When a breach occurs, offices are required to notify the patients whose information may have been compromised in the breach. This is known as the Breach Notification Rule.
Individual Notification
In the event of a breach, you will be required to notify the patients involved within 60 days of discovery, or of when the breach should reasonably have been discovered. Patients should be notified by first-class mail to their last known address. If the patient has declined to receive notification by first-class mail, the notification can be sent via e-mail. To the extent possible, the notification to your patients should include:
- Description of the breach
- What information was involved in the breach
- Steps patients can take to protect themselves from potential harm resulting from the breach
- What steps your office is taking to mitigate the breach and prevent future breaches
- Contact information
There are times when the contact information for a patient is insufficient or out of date. If this is the case for 10 or more individuals, your office has two options. Your office could post the notification on your website home page for 90 days. Alternatively, your office could provide notice in major print or broadcast media where the patients would reasonably see the notification. The notice must include a toll-free phone number, active for at least 90 days, through which patients can learn whether their information was affected in the breach.
Business Associate
If a breach occurs at your Business Associate, your Business Associate is required to notify you within 60 days. Ultimately, a breach that occurs at your Business Associate is the responsibility of your office. This is one of the reasons a Business Associate Agreement (BAA) is vital. One of the provisions of a BAA requires that your Business Associate notify you as soon as a breach occurs. In addition, the BAA can place the responsibility for patient notification on your Business Associate.
Your office has the opportunity to avoid fines for a HIPAA breach if it has an up-to-date HIPAA Risk Analysis and remediates the breach within 30 days. Because prompt notification from your Business Associate is what makes that 30-day remediation possible, this underscores the importance of having a Business Associate Agreement.
500 or More Affected
When a breach affects 500 or more patients, there are additional requirements. Your office must also provide notice to prominent news sources. As with the individual notification to patients, the media must be notified within 60 days of discovery.
Notification to the Secretary
The Secretary of the Department of Health and Human Services (HHS) must be notified of all breaches by filling out the form on the HHS website (https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html). The timeframe for notifying the Secretary depends on whether 500 or more patients were affected. If fewer than 500 patients were affected, your office has until 60 days after the end of the calendar year in which the breach was discovered. If the breach affected 500 or more patients, the Secretary must be notified within 60 days of discovery, and the office will be posted on the Wall of Shame.
Burden of Proof
Each step of the breach notification process will need to be documented, as your office will have the burden of proof to demonstrate that all notifications were made.
Timeline
Ultimately, in the case of a breach, there are a few things to keep in mind.
- You have 60 days to notify any individuals involved
- If the breach affected 500 or more patients, you have 60 days to notify the Secretary and a prominent news source
- If the breach affected fewer than 500 patients, you have until 60 days after the end of the calendar year to notify the Secretary
Get Help
Responding to a breach can be a very difficult process, especially if there are more than 500 patients involved. You will want to engage with your insurance carrier to cover the costs associated with responding to the breach, and they will put you in touch with one of their health care attorneys. The cost involved in breach notification can be substantial. This is why, at TLD Systems, we recommend that offices investigate getting cybersecurity insurance policy coverage of at least $1 million that will support you with these notifications and with breach remediation.
If you have questions, please contact TLD Systems at info@tldsystems.com or (631) 403 6687.