report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example).

To fill out this form, covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery (first time any employee is aware of the breach)
  • Approximate number of individuals affected by the Breach
  • Type of Breach (e.g. theft, loss, unauthorized access, etc.)
  • Location of breached information (e.g. laptop, thumb drive, e-mail, etc.)
  • Type of Protected Health Information involved in the Breach (e.g. demographic, lab results, etc.)
  • Description of how the Breach occurred
  • Safeguards in place prior to the Breach (e.g. firewalls, physical security, etc.)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required
  • Whether media notice was required (necessary for breaches affecting over 500 individuals)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

Assessing If A Data Breach Occurred

A question we get asked often is how to determine if a breach has actually occurred. Remember, by definition, it is impossible to have a breach if the health information is appropriately encrypted in accordance with algorithms specified by CMS. Based on the HIPAA Omnibus Rule, the government uses four factors to determine the likelihood that PHI was inappropriately used or disclosed:

1. The nature and extent of the PHI involved.
   a. Identifying financial and demographic data: Social Security number, credit cards, bank checks, financial data
   b. Clinical data: diagnosis, treatment, medications
   c. Behavioral health, substance abuse, sexually transmitted diseases

2. The unauthorized person who used the PHI or to whom the PHI was disclosed.
   a. Does the person have obligations to protect privacy and security?
   b. Does the person have the ability to re-identify the PHI?

3. Whether the PHI was actually viewed or accessed.
   For example, was a stolen laptop later recovered, and did IT analysis find that PHI was never accessed, viewed, transferred or otherwise compromised, although the opportunity existed?

4. The extent to which the risk to the PHI has been mitigated.
   a. Can the person who received the PHI provide satisfactory assurances that the PHI will not be further used or disclosed, or that it will be destroyed?
   b. What level of effort has been expended to prevent future related issues and/or to lessen the harm of the actual breach?

In the Preamble to the Omnibus Rule, HHS emphasizes that it expects such risk assessments to be thorough and completed in good faith, and the conclusions reached to be reasonable.

The covered entity must also consider the reliability of the person or entity that received the improperly disclosed PHI. If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the PHI has been compromised, Breach Notification is required.

Remember, notification for breaches occurring in 2016 that affected fewer than 500 individuals must be made before Friday, March 1, 2017. If you need assistance in determining whether your incident is a breach, or help in filling out the HHS notification form, contact one of the authors listed above at Woods Rogers.