The HIPAA Breach Notification Rule: Requirements and Compliance Strategies

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured protected health information (PHI). A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy; an impermissible use or disclosure is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. Healthcare organizations must develop clear policies and procedures that enable them to make the required notifications within the designated timeframes if a breach occurs. Notification procedures should be included in HIPAA compliance training. Noncompliance can result in costly regulatory penalties.

This article breaks down the requirements for individual notice, notice to the HHS Secretary, and media notice.

Individual Notice

Organizations must notify individuals affected by a breach without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the organization other than the person who committed the breach, so the clock does not wait for an internal investigation to conclude. Written notifications must be sent via first-class mail to the individual's last known address. Email notice is acceptable if the individual has agreed to receive electronic notice and has not withdrawn that agreement. If contact information is insufficient or out of date for fewer than ten individuals, a substitute notice may be provided by an alternative form such as telephone or email. If contact information is insufficient or out of date for ten or more individuals, the substitute notice must be either a conspicuous posting on the home page of the organization's website for at least 90 days or a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside, and it must include a toll-free telephone number, active for at least 90 days, that individuals can call to learn whether their PHI was involved. Where the situation is urgent because of possible imminent misuse of the PHI, the organization may also contact individuals by telephone, but this does not replace the written notice.

All notices to affected individuals must be written in plain language and include the following information:

  • A brief description of what happened, including the date of the breach and the date of discovery, if known
  • A description of the types of unsecured PHI involved (for example, full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code)
  • The steps individuals should take to protect themselves from potential harm resulting from the breach
  • A brief description of what the organization is doing to investigate the breach, mitigate harm, and protect against further breaches
  • Contact procedures for individuals with questions, which must include a toll-free telephone number, an email address, a website, or a postal address

Here are some ways healthcare organizations can prepare to meet the individual notice requirements.

  • Create and maintain a Breach Notification Policy that clearly lays out reporting timelines, roles, and escalation procedures.
  • Draft a notification letter template and get it approved by legal and compliance departments.
  • Maintain accurate contact information to ensure mailing and email addresses are correct.

Notice to the Secretary

Healthcare organizations must notify the HHS Secretary of all breaches of unsecured PHI; only the timing differs with the size of the breach. If the breach affects 500 or more individuals, the organization must notify the Secretary contemporaneously with the individual notices, that is, without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, the organization must maintain a log of such breaches and submit them to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.

Organizations can submit their notifications using the online breach reporting portal provided by HHS.

Media Notice

If a breach affects more than 500 residents of a single state or jurisdiction, the organization must notify prominent media outlets serving that state or jurisdiction, typically through a press release, without unreasonable delay and no later than 60 calendar days after discovery. For this purpose, "state" includes U.S. territories and the District of Columbia, and "jurisdiction" means a geographic area smaller than a state, such as a county, city, or town. The content provided to the media must be the same as that required for the individual notice. Note that this count is of residents of one state or jurisdiction, so a breach of 500 or more individuals spread across several states may require notice to the Secretary but not to the media.

Here are some actions organizations can take to effectively communicate with the media and protect their reputation:

  • Designate a spokesperson to handle media communications. This person will likely come from the compliance, legal, or public relations departments.
  • Draft a media notification template that includes all the content required by the Breach Notification Rule to use as a press release. Compliance, legal, and PR departments should collaborate on this. The compliance and legal departments need to verify the notice meets the requirements, while the PR department refines the message to protect the organization’s reputation.
  • Maintain a list of email addresses for the prominent media outlets in the states or jurisdictions in which the organization operates.
  • Compile a list of appropriate wire services (Business Wire, PR Newswire, etc.) if the organization chooses to put out a press release on a larger scale.

Ensure your legal department or counsel reviews the final draft of the notification before sending it to media organizations or wire services.

All notifications, along with the risk assessment supporting any determination that an incident was not a reportable breach, must be documented and retained for at least six years. The organization bears the burden of demonstrating that all required notifications were made or that the incident did not constitute a breach, so the record should include the dates of discovery and of each notice, the method of delivery, and copies of the notices sent.

CompliancePoint has a team dedicated to helping healthcare organizations comply with all aspects of HIPAA. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.