
Information to include in a breach notification

Healthcare organizations have the responsibility of informing those impacted by data breaches. These notifications have to include information that tells patients which types of data were compromised. An American Medical Association article further establishes, “HIPAA only requires breach notification for unsecured PHI (e.g., unencrypted PHI). As such, physicians are encouraged to use appropriate encryption and destruction techniques for PHI, which render PHI unusable, unreadable or indecipherable to unauthorized individuals.” Notifications also often describe the steps the organization has taken to investigate the breach and prevent further harm.

Information included in a data breach notice

Information for individual notification

  • A brief explanation of what happened, including the date of the breach and the date of discovery, if known.
  • A description of the types of unsecured protected health information (PHI) involved, such as full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code.
  • Guidance on the actions individuals should take to protect themselves from potential harm resulting from the breach.
  • A description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and prevent further breaches.
  • Contact procedures for individuals to ask questions or obtain additional information. This includes a toll-free telephone number, email address, website, or postal address.
  • HIPAA breach notifications must be sent without unreasonable delay and no later than 60 days from the date the breach is discovered.

Information for notifying Department of Health and Human Services (HHS)

Notifications must be submitted to the Secretary of the Department of Health and Human Services via the Office for Civil Rights breach reporting tool.

  • Breaches impacting more than 500 individuals: The covered entity must notify HHS without unnecessary delay and no later than 60 days from the discovery of the breach.
  • Breaches impacting fewer than 500 individuals: Notifications to HHS must be issued within 60 days of the end of the calendar year in which the breach was discovered.

Notification to the media

If the breach involves the unsecured PHI of more than 500 residents of a state or jurisdiction, the covered entity must notify a prominent media outlet serving that area. The media notification must be issued without unreasonable delay and within 60 calendar days after the breach is discovered.

Business associate responsibilities

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days from its discovery, unless the business associate agreement provides otherwise.

The value of transparency following a data breach

A clear description of a breach, the types of data compromised, and the risks involved allows those affected to assess their level of vulnerability. The degree of transparency also shows a commitment on the organization's side to be accountable for the incident. A well-structured notification fulfills a legal obligation and serves as a measure to protect the well-being of those whose information has been compromised. 

FAQs

What if a company is both a HIPAA business associate and offers personal health record services to the public?

If a company is a HIPAA business associate that also offers personal health record services to the public, it may be subject to both the HHS and FTC Breach Notification Rules.

What constitutes a breach requiring notification?

The Breach Notification Rule requires covered entities to notify patients when their unsecured PHI is impermissibly used or disclosed, or “breached,” in a way that compromises the privacy and security of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.

What does unsecured PHI mean in the context of the Breach Notification Rule?

Unsecured PHI refers to PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.