In this lesson, we're going to tackle your worst nightmare – there's been a data breach or HIPAA violation and you need to take action. We'll provide you with the necessary steps to handle such an event, and at the end of the lesson, we'll provide you with a few more details about the HIPAA Breach Notification Rule.

Let's assume your business or organization has had a breach. These are the steps you need to take now that the breach has occurred.

  1. Notify your privacy or compliance officer and let him or her know about the breach.
  2. Initiate a data breach risk assessment.
  3. Notify all impacted individuals within the required time frame.
  4. Provide a formal report to the HHS within 60 days unless your state requires it sooner.
  5. Notify your local media if the breach impacted more than 500 individuals.

Pro Tip #1: HIPAA regulations require you to notify impacted individuals within 60 days. However, multiple states like Texas, Wisconsin, North Carolina, Alabama, and others have more stringent laws that require notification to take place more quickly. Other states appear to be following suit. So, the moral of the story: Time is of the essence.

Once your privacy officer has been alerted of the breach, he or she must initiate a data breach risk assessment to determine what PHI was breached and how many individuals have been affected.

A formal report must be compiled and reported to the HHS within 60 days. You also must notify all impacted individuals within the same amount of time. However, if your state law is more stringent, you must abide by the state law.

Media Notice Rule

The media notice rule requires covered entities to report breaches that involved more than 500 individuals to local news outlets. If dealing with this size of breach, your privacy officer would need to contact local television and newspaper outlets and provide a notification of the breach.

Here is just some of the information that a breach notification should include:

  • A brief description of the breach
  • The types of information involved in the breach
  • The steps affected individuals should take to protect themselves from potential harm
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches

Pro Tip #2: If a covered entity has insufficient or out of date contact information for 10 or more individuals, the covered entity must substitute an individual notice by either posting a notice on their website for at least 90 days or by providing the breach notification to all major media outlets in the areas affected.

A Word About the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of ePHI and issue a notice to the media if the breach affects more than 500 patients.

There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports to be made annually.

Breach notifications should include the following information:

  • The nature of the ePHI involved, including the types of personal identifiers exposed
  • The unauthorized person who used the ePHI or to whom the disclosure was made (if known)
  • Whether the ePHI was actually acquired or viewed (if known)
  • The extent to which the risk of damage has been mitigated

Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.