Organizations considered "covered entities" and their business associates as defined under the Health Insurance Portability and Accountability Act (HIPAA) have been required to provide notification following a breach of "protected health information" (PHI) for nearly a decade. But as we reported in a recent post, some small healthcare providers and the companies that conduct regular business with them misunderstand their regulatory obligations and/or believe compliance is optional based on their size or the nature of their operations.
Confusion regarding HIPAA’s breach notification rules represents financial risk for covered entities and their associates as fines and penalties may be issued for violations. And if misperceptions lead to failure to comply with regulations, patients and customers are at risk, too, as they may lose the opportunity to protect themselves from invasion of privacy and identity theft.
So, when we saw a recent overview of HIPAA breach notification processes published by HealthData Management magazine, we wanted to share a digest with readers as part of our regular coverage of IT issues for healthcare organizations. Here are seven critical processes covered entities and their business associates must follow:
- Determine whether you experienced a breach -- Under the HIPAA Breach Notification Rule, a breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of that information. The Department of Health and Human Services (HHS) provides details on its website. Note that the rule presumes an impermissible use or disclosure is a breach unless you can demonstrate a low probability that the PHI was compromised. A good rule of thumb: if you have any doubts, assume you have been breached and proceed with step 2.
- Conduct a risk assessment -- When you suspect a breach, assessing risk means investigating at least four factors: "the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated." Document the conclusion for each factor; the assessment is what supports a decision not to notify, so it must be defensible later.
- Evaluate permissible notification exceptions -- HHS recognizes three exceptions to the definition of a breach. Again, HHS provides details on its website. In short, the three exceptions are: 1) unintentional acquisition, access or use of PHI by a member of your workforce acting in good faith and within the scope of their authority, provided it does not result in further impermissible use or disclosure; 2) inadvertent disclosure of PHI by a person authorized to access it to another person authorized to access PHI at the same covered entity or business associate; and 3) an impermissible disclosure to an unauthorized person where you have a good-faith belief that the recipient would not reasonably have been able to retain the information.
- Report only breaches of unsecured PHI -- The notification rule applies to "unsecured" PHI. PHI that was encrypted in accordance with HHS guidance, or properly destroyed, before the incident is considered secured because unauthorized individuals cannot read or decipher the records, and its loss need not be reported. Two caveats: encryption only counts if the decryption keys were not also exposed (a lost laptop with the key stored on it is still a reportable breach), and the encryption must meet the HHS guidance, not merely a vendor's claim that data is "protected."
- Give notice within acceptable timeframes -- Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovering a breach; 60 days is an outer limit, not a target. For breaches affecting 500 or more individuals, HHS must be notified within the same 60-day window (and, where more than 500 residents of a state or jurisdiction are affected, prominent media outlets must be notified as well). Breaches affecting fewer than 500 individuals may be logged and reported to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach of PHI they handle; the covered entity's own clock then runs from that point, so contracts should specify a much shorter reporting window.
- Show proof of notice -- Covered entities and business associates bear the burden of proof: they must be able to demonstrate that all required notifications were made, or that the use or disclosure did not constitute a breach under the rules. Keep the risk assessment, notification letters and dates of discovery and notice on file.
- Document policies and procedures -- Covered entities and business associates must develop written policies and procedures for breach notification, train workforce members on them, and apply sanctions to staff who fail to comply.
Need help complying with these rules? Many IT Managed Services Providers (MSPs) have experience helping healthcare clients and their business associates cope with HIPAA regulations.