Among the distressing headlines of 2020, “healthcare data breach” appeared more often than ever before. According to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), 642 healthcare data breaches of 500 or more records were reported in 2020, representing a 25% increase over 2019 and double the number of incidents in 2014.

Data breaches in healthcare have become a daily occurrence and a nearly unavoidable circumstance despite an organization’s best efforts. While a breach may be difficult to avoid, a long-term post-acute care (LTPAC) provider can mitigate the potential consequences by understanding the HIPAA Breach Notification Rule and complying with its requirements.

Understanding the Breach Notification Rule

As with the Privacy Rule and the Security Rule (covered in Part I and Part II of our HIPAA series), the HIPAA Breach Notification Rule, introduced in 2009, pertains to the management of patients’ protected health information (PHI) by covered entities and their business associates.

While the Privacy and Security Rules cover the care and protection of PHI, the Breach Notification Rule stipulates what is required if a breach occurs. Furthermore, the Rule lays out requirements for when and how to notify related parties about a breach.

What Constitutes a Breach?

A breach occurs when an impermissible – according to HIPAA rules – use or disclosure compromises the privacy or security of an individual’s PHI. But how can you determine if PHI has been compromised?

While you may be inclined to view any impermissible action as a breach, there are three instances in which the event would not be considered as such, including:

1. The unintentional acquisition, access or use of PHI in good faith
2. The inadvertent disclosure to an authorized person at the same organization
3. The receiver is unable to retain the PHI

Barring one of these exceptions, any impermissible use or disclosure will be considered a breach unless you are able to demonstrate that there is a low probability that PHI was compromised.

Probability can be determined by performing a risk assessment that includes the following factors:

• The nature and extent of the PHI involved, how much personal or clinical information was disclosed and how identifying that information could be
• The nature of the unauthorized person or entity who used the PHI or to whom it was disclosed and whether that entity was also covered by HIPAA
• Whether the PHI was actually acquired or viewed or if there were simply an opportunity to do so
• The extent to which you have already mitigated any risk to the PHI

When considering these four factors, you will rank each as low, medium or high risk and then view them as a whole to determine an overall risk level. If you determine the overall risk to be anything more than low, then the breach notification requirements apply. It should be noted, however, that it is not necessary to perform a risk assessment if you are certain PHI has been compromised and a breach is present.

An additional distinction of note is whether compromised PHI is unsecured. The notification requirements will only apply if the breach involved unsecured PHI, or PHI that has not been rendered unusable, unreadable or indecipherable through encryption or other technology.

What Are the Notification Requirements?

If you’ve discovered a potential breach for which an exception does not apply nor that has a low probability of risk, then you must comply with HIPAA’s breach notification requirements. It’s important to be aware, however, that some state breach notification laws may be stricter than HIPAA, and you would need to comply with any additional requirements of your state.

Notice to Individuals

You must notify all individuals affected by a breach, and there are a number of accompanying guidelines. The notification must be in written form and sent by first-class mail or by email (only for affected individuals that have agreed to receive such notices electronically). If you have incorrect or outdated contact information for 10 or more affected individuals, you must post the notice on the home page of your website for at least 90 days or post in major print or broadcast media, and it should include a toll-free number that remains active for 90 days.

There are requirements regarding the content of the notice itself, including:

• A brief description of the breach
• A description of the types of information that were involved
• The steps affected individuals should take to protect themselves
• The steps you are taking to investigate the breach, mitigate the harm and prevent further breaches
• Your contact information and that of any applicable business associate

Breach notifications must be sent within 60 days of discovery of a breach (remember to refer to your state’s requirements; i.e., Ohio requires notification no later than 45 days after a breach is discovered). The only exception to this rule, as it pertains to individual notifications, is if a request to delay notifications has been made by law enforcement, in which case notifications should be sent as soon as that request has expired.

Notice to HHS

The Secretary of the HHS must be notified in the event of a data breach. This can be accomplished electronically via the HHS website. The timing of HHS notification depends upon the number of individuals impacted by the breach.

If a breach has affected 500 or more individuals, you have 60 days from the discovery of the breach to notify the Secretary. The HHS does advise, however, that notification should happen without “unreasonable delay.”

Reporting breaches of fewer than 500 individuals can be delayed as long as they are reported within 60 days of the end of the calendar year in which they occurred. Thus, you are able to group smaller breaches and report them at one time on an annual basis. This permitted delay applies only to HHS reporting, not to individual notifications.

Notice to Media

Media notification is required for any breach affecting more than 500 residents of a state or jurisdiction. Notification is generally provided via a press release to media outlets covering the locations in which breach victims reside.

The guidelines for notice to media are similar to that for individuals; notification must be provided no later than 60 days following a breach discovery and it should include the same information required for individual notifications.

Best Practices for Breach Notifications

Violating the Breach Notification Rule can result in consequences that include hefty fines as well as criminal penalties (to be discussed next in our HIPAA series). We’ve compiled a checklist of best practices so that you are prepared for the inevitable breach.

1. Maintain documentation that demonstrates that all required notifications were made in the event of a data breach.
2. Maintain documentation that supports a conclusion that notification was not required, including any risk assessment showing a low probability of a breach or documentation supporting an exception.
3. Keep an updated log of relevant information for any breaches involving fewer than 500 individuals so that all events are included in your annual report to HHS.
4. Maintain written policies and procedures regarding breach notifications, ensure employees are trained on them and administer appropriate sanctions for noncompliance.

The Bottom Line

LTPAC providers have the burden of proof in demonstrating compliance with all aspects of the Breach Notification Rule. This burden can feel heavy for providers already strained by COVID-19-related concerns. Richter can help.

Our professionals have extensive knowledge of HIPAA and its compliance requirements. In the event of a suspected breach, we can help ensure that you’ve met your responsibilities, and we can prepare you for future situations.

Contact Richter’s Skilled Nursing Consultants

Do you have questions about HIPAA, implementing a compliance program or other LTPAC business challenges? Call Richter's LTPAC consultants at 866.806.0799 to schedule a free consultation.