Your practice has discovered an unauthorized disclosure involving patient information but you’re not sure whether or not it’s a breach, and if so, what steps to take. According to the HITECH Act, following a breach of unsecured protected health information (health information that is not rendered unusable, unreadable, or indecipherable), covered entities (i.e. healthcare providers) must provide notification of the breach to affected individuals, the Secretary of the Department of Health and Human Services (HHS), and, in certain circumstances, to the media. In addition, business associates who discover a breach must notify covered entities.
Answering the following five questions will help you address the disclosure while complying with the Breach Notification Rule.
1. Was the disclosure a breach?
A breach is an impermissible use or disclosure that compromises the security or privacy of protected health information (PHI). A breach of PHI is presumed unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, based on a written risk assessment of at least the following factors:
• The nature and extent of the PHI involved;
• The unauthorized person who accessed the PHI;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
2. How many patients were affected by the breach?
The action your practice must take depends on how many individuals were affected by the breach.
If the breach involves fewer than 500 individuals, you must notify each person by mail or email (if you’ve received permission to email) without unreasonable delay, but no later than 60 days following the discovery of the breach. If you have out-of-date contact information for fewer than 10 individuals, you may use an alternate form of contact (e.g. telephone). If you have out-of-date contact information for more than 10 individuals, you must post a notice (including a toll-free number) on the homepage of your website for at least 90 days. If you don’t have a website, you must contact the local media. Lastly, the Secretary of HHS must be notified no later than 60 days after the end of the calendar year in which the breach is discovered.
If the breach involves more than 500 individuals, each person must still be notified by mail or email (if permissible) without unreasonable delay, and no later than 60 days following the discovery of the breach. In addition, you must notify the local media outlets serving the area where the affected individuals likely reside. Finally, the Secretary of HHS must be notified without unreasonable delay, but no later than 60 days following the breach.
3. What must be included in the notification?
Individual notifications must include the following information:
• A brief description of the breach;
• The types of information involved in the breach;
• The steps affected individuals should take to protect themselves from potential harm;
• A brief description of what is being done to investigate the breach, mitigate the harm, and prevent further breaches; and
• Contact information for your practice (or business associate, as applicable).
4. What if we receive a breach notification from a business associate?
If the breach of unsecured PHI occurs at or by a business associate, the business associate must notify you without unreasonable delay, but no later than 60 days from the discovery of the breach. Specify a shorter time frame when drafting Business Associate Agreements, so that your practice has time to investigate and notify patients within the required 60 days. To the extent possible, the business associate should provide your practice with the identity of each individual affected by the breach, as well as any other available information that you are required to include in your notification to affected individuals.
5. How do we report a breach to the HHS Secretary?
Fill out and electronically submit a breach report form to: