The HIPAA Breach Notification Rule requires healthcare providers to inform patients about data breaches that involve the access, use, or disclosure of unsecured protected health information (PHI).
Keep reading to learn how to deliver this information as efficiently and securely as possible.
HIPAA requirements for reporting data breaches to patients
Upon identifying a breach, covered entities need to conduct a risk assessment to determine if the incident meets the criteria for reporting. To do this, consider the following questions:
- What is the nature and extent of the PHI involved?
- Who accessed or utilized the PHI?
- Was the PHI acquired or viewed?
- Has the risk been mitigated, and to what extent?
If deemed reportable, covered entities must notify all affected individuals “without unreasonable delay and no later than 60 days after discovering the breach.” Notifications may be sent via first-class mail or email, as long as the patient has consented to receive electronic communications. Unnecessarily delaying these updates is considered a violation of the HIPAA Breach Notification Rule.
Notifications to patients should include a brief description of the HIPAA breach, the type of information disclosed, and the steps affected individuals can take to protect themselves. Also, make sure to explain what your organization is doing to investigate the incident, reduce harm, and protect against future breaches.
In addition to notifying individuals, covered entities must inform the Secretary of Health and Human Services (HHS) of breaches by filling out a breach report form on the HHS website. If the breach affects 500 or more people within a state or jurisdiction, the incident must also be reported to prominent media outlets serving that area.
Using email to inform patients of a HIPAA breach
Email is faster and more reliable than first-class mail, which makes it an ideal channel for informing patients of a data breach. Since notifications include information about the status and storage of PHI, they must themselves be sent in a HIPAA compliant manner. Using a HIPAA compliant email marketing platform is the best way to quickly communicate thorough information on a breach while keeping patients’ data secure and inaccessible to bad actors.
To be HIPAA compliant, a business associate agreement (BAA) must be in place to hold third-party platforms accountable for safeguarding PHI. Many popular solutions like Hubspot and Mailchimp are unwilling to sign a BAA. Other companies, such as Constant Contact, will state that they sign a BAA. Still, their terms and conditions prohibit the transmission of PHI.
Using HIPAA compliant email marketing for secure notification
Paubox Marketing provides a BAA and encrypts every outbound email—whether it contains PHI or not. Recipients are able to receive emails directly in their inboxes without having to access any separate portals. Paubox Marketing also maximizes deliverability so that emails avoid spam folders, which makes patients more likely to see breach notifications and take any necessary action.
In some cases, a data breach will only impact a specific patient population. Paubox Marketing allows you to seamlessly build segmented audiences based on PHI and personal details. This ensures the efficient delivery of information to the right people.
Under the HIPAA Breach Notification Rule, data security incidents that involve PHI must be reported to all impacted patients within 60 days. By using a HIPAA compliant email marketing platform, covered entities can deliver these critical updates promptly and securely.