You already know that the HIPAA Breach Notification Rule requires you to notify all individuals whose protected health information (PHI) is compromised in a breach. But who else needs to be notified, and how? When do you have to send breach notification letters? Your breach notification requirements are determined by the overall level of risk caused by the breach. We’ve looked at the four-factor breach risk assessment that you used to find the probability that PHI was compromised. If you found the risk to be greater than low, then it’s time to send out notifications.
This post will cover how to notify individuals, the secretary of Health and Human Services Office for Civil Rights (HHS/OCR), and the media. We’ll also look at when to send a substitute notice, the responsibilities of business associates, what to do when contacted by law enforcement, and why you should document the entire process.
You must notify all individuals whose PHI was compromised in the breach no later than 60 days after discovering the breach. Send a notification letter by first-class mail to the last known address, or send an email if the individual has previously agreed to electronic communication.
If your records show that the person is deceased, the notification letter can be sent to the next of kin or personal representative. In the next post, you’ll learn how to write a breach notification letter and see a breach notification letter template.
What if You Have Outdated Contact Information?
If you have insufficient or outdated contact information and can’t mail a written notification letter to some individuals, then you’ll need to make a substitute notice. The type of notice depends on how many people you’re unable to send a notification letter to.
- 1-9 individuals: You may use an alternative written notice, phone call, or other means to reach these individuals. If you feel that you must urgently notify them because of the threat to their unsecured PHI, then you may want to contact them by phone as well as by written notice.
- 10+ individuals: Post a conspicuous substitute notice for 90 days on your website homepage. The notice could also appear in major print or broadcast media in the regions where the affected individuals likely reside. Depending on the circumstances and what you consider necessary to reach them, it may be appropriate to use local, city, or statewide media, or several media outlets at once.
Note that a substitute notice applies only to the person affected by the breach, not to a next of kin or personal representative. A substitute notice must include a toll-free number, active for at least 90 days, that an individual can call to get more information about the breach.
You must also notify the secretary of HHS/OCR, either on the same timeline as the individual notifications or annually, depending on the number of individuals whose PHI was compromised.
- 1-499 individuals: Maintain an annual breach log and use it to notify HHS/OCR no later than 60 days after the end of that calendar year.
- 500+ individuals: Notify HHS/OCR within the same timeframe that you notified affected individuals and no later than 60 days after discovering the breach.
Notify the Media
If the breach involves more than 500 residents of a State or jurisdiction, you must notify prominent media outlets serving that State or jurisdiction. You’ll send the media the same information that you sent to individuals in their notification letters no later than 60 days after discovering the breach. Be as prompt as possible.
What are Business Associates’ Responsibilities?
Additionally, the breach notification rule applies to business associates (BA). When a BA discovers a breach, they should notify you or conduct a breach risk assessment, depending on your business associate agreement (BAA). The first day a BA knows of a breach, or would have known of it had they exercised reasonable diligence, is considered the day the breach is discovered. A breach counts as known once anyone other than the person who caused it is aware of it, including an employee, officer, or other agent of the BA.
If the BA is not an agent of your organization, then the 60-day notification clock doesn't begin until they notify you. However, if the BA is acting as an agent of your organization, their discovery date is imputed to you. In that case, your notification deadline runs from the date the BA discovered the breach, not from the date the BA notified you. To avoid confusion about breach notification requirements, it's important that you spell out these responsibilities in your BAA.
What if Law Enforcement Delays Breach Notification?
In some situations, law enforcement may ask you to delay sending breach notifications because notifying would impede a criminal investigation, hinder national security, or harm your organization or a BA. Pay attention to how law enforcement delivers the delay request, because the form of the request determines how long you may delay.
- Verbal request: You may postpone notifications, but for no longer than 30 days.
- Written request: You must delay notifications and notices for the amount of time requested.
There are a lot of moving parts when it comes time to send out breach notifications. It’s important that you document all your security incidents and notifications because you and your BAs have the burden of proof. Can you demonstrate that you notified all parties? Can you prove that the impermissible use or disclosure wasn’t a breach in the first place? Maintain clear records of how you addressed any impermissible use or disclosure, including:
- The facts of the incident
- Any investigative documents
- The exception you applied, if any
- The breach risk assessment that led to your conclusion
The goal is to be well-armed and prepared to respond to potential breaches, notify all parties correctly and on time, and maintain records that demonstrate your breach notification compliance efforts. Read the U.S. Code of Federal Regulations for more detail about breach notification requirements.
HIPAAtrek can help you create a culture of security compliance. In the HIPAAtrek platform, you can record the details of all security incidents and use the integrated Breach Risk Assessment Tool to determine if the incident was a breach. This feature makes documentation easy and leaves an auditable trail of compliance. Request a demo or contact us for more information.