There's Been a Breach of Protected Health Information (PHI) – Now What?

There’s Been a Breach of Protected Health Information (PHI) – Now What?

May 4, 2017
Publications

By Julia Coelho
PaPS General Counsel

As a health law attorney, one of the subject areas I am frequently asked about is compliance with the Health Insurance Portability and Accountability Act of 1966, as amended (“HIPAA”). Whether you are an independent provider, a member of a physician group, or employed by a large healthcare system, you invariably have had to become familiar with HIPAA and its implementing regulations, which are in place to ensure the confidentiality and security of a patient’s PHI and prevent breaches of unsecured PHI. While the goal of healthcare providers, who often expend significant time and resources to achieve compliance with HIPAA, is to ensure that a breach of PHI will never occur, in today’s day and age with the threats posed by the widespread use of social media, use of portable devices, and increasing vulnerability to cyber-attacks, chances are that providers will have to deal with a breach of PHI at some point in their professional careers. That brings me to the subject matter of this article. Let’s say your practice is a “Covered Entity[1]” under the HIPAA Privacy Rule and has determined that a breach of PHI involving multiple patients has occurred[2], what is it required to do next?

The Omnibus Rule requires that, without unreasonable delay, but no later than 60 calendar days after the Covered Entity’s discovery of the breach, it must notify the affected individuals by first class mail or by email if the individual has consented to receive notifications by email, and the consent has not been revoked[3]. Note that the meter on the 60 day deadline for notifications starts to run on the earlier of the date of the actual discovery of the breach, or the date when the Covered Entity would have known of the breach “if exercising reasonable diligence.”[4] Therefore, providers should be aware that notification within 60 days of discovery might not satisfy the HIPAA breach notice requirement if the circumstances demonstrate that the provider overlooked the breach and the breach could have been discovered sooner if reasonable safeguards around patient privacy and security had been in place.

In addition to notifying the affected individuals, the Covered Entity must follow additional notification procedures depending on the number of individuals affected by the breach. For breaches involving 500 or more individuals within a state or jurisdiction, the Covered Entity must also (1) notify the Department of Health and Human Services (“HHS”) when it notifies the affected individuals of the breach in the manner specified on the HHS website,[5] and (2) without unreasonable delay, and in no event more than 60 days following discovery of the breach, notify the prominent media outlets serving the state or jurisdiction. For breaches involving fewer than 500 individuals, the provider is not required to notify the media, but it must still notify HHS of the breach; although, this can be done on an annual basis, within 60 days after the end of the calendar year in which the breach was discovered.

[1] Under the Privacy Rule, the definition of “Covered Entity” includes healthcare providers who transmit health information in electronic form in connection with transactions covered by the Privacy Rule (e.g., healthcare providers who, directly or through a billing company, submit claims for payment to an insurance company over the internet).

[2] Evaluating whether or not a breach has occurred requires the application of defined terms and a thorough analysis of at least four factors outlined in the Omnibus Rule, 78 Fed. Reg. 5565 (Jan. 25, 2013). A discussion of the definition of “breach” and the standard for determining whether or not a “breach” of PHI has occurred is outside the scope of this Article.

[3] 45 C.F.R.§161.404.

[4] 45 C.F.R §161.404(a), (b).

[5] See, https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true (accessed March 31, 2017).