What is a Breach Notification?

HIPAA was passed in 1996. However, it was not until 2006 that the Department of Health and Human Services (HHS) created the HIPAA Enforcement Rule. The Enforcement Rule authorized the Office for Civil Rights (OCR) to fine non-compliant entities. In 2009, HHS added an additional enforcement rule. Under this rule, the breach notification rule, covered entities and business associates are required to notify individuals and HHS of a breach of unsecured protected health information. What a breach notification must contain depends on whom the covered entity is required to inform, which in turn depends on the size of the breach. The question of what a breach notification is, and what it must include, is discussed below.

What is a Breach Notification: The Notice Requirements

The HIPAA breach notification rule requires covered entities, following the discovery of a breach of unsecured PHI, to notify each person whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

The notification must be in writing, and must be provided without unreasonable delay. The notice must be provided within 60 calendar days after the discovery of a breach.

The key question when addressing what a breach notification is: what kind and level of detail must a breach notification include? The HIPAA breach notification rule requires that a breach notification include five components:

  1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. If a covered entity does not know the date of discovery, and cannot give a reasonable estimate, the covered entity should indicate that it does not know the date of discovery, instead of “guessing” a date.
  2. A description of the types of unsecured protected health information involved in the breach. PHI consists of 18 unique identifiers, which include, among others, date of birth, diagnosis, bank account number, and Social Security number. The notice must list each type of PHI that was exposed by the breach.
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach. The Federal Trade Commission (FTC) provides suggestions as to how to word this component:
    • If the breach puts people at risk for identity theft or other possible harm, then, according to the FTC, the advice as to steps to take must be relevant to the kind of information that was compromised. Covered entities should consider referring people to the FTC’s identity theft website, www.ftc.gov/idtheft. This resource allows individuals to report and recover from identity theft.
    • If the breach involves health insurance information, the covered entity might suggest that individuals contact their healthcare providers if bills don’t arrive on time, in case an identity thief has changed the billing address. The FTC also advises, in cases where the breach involves health insurance information, that individuals pay attention to the Explanation of Benefit forms from their insurance company to check for irregularities. If an individual discovers an irregularity or error, the individual should contact their health plan to notify the plan of possible medical identity theft or to ask for a new account number.
    • If the breach includes Social Security numbers, the covered entity might suggest that individuals obtain a free copy of their credit report from www.annualcreditreport.com. The covered entity might suggest that individuals monitor the credit report for signs of identity theft, and that individuals place a fraud alert on their credit report. If individuals spot suspicious activity on their credit card accounts, they should contact the local police, and, if appropriate, obtain a credit freeze from their credit card issuers.
    • If the breach includes financial information, such as a credit card or bank account number, the covered entity might suggest that individuals monitor credit card and bank accounts for suspicious activity. Covered entities might also suggest that individuals should contact their financial institutions about closing any accounts that may have been compromised.
  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches. Here, the covered entity should describe what steps it has taken, or will soon take, to protect individuals’ PHI from further harm or similar circumstances. Such steps may include the covered entity’s having:
    • Initiated a forensics security investigation;
    • Filed a police report on [list date];
    • Initiated a criminal investigation;
    • Disciplined employees/providers by suspension/termination of employment/staff privileges;
    • Addressed technology updates or changes triggered by the incident to improve confidentiality, such as strengthening technology safeguards or administrative policies and procedures.
  5. Contact procedures for individuals to ask questions or learn additional information. Contact information must include toll-free telephone numbers, email addresses, websites, and/or postal addresses.

What is a Breach Notification: Special Provision for Larger Breaches

For a breach of unsecured protected health information involving more than 500 residents of a state, a covered entity must notify prominent media outlets serving the state. Covered entities typically provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. The content of the notice to the media must include the same information that the content for an individual notice contains.

What is a Breach Notification: Notification to the HHS Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the HHS Secretary of breaches of unsecured protected health information. Covered entities must notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

Prevent HIPAA Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!