The Breach Notification Rule establishes protocols for handling and responding to significant data breaches involving protected health information (PHI). When a breach impacts more than 500 individuals, covered entities have to follow reporting obligations that demand immediate action to protect patient privacy and maintain regulatory compliance.
These significant breaches require extensive and time-sensitive notification processes that involve multiple stakeholders.
Notification timeframe
Affected individuals must be notified within 60 days of the breach being discovered. The HHS requires that for breaches impacting 500 or more individuals, covered entities must provide notifications quickly and provide a thorough and detailed account of the breach that includes:
- A detailed breach description
- Types of information involved
- The extent and sensitivity of the information
- Potential consequences
- Steps the company has taken to mitigate the breach
- Steps that individuals can take to protect themselves
- Contact information for the covered entity
If a breach affects 500 or more individuals, covered entities must notify the Secretary immediately, and no later than 60 days following the discovery of the breach.
Covered entities are also required to notify media outlets when a breach affects more than 500 residents of a state or jurisdiction. This notification is in addition to the individual notifications and must:
- Be provided to media outlets serving the specific state or jurisdiction
- Take the form of a press release to appropriate media outlets in the affected area
- Be delivered without unreasonable delay and no later than 60 days following the discovery of the breach
- Include the same information required for individual notices
Notification content
Notifications must detail the nature and scope of the breach. This includes identifying the type of PHI compromised such as names, Social Security numbers, medical record numbers, or treatment details, and explaining how the breach occurred. Individuals should receive guidance on potential risks, such as identity theft or financial fraud, and steps to mitigate these risks, like credit monitoring, fraud alerts, or identity protection services.
The notification must also outline the covered entity's response, including the immediate containment of the breach, the steps taken, such as forensic analysis or internal review, and the implemented safeguards to prevent similar incidents. This might include enhanced security protocols, staff retraining, technology upgrades, or revised data handling procedures that directly address the vulnerabilities exposed by the breach.
Notification methods
When notifying affected individuals, covered entities must use the communication method previously agreed upon by the individual—either standard US mail to their most recent address or email. In situations where contact information is incomplete or no longer current, the organization must provide substitute notification methods that include:
- Posting a prominent notice on their website for at least 90 days
- Providing notice in major print or broadcast media where affected individuals likely reside
The OCR must be informed immediately through the HHS Breach Reporting Portal, with all details of the breach submitted electronically.
In the news
The Anthem Inc. breach in 2015 remains one of the largest healthcare data breaches in history, affecting approximately 78.8 million individuals. The incident resulted in a $16 million settlement with the OCR.
FAQs
What are the differences in notification requirements between breaches affecting fewer than 500 individuals and those affecting 500 or more?
For breaches affecting fewer than 500 individuals, notifications to HHS can be done annually. For breaches affecting 500 or more individuals, notifications to HHS must be immediate, and media outlets must be notified as well.
What additional support can healthcare organizations provide to affected individuals?
Organizations can offer credit monitoring services, identity theft protection, and provide resources or hotlines for affected individuals to get more information and assistance.
Are there any tools available to help organizations comply with HIPAA breach notification requirements?
Yes, there are several tools, such as the HHS Breach Reporting Portal.
