Breach Notification Requirements

When a breach has occurred, the appropriate notifications must take place as soon as possible and no later than 60 calendar days after the breach is discovered. In addition to notifying individuals, if more than 500 individuals are affected, the news media and the Secretary of HHS must ALSO be notified within the same time frame.

With the Omnibus Rule changes to the definition of business associates and their obligations, the responsibility for breach notifications has changed somewhat. Now that sub-contractors of business associates assume responsibility for protecting PHI, these organizations are also responsible for making the proper breach notifications to the covered entity.

Covered entities are ultimately responsible for notifying individuals affected by a breach. However, one interesting change is that the covered entity is now free to delegate notification responsibilities to the business associate that suffered the breach OR to another of its business associates.

Whether to individuals, the media or the Secretary of HHS, the written notice must contain the following information:

  • Notification must be written in plain language.

  • A brief description of what happened, including the date and time of the breach and the date of the discovery of the breach to the extent these dates are known (the duration with beginning and ending dates if applicable).

  • A description of the types of unsecured PHI that were disclosed in the breach (e.g., full name, social security number, date of birth, home address, account number, diagnosis, disability code, etc.).

  • Steps that the patients should take to protect themselves from potential harm resulting from the breach of unsecured PHI (such as contacting their credit card companies).

  • A brief description of the actions taken by the physician to investigate the breach, mitigate harm to individuals, and to protect against any further breaches.

  • Contact procedures for individuals to ask questions or learn additional information, including a toll-free number, an e-mail address, website, or postal address.

Notice to Individuals

Notice of a breach MUST be provided promptly and in the following form:

  1. Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by email. The notification shall be provided in one or more mailings as information becomes available. If the organization knows that the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to the next of kin or personal representative shall be carried out.
  2. Substitute Notice: Where there is insufficient or out-of-date contact information (including a phone number, email address, etc.) that precludes direct written or electronic notification, a substitute form of notice reasonably calculated to reach the individual shall be provided. A substitute notice need not be provided where insufficient or out-of-date contact information precludes written notification to the next of kin or personal representative.
     • Where there is insufficient or out-of-date contact information for fewer than 10 individuals, the substitute notice may be provided by an alternative form of written notice, telephone, or other means.
     • Where there is insufficient or out-of-date contact information for 10 or more individuals, the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the organization’s website, or a conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside. The notice shall include a toll-free number that remains active for at least 90 days where an individual can learn whether his or her PHI may be included in the breach.
     • If the organization determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate, in addition to the methods noted above.

Notice to Media

Notice shall be provided to prominent media outlets serving the state and regional area when the breach of unsecured PHI affects more than 500 patients. The notice shall be provided in the form of a press release.

Notice to the Secretary of HHS

Notice shall be provided to the Secretary of HHS as follows. The Secretary shall make available to the public on the HHS Internet website a list identifying covered entities involved in all breaches in which the unsecured PHI of more than 500 patients is accessed, acquired, used, or disclosed.

  1. For breaches involving 500 or more individuals, the organization shall notify the Secretary of HHS at the same time notice is made to the individuals.
  2. For breaches involving fewer than 500 individuals, the organization will maintain a log of the breaches and submit the log to the Secretary of HHS annually: breaches logged during the preceding calendar year are to be submitted no later than 60 days after the end of the calendar year in which the breach was ‘discovered’, not the year in which it ‘occurred’.
