As part of HIPAA requirements, organizations that experience a breach of patient information must report the incident, known as the Breach Notification Rule. Details on what constitutes a breach, the breach notification deadline, and reporting a breach are discussed.
What is a HIPAA Breach?
Many healthcare organizations think of a breach as a hacking incident; however, a breach can include several other types of incidents. According to HIPAA, a breach is defined as any incident that leads to the unauthorized use or disclosure of protected health information (PHI). As such, a breach can be a hacking incident, loss or theft of an unencrypted device containing electronic PHI, improper disposal of medical records (whether it be paper or electronic), or unauthorized access to PHI, including by a workforce member.
- HIPAA-Compliance Audit: Summary Report of Violations
- HIPAA Right of Access Enforces Fines in 2020
- HIPAA Compliant Video Chat: Requirements after COVID
- HIPAA Security Measures: Managing Risk in Your Practice
When is the HIPAA Breach Notification Deadline?
The breach notification deadline differs depending on how many patients were affected by the incident. Breaches affecting less than 500 patients must be reported 60 days from the end of the calendar year in which the breach occurred (March 1). Breaches affecting 500 or more patients must be reported no later than 60 days after discovering the incident.
Reporting a HIPAA Breach
All breaches must be reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and affected patients. Reporting a breach to HHS’ OCR can be done through its online breach portal. When submitting the breach notification to the HHS’ OCR, healthcare organizations are asked a series of questions, including when the breach occurred, the type of incident, and how many patients were affected by the breach. To report a breach to affected patients, providers must mail breach notification letters. The breach notification letter must include:
- A brief description of the breach;
- A description of the types of information that were involved in the breach;
- The steps affected individuals should take to protect themselves from potential harm;
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and
- Contact information for the covered entity.
Additionally, if a provider lacks up to date mailing addresses for ten or more patients, the provider must make the breach notification available on its website homepage for 90 days or submit the breach notification to media outlets for publication. For breaches affecting 500 or more patients, the provider must always submit the breach notification to media outlets for publication.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!