Welcome to the second post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. To recap, there are generally three initial steps a practice takes in the face of a potential HIPAA breach. First, perform a risk assessment to determine whether a breach, in fact, occurred. Second, if the risk assessment reveals that personal health information (PHI) was likely compromised, notify the patients involved. Third, report the breach to HHS’s Office of Civil Rights (OCR).
This post explores the second step—notifying patients. Future posts will discuss the third step required if the risk assessment reveals a breach occurred. Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach. If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, email@example.com. You may also learn more about our law firm by visiting www.hamillittle.com.
Timing of Notice
If the Risk Assessment revealed that a HIPAA breach likely occurred, the next step is to determine what notice of the likely breach is required. The Covered Entity (or, in some cases, the Business Associate) must provide notice to affected patients without unreasonable delay and in no case later than sixty calendar days after the discovery of the breach.
Form of Notice
Patient notice must be in written form by first-class mail. Email may be used if the patient has agreed to such electronic notices. In addition to what is required, we generally find it useful to provide a two-stage notice to impacted individuals by calling them before sending the required letter.
If the contact information for ten or more patients is out of date, the Covered Entity has to provide what is called “substitute notice,” either by posting the notice on the entity’s website for ninety days or by publishing it in major print or broadcast media in the area where the patients likely live. If the Covered Entity has out-of-date contact information for fewer than ten patients, the entity can use a different method of substitute notice, such as calling the patient.
In addition to the above individual notice, when breaches affect more than 500 residents of a state or jurisdiction, the Covered Entity must also provide notice through a media outlet in that jurisdiction, such as a press release.
Substance of Notice
In general terms, notice to patients, both via phone and letter, should convey in simple terms what happened, including the type of information and identifiers accessed, acquired, used, or disclosed; a description of the investigation done to discover and determine the extent of the breach; and the type of mitigation done to limit the resulting harm and prevent it from occurring in the future. The list of “Actions Taken in Response to Breach” on HHS’ breach reporting form (pages 8-9) is a useful resource to get ideas for steps to mitigate harm and correct vulnerabilities.
In addition, it can go a long way to convey an apology for the breach and offer to help the patient mitigate any additional damage that may result from the breach. Because a major concern with HIPAA breaches is identity theft, it can be useful, if not required, to provide resources on identity theft protection. The Federal Trade Commission has useful identity protection information on IdentityTheft.gov and many states offer additional guidance.
It is also useful to listen to the patients’ expectations for resolving the situation and to welcome any feedback.
It is important to document each notice provided in an Incident Database or a Breach Notification Log. For each individual notified, document: (1) the date of the conversation, (2) a brief summary of the call, and (3) the name of the person who was notified.
Stay tuned for part 3 of our series, all about reporting breaches to the U.S. Department of Health and Human Services. If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, firstname.lastname@example.org. You may also learn more about our law firm by visiting www.hamillittle.com.
*Disclaimer: Thoughts shared here do not constitute legal advice.