A Reminder on the Breach Notification Rule Requirements

February 24, 2017

A recent data breach serves as a reminder to practices about the importance of the Breach Notification Rule's requirements.

Recently, Verity Health System had to notify nearly 10,000 patients that their personal information may have been accessed in an unauthorized manner between 2015 and 2017. By now, everyone in the healthcare industry should know that the Breach Notification Rule and the related requirements apply to covered entities (e.g., providers, clearinghouses and health insurers), business associates (i.e., entities that contract directly with a covered entity) and subcontractors (i.e., entities that contract with business associates).

In light of this, it is a good time to remind physicians what to do in the event of a breach. First, follow your internal policies and procedures for evaluating whether there is a high or low probability that protected health information (PHI) was exposed. Examples of breaches include mailing a bill to the wrong recipient when that bill contains the PHI of another person whose information the recipient is not authorized to see; having an unencrypted laptop or USB drive stolen; or having a server or email account breached.

Presuming it has been determined that a high probability of a breach exists, the next step is to identify the number of individuals impacted. The affected individuals need to be notified by certified mail, or by email if the individual has consented to electronic notice. If a breach affects 500 or more persons, a media announcement is required. "Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction," the rule states. Then, the Secretary of the Department of Health and Human Services (HHS) needs to be notified within 60 days of the breach event. Notification is done by filling out and electronically submitting a breach notification form to HHS.

If a breach affects fewer than 500 individuals, individual notification is still required within 60 days. Notification to the media is not required. However, an annual report to the Secretary of HHS through the same online mechanism is required.

In sum, HIPAA and HITECH compliance and reporting are more important than ever. Physicians should make sure their staff is trained and that the proper internal and external breach notification reporting procedures are followed.