The Health Breach Notification Rule was enacted as part of the HITECH Act in 2009. The rule was a response to the increasing digitization of medical records, growing cyber threats, and the need for stronger privacy protection. The rule aims to establish stringent regulations for safeguarding personal health information, promoting transparency and trust between patients, healthcare professionals, and technology vendors.
Why is the Health Breach Notification Rule important?
The Health Breach Notification Rule protects individuals' privacy and secures health information in an era of increasing cyber threats. It fosters trust in the healthcare system and encourages individuals to take appropriate steps in case of a breach, ensuring that healthcare professionals and technology vendors are held accountable.
Who must comply with the Health Breach Notification Rule?
The Health Breach Notification Rule applies to health information vendors, personal health record (PHR) service providers, and their third-party service providers.
- Health information vendors include any person or entity that provides services for, or on behalf of, a covered entity and involves the disclosure of individually identifiable health information.
- PHR service providers are entities that offer individuals access to their own personal health information.
It is distinct from the HIPAA Breach Notification Rule, which applies to covered entities and their business associates. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are entities that perform functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of a covered entity.
While there is some overlap between health information vendors and business associates, the main difference lies in the nature of the services provided. Health information vendors are specifically involved in the creation, management, or exchange of health information, while business associates may provide a broader range of services that may or may not be directly related to health information.
What constitutes a breach under the Health Breach Notification Rule?
A breach is the unauthorized acquisition, access, use, or disclosure of unsecured, personally identifiable health information. Unsecured health information refers to data not protected through methods specified by the Secretary of Health and Human Services (HHS), such as encryption. The incident must pose a risk of financial, reputational, or other harm to the individual to be considered a breach.
What must be done in case of a breach?
In the event of a breach, affected individuals must be notified without unreasonable delay and within 60 calendar days of discovering the breach. The notification should include a description of the breach, the types of information involved, steps affected individuals can take to protect themselves, contact information for the organization responsible, and information about the organization's response to the breach.
- If the breach affects 500 or more individuals, the organization must notify the Federal Trade Commission (FTC) within 10 days.
- If a breach affects fewer than 500 individuals, the organization must log it and report such breaches to the FTC annually, within the first 60 days of each year.
To ensure compliance with the Health Breach Notification Rule, healthcare professionals and technology vendors should take the following steps:
- Develop a breach response plan, including procedures for internal reporting, investigation, and notification. Designate a responsible party within your organization to handle breach response and reporting.
- Train employees on identifying, reporting, and responding to potential breaches. Conduct regular training sessions to ensure staff are up-to-date on the latest threats and best practices.
- Regularly review and update security measures to protect personal health information. Implement encryption, access controls, and other safeguards to secure health information.
- Maintain a log of breaches affecting fewer than 500 individuals and report them to the FTC annually.
What are the penalties for non-compliance?
Non-compliance with the Health Breach Notification Rule may result in legal and financial penalties, including civil monetary penalties and potential liability under state laws. Non-compliance can also impact the organization's reputation, leading to lost business and diminished trust from patients and partners.
What is the difference between HIPAA's Breach Notification Rule and the FTC's Health Breach Notification Rule?
The HIPAA Breach Notification Rule and the Health Breach Notification Rule are separate regulations that apply to different entities and types of information.
HIPAA Breach Notification Rule:
- Applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.
- Focuses on breaches of protected health information (PHI).
- Notification to affected individuals must occur without unreasonable delay and no later than 60 calendar days after discovering the breach.
- Notification to the Secretary of Health and Human Services is required in addition to notifying affected individuals and the media.
- Notification requirements are the same regardless of the number of affected individuals.
Health Breach Notification Rule:
- Applies to health information vendors, personal health record (PHR) service providers, and their third-party service providers.
- Covers breaches of unsecured, personally identifiable health information.
- Notification must occur within 60 calendar days of discovering the breach.
- Notification to the Federal Trade Commission (FTC) and prominent media outlets is required if the breach affects 500 or more individuals.
- Organizations must log breaches affecting fewer than 500 individuals and report them to the FTC annually.
Why the Health Breach Notification Rule matters
Healthcare professionals, technology vendors, and healthcare SaaS providers must understand their obligations under the rule and take proactive steps to ensure compliance. Developing a breach response plan, training employees, implementing security measures, and maintaining accurate records minimizes the risk of breaches and the legal and financial penalties that come with non-compliance.
Understanding the differences between the Health Breach Notification Rule and the HIPAA Breach Notification Rule can help organizations ensure that they are compliant with both regulations and are adequately protecting individuals' health information.