Who should notify patients when a data breach happens?

A covered entity should notify patients directly when a data breach involves their PHI.

Who is responsible for informing patients?

According to the HHS, “Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information.”

The Breach Notification Rule defines a breach as an unauthorized acquisition, access, use, or disclosure of protected health information (PHI). The rule places the responsibility to notify patients on both covered entities while business associates are responsible for notifying covered entities when a breach occurs within their organization. 

Does the responsibility differ between healthcare organizations and business associates?

There is a difference between the responsibility placed upon covered entities and business associates although both have a role in the breach notification process. Covered entities, including healthcare providers, health plans, and healthcare clearinghouses, are primarily responsible for notifying affected individuals when a breach occurs. This includes informing patients directly, describing the information breached, and the steps taken to protect themselves. 

Business associates are not directly responsible for notifying patients they must inform the covered entity that a breach has occurred. The covered entity must then take the necessary steps to notify individuals of the compromised data. 

The steps for notification

Covered entities

Detect and assess

• The first step is to identify and assess whether a breach of unsecured PHI occurred.

Investigate

• Next comes the thorough investigation to understand the nature and scope of the breach. 

Notify affected individuals

• If the breach is confirmed, the covered entity must notify the affected individuals through secure means like HIPAA compliant email. The notification must be sent without unreasonable delay and no later than 60 days after discovering the breach. This includes details like the type of breach, types of information involved, and the actions the person should take. 

Notify the Secretary of Health and Human Services

• For breaches involving 500 or more individuals, the covered entity must notify the Secretary of Health and Human Services (HHS) without unreasonable delay and no later than 60 days after the breach is discovered. 
• If the breach is fewer than 500 individuals the covered entity must maintain a log of the breach to submit to the HHS annually. 

Notify the media

• For breaches affecting 500 or more, the covered entity must notify prominent media outlets serving the area where the affected individuals reside. 
  
  

Business associates

Detect and assess

• Business associates must identify and evaluate any breaches of unsecured PHI. 

Notify the covered entities

• Upon discovery, the business associate must notify the covered entity as soon as possible, no later than 60 days after the breach is discovered. The notification should provide detailed information about the breach. 

Assist in notifications

• Although the business associate does not directly notify affected individuals, they may be required to assist the covered entity in managing the breach. 

Documentation

• They must document the breach and their response. 
  
  

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act is designed to protect the privacy and security of individuals. 

What is a business associate?

A person or company that performs services or functions for a covered entity and handles PHI.  

What happens if an organization doesn't notify patients?

If an organization fails to notify patients of a breach, it can face legal penalties, fines, and damages.