Understanding HITECH Breach Notification Requirements
Maintaining the confidentiality and security of the information we protect is vital to the organizations and patients we serve. Because a breach can dramatically affect a patient's privacy and an organization's reputation, a solid understanding of the HITECH Act Breach Notification Requirements is essential.
The Health Information Technology for Economic and Clinical Health (HITECH) Act changed the HIPAA requirements for notification after a breach. HITECH added a requirement that covered entities (and, through them, their business associates) must give notice to affected individuals and to HHS when they discover that "unsecured" PHI has been breached. The original 2009 interim rule defined a "breach" as the "acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual." Note that the 2013 HIPAA Omnibus Rule replaced that "significant risk of harm" test: an impermissible acquisition, access, use, or disclosure of PHI is now presumed to be a breach unless the organization demonstrates, through the four-factor risk assessment described in Step 1 below, that there is a low probability the PHI has been compromised.
If your organization finds that there has been an impermissible use or disclosure of PHI, there are steps you should take to determine whether notice is required.
Step 1: Conduct a Risk Assessment
The first step when you suspect a breach has occurred is to conduct and document a risk assessment. The assessment weighs the following four factors to determine whether there is a low probability that the PHI has been compromised:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. For example, does the PHI include patient names, Social Security numbers, or other data that would let an unauthorized person identify the patient, and does it include sensitive clinical information such as diagnoses or treatment details?
- The unauthorized person who used the PHI or to whom it was disclosed. A disclosure to another HIPAA-covered entity that is itself obligated to protect the data carries less risk than a disclosure to an unknown third party.
- Whether the PHI was actually acquired or viewed. For example, if an email was misdirected, was it opened, or was it recalled or deleted unread? If a laptop was lost and later recovered, does forensic evidence show whether the data was accessed in the meantime?
- The extent to which the risk to the PHI has been mitigated. For example, has the recipient given satisfactory assurances (ideally in writing) that the information was destroyed and not further used or disclosed?
Unless the completed and documented assessment demonstrates a low probability that the PHI has been compromised, the incident is a breach and notification is required, provided the PHI was unsecured. PHI is "unsecured" if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance: for electronic PHI, encryption consistent with the NIST standards cited in that guidance (for example, NIST SP 800-111 for data at rest), or destruction of the media.
Loss of PHI that has been encrypted in this way is therefore not a reportable breach of unsecured PHI, which is why encryption that meets the HHS guidance can dramatically reduce the number of events that must be reported. Two caveats apply. First, the safe harbor depends on the decryption key remaining protected: HHS guidance expects keys to be kept on a separate device from the data they encrypt, and if the key was stored on the lost device or otherwise exposed along with the data, the PHI is not considered secured. Second, the encryption exception addresses notification only; the incident still has to be investigated and documented.
Step 2: Determine when notice should be sent
If notice is required, you must notify each affected individual without unreasonable delay, and in no case later than 60 calendar days after discovery. The 60 days is an outer limit, not a target, and many state laws impose shorter deadlines. A breach is "discovered" on the first day it is known to the organization, or would have been known had reasonable diligence been exercised. Knowledge of any workforce member or agent (other than the person who committed the breach) is attributed to the organization, so the clock can start on the day a staff member notices the problem, not the day it reaches the privacy officer.
Step 3: Notify Patients
Your organization must provide written notice to the individual at the individual's last known address by first-class mail, or by email if the individual has agreed to receive electronic notice. If contact information for ten or more affected individuals is out of date, substitute notice is required: a conspicuous posting on the organization's website for 90 days or notice in major print or broadcast media, in either case with a toll-free number that remains active for at least 90 days.
Step 4: Notify HHS
For breaches affecting fewer than 500 individuals, you must log each breach and report all of them to HHS no later than 60 days after the end of the calendar year in which they were discovered. The log is part of the documentation you must retain for six years to demonstrate compliance.
For breaches affecting 500 or more individuals, you must notify HHS at the same time you notify the affected individuals (without unreasonable delay and no later than 60 days after discovery) by completing the electronic breach report form on the HHS website; these breaches are then listed on the public HHS breach portal. If more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that state or jurisdiction within the same deadline.
If the organization does not yet know how many individuals were affected, HHS requires a good-faith estimate in the initial report; the submission can be supplemented as the investigation progresses.
Intrinium can help develop Risk Assessments and Breach Notification Policies and Procedures, such as a Breach Notification Letter Template, Incident Logs, etc.