Do you need to report every data breach? Which security incidents must you report to the HHS? And how should you handle a breach once it happens?
The Department of Health and Human Services (HHS) does not penalize providers simply for reporting a HIPAA breach. But the HHS Office for Civil Rights (OCR) reviews every breach report it receives and opens an investigation for every breach affecting 500 or more individuals, and that investigation usually includes a review of the organization's overall HIPAA compliance. What it finds can lead to enforcement action by OCR, and a reported breach can also attract lawsuits from individuals who fear for their privacy.
So you should first assess whether the incident qualifies as a reportable HIPAA breach. If the assessment shows that the incident did not compromise protected health information (PHI), you do not have to report it to the HHS, but you must document the assessment and keep it, because the burden of proving that an incident was not a breach rests on you.
Keep reading to learn which breaches you must report to the HHS and which you do not. The second half of the article covers how to handle a reportable HIPAA breach.
HIPAA breach – When you don’t need to report?
If unauthorized access to, or use or disclosure of, protected health information (PHI) has occurred in your organization, first investigate it. The next step is a risk assessment, which should be done as soon as the incident is brought to your attention. You must determine the probability that the PHI involved has been compromised.
Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised. That demonstration rests on a risk assessment covering at least four factors: the nature and extent of the PHI involved (including the identifiers present and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. If the assessment supports a low probability of compromise, you do not have to report the incident to the HHS as a breach.
Here are a few cases in which you don’t have to report the incident to the HHS.
The Breach Notification Rule applies only to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons by a method HHS has approved in its guidance. Encryption that meets that guidance is one such method; destruction is the other. If you can show that the PHI was encrypted in line with the HHS guidance and the decryption key was not also exposed, or that the media holding the PHI was destroyed, the incident is not a reportable breach.
Paper and other hard-copy media count as secured only once they have been shredded or otherwise destroyed so that the PHI cannot be read or reconstructed. Destroying a document after someone has already read it does not undo that disclosure; whether such a disclosure is reportable depends on the risk assessment.
More generally, if you can show that safeguards were in place and that the risk assessment supports a low probability that the PHI was compromised, the incident is not a reportable breach. Keep in mind that the burden of proof is on you: you must be able to document either that the incident met an exception or that the risk assessment showed a low probability of compromise.
Here are seven examples of incidents that are not reportable under HIPAA.
7 PHI incidents that are not reportable under HIPAA
- HIPAA permits healthcare providers to use and disclose PHI for treatment, payment and healthcare operations without the patient's authorization. The exception is where the provider has agreed to a restriction requested by the patient; a disclosure that violates an agreed restriction is not permitted.
- Healthcare providers can also disclose PHI to people involved in the patient's care, such as family members. The disclosure is permitted only if the patient does not object, or, if the patient cannot be asked, if the provider judges the disclosure to be in the patient's best interest.
- Another permitted disclosure is one needed to prevent or lessen a serious and imminent threat to public health or safety. Likewise, a provider can disclose PHI when the disclosure is required by law or necessary for certain government functions.
In the three cases above, the use or disclosure is permitted by the Privacy Rule, so it is not an impermissible disclosure and there is no breach to report.
- An employee who is authorized to access PHI looks at the wrong patient's record by mistake, but does not use or disclose that information any further. Access made in good faith and within the scope of the employee's authority is an exception to the definition of a breach.
- An authorized employee inadvertently discloses a patient's PHI to another person who is also authorized to access PHI at the same covered entity or business associate, for example the wrong doctor, and that person does not use or disclose the information any further.
- An employee sends PHI to the wrong recipient but retrieves it before that person could read it, so the employee has a good-faith belief that the recipient could not reasonably have retained the information.
In the three cases listed above, the probability that the patient's PHI has been compromised is very low. These are the three exceptions written into the Breach Notification Rule's definition of a breach.
First, they carry a low risk to the patient. Second, in the first two cases the disclosure was to a person in your own organization, who is bound by the same confidentiality obligations as the employee who made it.
Moreover, the access or disclosure was made in good faith and within the employee's authority, and the employee did not use or disclose the PHI any further.
- A letter containing PHI is sent to the wrong address, but it is returned to you unopened. The chances of the information having been viewed or used are low.
In that case the prompt return lowers the risk even further, and you may not have to report the incident as a breach. Record the return and your reasoning in the risk assessment.
In most of the cases above, the risk to PHI could be mitigated easily. Carry out the risk assessment as soon as the details of the incident are brought to your attention, then determine carefully the risk to the patient's PHI. If the risk is low, you may not need to report the incident.
But be careful. If there is more than a low probability that the PHI was compromised, the incident is a reportable breach, and a risk assessment that understates the scope of an incident is itself a compliance failure.
In one 2017 case, a healthcare provider estimated the number of affected individuals incorrectly: its risk assessment concluded that only 8 people were affected by the incident.
The OCR investigation that followed found that almost 600 patients were affected. The investigation concluded in 2019 with a settlement payment of more than $2 million, and the provider had to enter a two-year corrective action plan with the HHS.
How to handle a HIPAA breach?
If your risk assessment concludes that the incident is a reportable breach, you should prepare at once to inform the affected individuals and the Department of Health and Human Services. The notification clock starts at discovery, not at the end of your investigation.
Here’s what the HHS expects you to do.
Inform the affected people
You must inform the affected individuals without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to anyone in your workforce other than the person who caused it. The notice should be sent by first-class mail to the individual's last known address; it can be sent by email instead if the individual has agreed to receive notices electronically.
The breach notification must include the information listed below.
- A brief description of what happened, including the date of the breach and the date it was discovered, if known
- The types of PHI involved (for example name, Social Security number, date of birth, diagnosis)
- Steps the individual should take to protect themselves from potential harm
- What your organization is doing to investigate the breach and mitigate the harm
- What your organization is doing to protect against further breaches
- How the individual can contact you with questions, which must include a toll-free telephone number, an email address, a website or a postal address
How to inform people if you don’t have correct addresses
If you have insufficient or out-of-date contact information for 10 or more affected individuals, you must provide substitute notice in one of two ways –
- Post a conspicuous notice on the home page of your website and keep it there for at least 90 days,
- Or place a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals are likely to live.
- Either form of substitute notice must include a toll-free number, active for at least 90 days, that individuals can call to find out whether their PHI was involved.
If you lack contact information for fewer than 10 people, you can reach them by an alternative written notice, by telephone or by other means.
Share the information with the Department of Health and Human Services
You’ll need to act differently depending upon the number of affected people.
If the PHI of 500 or more people was compromised
If the incident affects 500 or more individuals, you must notify the HHS at the same time as you notify the individuals, and in any case no later than 60 calendar days after discovery.
If the PHI of fewer than 500 people was compromised
If the incident affects fewer than 500 individuals, you do not have to notify the HHS immediately. Record the breach in your breach log and submit it to the HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
Inform the media
If the breach involves more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction, in addition to the HHS. This too must happen without unreasonable delay and no later than 60 calendar days after discovery, and the media notice must contain the same information as the individual notice described above.
Recording incidents of PHI breach
You must document every security incident, whether it is reportable or not. Here is what your incident log should record –
- The date the incident happened and the date it was discovered
- Details of the entity or person that received the PHI in error
- A description of the PHI involved and the number of individuals affected
- How and why it happened, and the outcome of your risk assessment, including the reasoning behind any decision not to report
Remember, not all security incidents are breaches. But every breach reported to the HHS invites an OCR investigation and a review of your HIPAA compliance, and OCR can ask for documentation going back six years, which is how long HIPAA requires you to retain it. So apply discretion, backed by documentation, whenever such an incident occurs.
Conduct a thorough risk assessment and determine how the incident affects the security of the PHI. These steps can prevent you from reporting an incident unnecessarily, and they produce the record you will need if OCR later asks why you did or did not report.
If you have any queries about the HIPAA breach notification rule, or if you want to discuss reportable and non-reportable incidents with our readers, please leave your comments in the section below. Our readers would love to share their views with you.