Breach Notification Requirements

Your Practice and Breach Notification Requirements

2013 Revised Breach Notification Requirements 

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires physicians, health plans, and other covered entities to notify individuals when their unsecured health information is breached. Covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures. The HITECH Act also provides guidance on proper methods of encryption and destruction of health information. The updated rules went into effect March 26, 2013 and practices were required to comply by September 23, 2013.

What is unsecure?

The regulations define “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance.” This guidance was initially published in the Federal Register on April 27, 2009 and revised in the Federal Register( published on January 25, 2013.

In essence, the guidance outlines ways to render the protected health information (PHI) as unusable, unreadable, or indecipherable to unauthorized individuals.

  • Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
  • The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
  • If the information is de-identified, then it is not protected health information and thus does not require breach notification.

If the protected health information is secured in accordance with the guidance, there is no need to provide notification if there is a breach of that information.

What is considered a breach?

The definition of a breach was revised under the updated rules that went into effect on March 26, 2013. 

Under the previous rule, a breach was defined as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information (e.g. poses a significant risk of financial, reputational, or other harm to the individual), except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

Under the new rule, a breach is presumed to have occurred (regardless if it poses a significant risk of financial, reputational, or other harm to the individual), unless a risk analysis based on the following four factors can prove there is a low probability that the patient’s Protected Health Information (PHI) was compromised:

  1. The nature and extent of the PHI involved, which includes the ability to re-identify the information and the type of PHI included, such as social security number, date of birth, etc.
  2. The person to which the unauthorized disclosure was made.
  3. Whether or not the PHI was accessed or viewed by the unauthorized individual.
  4. If steps have been taken to reduce the risk to the privacy and security of the PHI. For example, obtaining a signed confidentiality statement or agreement from the unauthorized individual.

Who must be notified?

In all breaches, any individual whose PHI has been inappropriately released is to be notified. The notification must contain the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach.
  • A description of the types of unsecure PHI involved.
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach.
  • Brief description of actions taken by the covered entity to investigate the breach and mitigate potential harm.
  • Contact information, including a toll-free phone number.

This notice must be provided by first class mail, unless the individual has authorized the use of an electronic mail address for such notices. All notices must be issued within 60 days of discovery of the potential breach and there cannot be unreasonable delays in providing notice (i.e., if one discovers and confirms a breach in ten days they cannot wait until day 60 to provide the notice).

If there are fewer than ten individuals for whom the covered entity does not have sufficient contact information to provide written notice, the covered entity can provide substitute notice through an alternative form of written notice, by telephone or other means.

If there are ten or more individuals for whom the covered entity does not have sufficient contact information to provide written notice, the covered entity must provide substitute notice through either a posting on their Web home page for 90 days or notice in major print or broadcast media. The covered entity must also provide a toll-free phone number, active for 90 days, where individuals can learn whether their information was part of the breach.

If there are over 500 individuals involved in the breach, the covered entity must notify the Secretary of HHS within 60 days. If there are 500 individuals from the same state or jurisdiction, the covered entity must also notify the local media that a breach occurred.

The covered entity is required to retain a log of all breaches and submit an annual report to the Secretary of HHS on those breaches. Since the burden of proof for breach exceptions and adequate notification lies with the covered entity, it is important for them also to keep documentation of any investigation of potential breaches and all notification activities.

How can I ease compliance?

  • Encrypt all electronic information when feasible.
  • Establish a plan to investigate potential breaches and deploy notifications.
  • Educate workforce on requirements for breach identification.
  • Discuss ways to decrease the likelihood of breaches.
  • Create a documentation process for cataloging real and potential breaches and resulting actions
  • Ask vendors and business associates how they are protecting health information and complying with the breach notification requirements.
  • Set up a process to make sure your contact information for all patients remains up to date and that you ask for authority to send breach notification via electronic mail.