Patient Notification in Breach Notification Letters
Prior to 2009, many breaches of unsecured PHI went unreported, both to the media and to breach victims. Individuals whose personal data or PHI had been compromised often discovered the breach only after their credit had been damaged or their identity had been stolen. In 2009, the Department of Health and Human Services (HHS) issued the HIPAA Breach Notification Rule. This regulation requires covered entities to notify “affected individuals” by letter of a breach of their unsecured PHI or electronic protected health information (ePHI).
An “affected individual” is someone whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach. This lawyer-speak definition acts as a hedge: when a HIPAA-covered entity sustains a breach, it may not know precisely how many (or which) patients’ information was compromised. The provider must often undertake a forensic investigation to discover precisely what happened and who was affected by the breach. The full details of breaches that involve phishing, ransomware, or other cyberattacks may only come to light after forensic examination, which in some cases takes weeks or even months. Therefore, the law requires HIPAA-covered entities to notify anyone they have reason to believe was a victim of the breach.
In its breach notification rule, HHS set a prompt deadline for delivery of the breach notification letter. Covered entities must provide the letter without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. The letter must be sent by first-class mail to affected individuals at their last known addresses.
HHS views notification as part of a patient’s rights. An affected individual has a right to be informed of breaches of unsecured protected health information so that the individual can, if appropriate, take steps to protect themselves from the consequences. Failure to provide the breach notification letter can itself subject an organization to HIPAA fines.