Have you been the victim of a breach? Maybe not, but perhaps you know someone who has. Either way, deciding what to do next can be challenging if you're unprepared.
First, it's important to determine whether the incident is truly a breach or simply a false alarm, then follow these guidelines to quickly respond.
What is Considered a Breach?
The Department of Health and Human Services (HHS) defines a breach as:
“The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
The reason I bring this up is that the definition was updated with the latest Omnibus Ruling which no longer includes the “Harm Standard.” This means if you have a release of information of any kind, be it a fax or email to the wrong person, malware attack, loss of unencrypted device, etc., you have a breach. This is different from the early version of the law which required you to prove the information had been compromised. Now, it’s presumed a breach unless proven otherwise.
Steps to Mitigating a Breach
When responding to a breach, HHS expects you to have your response protocol in place BEFORE a breach happens, so we highly recommend including this as part of your HIPAA Compliance Plan. This is the best way to protect yourself if and when a breach does occur. To get started, follow these four steps:
Step 1: Perform A Risk Analysis
This first step is important and is required by HIPAA. Your Risk Analysis needs to be conducted quickly and should be as thorough as possible. Here's what to look for:
- When did the breach start and end?
- What date did you discover the breach?
- Approximately how many individuals are affected?
- What type of breach has occurred?
- Hacking/IT Incident
- Improper disposal of PHI
- Unauthorized Access/Disclosure
- Where did the breach occur?
- What type of PHI is involved?
As you review this information, you will have a better idea of what happened and whether or not a breach actually took place.
Step 2: Contact the Authorities
At this point, if you’ve discovered that indeed this is a breach, and if you determine a criminal act has transpired, contact your local authorities. For malware issues, you may be referred to the FBI to file an official complaint.
Step 3: Notification of Patients
Each patient must be notified of the breach by U.S. Mail, unless you have clearly outlined in your Notice of Privacy Practices that notifications will be sent by email. However, if you determine notifications will be sent electronically, all patients must agree and sign off on this method of communication. This can save you a lot of time and money, so we highly recommend including this clause in your compliance plan. To add this clause, contact your lawyer, or the team at Total HIPAA to make sure this is properly laid out.
The Substitute Notice: This is required when you cannot reach 10 or more individuals. You now have two options: 1) You may post the Notice on your website for 90 days, or 2) You can contact local media outlets and have them post the breach notification.
What is Required to be in the Patient Notification?
A brief description of what happened, the date of the breach and the date the breach was discovered.
A description of the types of unsecured PHI involved in the breach (name, address, date of birth, SSN, health information, treatment codes, etc.)
The steps individuals should take to protect themselves from potential harm. The action could be different for each incident.
A brief description of what the covered entity involved is doing to investigate the breach, to mitigate damage, and to protect against future breaches.
Contact procedures for individuals to ask questions or learn additional information, a phone number, an email address, website or postal address.
Step 4: Notifying HHS of the Breach, or The Rule of 500
Under 500 Patients Affected
If you have a breach of fewer than 500 patients’ information, you are not required to notify HHS at the time the breach is discovered. You will however need to document all the items described above and report the breach to HHS at the end of the calendar year. Notifications must be submitted to HHS within 60 days of the last day of the year and can be filed online using the OCR's notification portal.
Over 500 Patients Affected
If you have a breach affecting more than 500 patients’ information, you are required to notify HHS immediately. You should also verify the HIPAA breach notification rules for your respective state, as these may vary. In several states, such as California, you are also required to notify the Office of the Attorney General. As always, check with your attorney if you have any questions about your specific state’s notification requirements.
What Happens if You Don’t Self-Report a Breach?
If you are chosen for a HIPAA audit and the auditor discovers you have not self-reported breaches, this falls under the Willful Neglect provision, and you may be fined starting at $10,000 per violation. As you can see self-reporting is the better action here.
Did Not Know
$100 - $50k per violation, up to $1.5M per year
$1k - $50k per violation, up to $1.5M per year
Willful Neglect - Corrected
$10k - $50k per violation, up to $1.5M per year
Willful Neglect - Not Corrected
$50k per violation, up to $1.5M per year
Exceptions to Notification Rules
Law enforcement officials may ask the Covered Entity to refrain from posting any notification if they believe it could impede a criminal investigation or may cause damage to national security.
What Happens if your Business Associate is responsible for a Breach?
Unfortunately, this is happening more and more, and though you have a Business Associate Agreement in place, this could still open you up to an audit from HHS as a result of the Common Agency Provision in the Omnibus Ruling.
We recommend that you have a clause in your Business Associate Agreement that states you will be notified within 15 days of a suspected breach of information. Since you are the Covered Entity, it's best that you take the lead on patient notification. Make sure you get a full report from your Business Associate, and what they are doing to mitigate the breach. It’s important to communicate all relevant information to your patients so they can protect themselves.
We hope that you never have to face a breach, but in the event that you do, we hope you'll return and use this blog as a reference. With more and more small medical practices becoming the victims of hacks, malware attacks, lost devices, and employee negligence, it's so important to have a plan in place before you have an issue. Having this plan can save you time, mitigate a breach faster, and ultimately save you money. If you have questions on how to create any required documents, please send us a note to firstname.lastname@example.org, and we can assist you in creating what you need.