Under the HIPAA Breach Notification Rule, What is Substitute Notice?
If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide HIPAA breach notification by substitute individual notice. Substitute individual notice may be provided by the covered entity either by:
- Posting the notice on the home page of its website for at least 90 days; or
- Providing the notice in major print or broadcast media where the affected individuals likely reside.
The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach.
If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.
HIPAA breach reporting requires that all individual notifications be provided without unreasonable delay, and in no case later than 60 days following the discovery of a breach. The notifications must include, to the extent possible:
- A brief description of the breach;
- A description of the types of information that were involved in the breach;
- The steps affected individuals should take to protect themselves from potential harm;
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and
- Contact information for the covered entity.
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual. This consideration may depend on various circumstances, such as:
- The functions the business associate performs on behalf of the covered entity; and
- Which entity has the relationship with the affected individual.
Are Covered Entities and Business Associates Subject to Additional HIPAA Breach Reporting Requirements?
Yes. In the event of an audit, covered entities and business associates, as applicable, have the burden of demonstrating either that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.
Therefore, covered entities and business associates are well-advised, with respect to an impermissible use or disclosure, to maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required.
The documentation covered entities should keep to prove that notification was not required includes the HIPAA Breach Notification Rule risk assessment demonstrating a low probability that the protected health information was compromised by the impermissible use or disclosure.
Covered entities are also required to comply with certain administrative requirements with respect to HIPAA breach reporting. For example, covered entities must:
- Maintain written policies and procedures regarding breach notification;
- Train employees on these policies and procedures; and
- Develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.