The HIPAA Breach Notification Rule (2009) makes it mandatory for healthcare providers to report all data breaches of unsecured protected health information (PHI). Since HIPAA’s enactment in 1996, the U.S. Department of Health and Human Services (HHS) has established various additions and amendments to ensure stronger protections and responsibilities.
Understanding HIPAA is essential for covered entities and their business associates as they balance HIPAA compliance with patient care and PHI security. So what does the Breach Notification Rule add to HIPAA and why is such a rule necessary?
A HIPAA summary
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients.
HHS’ Office for Civil Rights (OCR) regulates and enforces the act, which consists of five sections (or titles). Most referenced is Title II, as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form. Included are several later rules:
- Privacy Rule (2003): covers the protection of PHI as well as compliance standards
- Security Rule (2005): sets required security standards to protect ePHI
- Enforcement Rule (2006): sets the rules for enforcing HIPAA and penalizing non-compliant organizations
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): sets the procedures for reporting breaches
- Omnibus Final Rule (2013): incorporates HITECH further by improving privacy protections
What is a data breach?
HHS defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of [PHI].” The Breach Notification Rule states that healthcare providers must report all breaches that involve unsecured PHI. “Unsecured” means that the data, once accessed or stolen, is still usable, readable, or decipherable. A breach is presumed to have exposed unsecured data unless the organization can demonstrate, based on a risk assessment, that there is a low probability the PHI was compromised. That risk assessment must determine what PHI was involved, who accessed it, the extent of the breach, and the nature of the resulting risk. According to HHS, there are three exceptions under which reporting is not necessary:
- The unintentional access of PHI was made in good faith and within the scope of authority
- PHI was inadvertently disclosed from one authorized person to another
- The good faith belief that an unauthorized person would not retain the information
Ultimately, the risk assessment and the type of data exposed will tell the healthcare provider its next steps under the Breach Notification Rule.
The HIPAA Breach Notification Rule
Once an organization discovers a breach, it must take immediate action by containing the breach and performing a risk assessment. Depending on the assessment results, the healthcare provider will more than likely need to notify HHS, affected individuals, and the media. If a business associate experienced the breach, it must notify the covered entity. An organization must first notify HHS through its breach notification website. Breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation). Breaches affecting fewer than 500 individuals must be logged and reported within 60 days of the end of the calendar year. Breaches affecting more than 500 individuals are posted on OCR’s Breach Notification Portal.
Second, the organization sends a breach notification letter to all affected individuals that includes:
- Breach description and when it occurred
- PHI involved
- Steps to mitigate the breach
- How victims can protect themselves
- How to communicate with the healthcare provider
If there is no contact information for 10 or more individuals, a substitute breach notice should be posted on a website and displayed for 90 consecutive days. Lastly, the provider should share what happened with local media to ensure that affected individuals who could not be contacted directly are still notified.
Don’t let this happen to you
But there is a way to avoid the hassle and embarrassment of an unsecured breach. Stop breaches and secure patient PHI by building a strong, layered cybersecurity program as indicated in HIPAA. So, what does strong cybersecurity include? All “required” and some “addressable” administrative, physical, and technical safeguards explored in the Security Rule. This means employee awareness training along with solid access controls (e.g., privileged access management), as well as strong policies and procedures that address breach response, data disposal, and offline backups (including separate storage for decryption keys). And finally, robust email security to block the most-used threat vector (or access point): email.
Paubox Email Suite for strong email security
HIPAA compliant email is the fastest, easiest way to communicate with patients and other providers while ensuring data remains inaccessible even after a breach.
Paubox guarantees strong email security with Paubox Email Suite. Our HITRUST CSF certified solution guarantees that all outgoing emails are encrypted and sent directly from existing email platforms (such as Microsoft 365 and Google Workspace). There is no need to use patient portals or third-party apps to communicate. Paubox Email Suite assures the safe transmission of ePHI via email because our patented software seamlessly encrypts all outgoing messages with blanket TLS 1.3 encryption. We also recently added a patent-pending Zero Trust Email feature for our Plus and Premium customers, which adds an AI-powered proof of legitimacy to all inbound emails before they are delivered. Unfortunately, data breaches are inevitable, but a proactive organization with a plan in place can mitigate risks, HIPAA violations, and OCR fines before they occur. Ensure you and your employees know the intricacies of HIPAA today and keep your patients’ information confidential.