This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Security Incident Procedures: Breach Notification (Required)

Reference: 45 CFR §160.400-424
Last Updated: October 24, 2024

Purpose

Goal: To ensure that all team members are aware of timing requirements and actions needed once a potential breach has been identified.

Procedure: Following a breach of unsecured protected health information the HIPAA Security Officer or designated representative must ensure that the procedures identified below are met based on the conditions of the breach.

Note: The notification requirements only apply to breaches of unsecured PHI. In other words, if PHI is encrypted or destroyed in accordance with the HIPAA guidance, there is a “safe harbor” and notification is not required.

Reminder: Burden of proof requires proof all notifications were made as required or that the use or disclosure did not constitute a breach, hence it is critical that the policies below be followed as written

Policy

Definition of Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

Breach Exceptions: There are three exceptions to the definition of “breach.”

  1. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
  3. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Keep in mind that regardless of the exception, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

    • Initial Considerations. A breach shall be treated as discovered as of the first day on which such breach is known or, by exercising reasonable diligence, would have been known by any person, other than the person committing the breach, who is a workforce member or team member.

Team members who believe that patient information has been used or disclosed in any way that compromises the security or privacy of that information shall immediately notify the Security Manager and his/her Supervisor.

Following the discovery of a potential breach, the Security Manager or designated representative shall begin an investigation, conduct a risk assessment, and, based on the results of the risk assessment, begin the process of notifying each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. The responsible party shall also begin the process of determining what notifications are required or should be made, if any, to the Secretary of the Department of Health and Human Services (HHS), media outlets, or law enforcement officials.

    • Breach Investigation. The Security Manager or his/her designated representative shall be responsible for the management of the breach investigation, completion of the risk assessment, and coordinating with others as appropriate.
      • Risk Assessment. For breach response and notification purposes, a breach is presumed to have occurred unless there is evidence and documentation that there is a low probability that the PHI has been compromised based on, at minimum, the following risk factors:
        • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
          • Social security numbers, credit cards, financial data
          • Clinical detail, diagnosis, treatment, medications
          • Mental health, substance abuse, sexually transmitted diseases, pregnancy
        • The unauthorized person who used the PHI or to whom the disclosure was made.
          • Does the unauthorized person have obligations to protect the PHI’s privacy and security?
          • Does the unauthorized person have the ability to re-identify the PHI?
        • Whether the PHI was actually acquired or viewed.
          • Does an analysis of a stolen and recovered device show that PHI stored on the device was never accessed?
        • The extent to which the risk to the PHI has been mitigated.
          • Is it possible to obtain the unauthorized person’s satisfactory assurances that the PHI will not be further used or disclosed or will be destroyed?

Based on the outcome of the risk assessment, the Security Manager will determine the need to move forward with breach notification. The Security Manager will document the risk assessment and the outcome of the risk assessment process. All documentation related to the breach investigation, including the risk assessment, Shall be retained for a minimum of six years.

    • Notifications: Following a breach of unsecured protected health information, notifications shall be created and distributed in accordance with the categories and instructions identified below.
      • Individuals Affected. If it is determined that breach notification must be sent to affected individuals, a standard breach notification letter (as modified for the specific breach) will be sent out to all affected individuals. This letter shall be sent first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.
        • If there is insufficient or out-of-date contact information for 10 or more individuals, then instead of an e-mail or letter a substitute individual notice shall be posted on the home page, web site for at least 90 days.
          • If changes in the website are not feasible then the required notice shall be posted in major print or broadcast media where the affected individuals likely reside.
          • Regardless of the notification medium used the same will include:
            • Toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach.
              • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
              • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
              • Any steps the individuals should take to protect themselves from potential harm resulting from the breach.
              • A brief description of what steps have been taken to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
              • Contact procedures for individuals to ask questions or learn additional information.
            • Individual notifications shall be provided within 60 days following the discovery.
            • A copy of the notification shall be retained for a period of six years.
            • Department of Health and Human Services (HHS).In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information if the breach affects 500 or more individuals.

If fewer than 500 of the Practice’s patients are affected, the Practice will maintain a log of the breaches to be submitted annually to the Secretary of HHS no later than 60 days after the end of the calendar year in which the breaches are discovered.

HHS notifications shall be provided within 90 days following the discovery.

            • Media. In the event the breach affects more than 500 residents of a stateor jurisdiction, breach notification shall, in addition to notifying the affected individuals, post the notification information in the form of a press release.

This notification shall be release within 60 days after the discovery of the breach. This particular notification will include the same information of the individual notice.

          • Delay of Notification Authorized for Law Enforcement Purposes. If a law enforcement official states that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, then:
            • If the statement is in writing and specifies the time for which a delay is required, the notifications shall be delayed as specified; or
            • If the statement is made orally, the Security Manager shall document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
          • Maintenance of Breach Information. The Security Manager will maintain a process to record or log all breaches of unsecured PHI, regardless of the number of patients affected. The following information should be collected for each breach:
            • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known.
            • A description of the types of unsecured protected health information that were involved in the breach (such as full name, social security number, date of birth, home address, account number, other).
            • A description of the action taken with regard to notification of patients regarding the breach.
            • Steps taken to mitigate the breach and prevent future occurrences.
          • Workforce Training. In addition to the regular training conducted the Security Manager shall prepare a lesson plan and/or Security Reminder based on the findings of the breach and remediation procedures implemented.
          • Sanctions. Members of the Practice’s workforce who fail to comply with this policy shall be subject to disciplinary action, up to and including termination.
          • Business Associate. If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.
            • A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
          • Business Associates. With respect to a breach at or by a business associate, the Business Associates will notify the Covered Entity or Business Associate, as the case may be, within 60 calendar days after discovery of a breach of unsecured PHI.
          • The Business Associate will also provide to the relevant parties any other available information that may be required to fulfill everyone’s obligations.
Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram