Road to HIPAA Compliance: Breach Notification

by KirkpatrickPrice / March 31st, 2016

What is the Breach Notification Rule?

In this session, we discuss the Breach Notification Rule, define what a data breach is, discuss how long you have to report a breach, who to tell, and what to tell them. We also discuss strategies for reducing the risk of a data breach.

Data Breach FAQs

What is a breach? A breach is the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted (by rule) which compromises the security or privacy of the protected health information.

Did I have a breach? Not everything is a breach; your organization must determine if you’ve had an incident, a violation of the Privacy Rule that doesn’t constitute a reportable breach, or a legitimate breach.

Who do I tell about a breach? It’s important to know if you had a breach and correctly analyze it because you’ll need to know the nature and scope in order to communicate to the correct parties. Covered entities have three parties that they need to notify of a breach: patients, DHHS, and potentially the media. When you have a breach, you will always need to notify affected patients and DHSS – no exceptions. If over 500 individuals have been affected, your covered entity will need to alert the media.

What do I tell them? In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties:

  • What happened
  • What kind of PHI was disclosed in the breach
  • What patients should do to mitigate harm
  • What you’re doing to investigate and mitigate future harm
  • How they can contact you

How long do I have to report a breach? Patients need to be notified within 60 days of discovery, as well as the media if necessary. If less than 500 individuals have been affected, the DHHS should be notified within 60 days of when the breach occurred. If the breach impacts more than 500 individuals, the DHHS should be notified within 60 days of discovery.

What can I do to reduce risk? There are several things your organization can do to reduce risk, including:

  • Establish policies and procedures
  • Thorough, proper training for your employees regarding breach notification
  • Test your policies and procedures and training by performing a mock breach assessment to identify if there are any gaps
  • Implement operational controls
  • Engage third-parties to conduct audits

To learn more about our HIPAA compliance services, contact us today to speak to an expert.