The Breach Notification Rule establishes protocols for handling and responding to significant data breaches involving protected health information (PHI). When a breach impacts more than 500 individuals, covered entities have to follow reporting obligations that demand immediate action to protect patient privacy and maintain regulatory compliance.
These significant breaches require extensive and time-sensitive notification processes that involve multiple stakeholders.
Affected individuals must be notified within 60 days of the breach being discovered. For breaches impacting 500 or more individuals, HHS requires covered entities to issue notifications promptly and to give a thorough, detailed account of the breach that includes:
If a breach affects 500 or more individuals, covered entities must notify the Secretary immediately, and no later than 60 days following the discovery of the breach.
Covered entities are also required to notify media outlets when a breach affects more than 500 residents of a state or jurisdiction. This notification is in addition to the individual notifications and must:
Notifications must detail the nature and scope of the breach. This includes identifying the type of PHI compromised (such as names, Social Security numbers, medical record numbers, or treatment details) and explaining how the breach occurred. Individuals should receive guidance on the potential risks, such as identity theft or financial fraud, and on steps to mitigate those risks, like credit monitoring, fraud alerts, or identity protection services.
The notification must also outline the covered entity's response, including the immediate containment of the breach, the steps taken, such as forensic analysis or internal review, and the implemented safeguards to prevent similar incidents. This might include enhanced security protocols, staff retraining, technology upgrades, or revised data handling procedures that directly address the vulnerabilities exposed by the breach.
When notifying affected individuals, covered entities must use the communication method previously agreed upon by the individual—either standard US mail to their most recent address or email. In situations where contact information is incomplete or no longer current, the organization must provide substitute notification methods that include:
The OCR must be informed immediately through the HHS Breach Reporting Portal, with all details of the breach submitted electronically.
The Anthem Inc. breach in 2015 remains one of the largest healthcare data breaches in history, affecting approximately 78.8 million individuals. The incident resulted in a $16 million settlement with the OCR.
For breaches affecting fewer than 500 individuals, notifications to HHS can be done annually. For breaches affecting 500 or more individuals, notifications to HHS must be immediate, and media outlets must be notified as well.
Organizations can offer credit monitoring services and identity theft protection, and can provide resources or hotlines through which affected individuals can get more information and assistance.
Yes, there are several tools, such as the HHS Breach Reporting Portal.