Notification requirements if fewer than 500 individuals are affected

The Breach Notification Rule requires that covered entities follow an outlined process when protected health information (PHI) is inappropriately used or disclosed. In cases where fewer than 500 individuals are affected, organizations must still take the necessary steps to report the breach and notify the relevant parties, because doing so demonstrates their commitment to protecting sensitive medical data and remaining HIPAA compliant.

Unlike breaches that affect a large group of individuals, these smaller-scale breaches have a different reporting timeframe and notification method.


Notification timeframe

Affected individuals must be notified without unreasonable delay, but no later than 60 days after the discovery of the breach. 

According to the HHS, "If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form."


Notification content

Notifications should include a description of the breach, the types of information involved, steps individuals can take to protect themselves, and what the covered entity is doing to investigate and prevent further damage from the breach.


Notification methods

A written notice must be provided to the individual via US mail to their last known address, or by email, depending on the communication method the individual has agreed to. If no contact information is available, or if it is out of date, the covered entity may provide a substitute notice by posting a notice of the breach on its website.

The OCR must also be informed no later than 60 days after the end of the year in which the breach occurred. This notice should be provided by filling out a breach report form.


In the news

The Hospice of Northern Idaho settlement was the first of its kind: a HIPAA settlement involving fewer than 500 individuals. It came as a result of a company laptop containing PHI that was stolen in 2010, leading to a fine of $50,000 from the OCR.


FAQs

What information should be included in a breach notification to individuals?

A breach notification should include a description of the breach, the type of information involved, potential consequences, and steps individuals can take to protect themselves.


How should healthcare organizations notify HHS of a breach?

Healthcare organizations should use the HHS Breach Reporting Portal to report breaches.


What are the consequences of failing to meet HIPAA breach notification requirements?

Consequences can include fines, legal penalties, and damage to the organization's reputation.