
Reporting Requirements for Health Information Breach

By Michael L. Smith, R.R.T., J.D.

(June 5, 2013) – All health care providers know that the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to report the breach of unsecured protected health information. Most health care providers do not know exactly how to report the breach of unsecured protected health information. The actual breach notification requirements vary slightly based upon the number of patient records involved in the breach and whether the covered entity has current contact information for those patients.

Unsecured protected health information is any health information that is not encrypted. Paper records are always unsecured, but electronic records may be unsecured or encrypted. A breach is an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. There is always a breach of unsecured protected health information when paper records or unencrypted electronic records are lost.

Every covered entity must notify each affected individual (patient) following the discovery of a breach of unsecured protected health information, regardless of the number of patients involved. The notifications to the affected individuals must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach. The notice to the patients must include a description of the breach; a description of the types of information that were included in the breach; the steps the patients should take to protect themselves from potential harm; a description of what the covered entity is doing to investigate the breach, mitigate the harm to the patients, and prevent further breaches; and contact information for the covered entity. Most covered entities are also purchasing identity theft protection services for the patients affected by a breach.

The individual notice to patients must be provided in writing by first-class mail, or alternately by e-mail if the patient has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more affected individuals, the covered entity must also provide substitute individual notice by either posting the notice on the home page of its web site, or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means. Any substitute notice provided via web posting or major print or broadcast media must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

Every breach of protected health information must also be reported to the Secretary of the Department of Health and Human Services (HHS). The timing of the report to the Secretary of HHS varies depending on the number of patients affected by the breach. If a breach affects 500 or more individuals, the covered entity must notify the Secretary without unreasonable delay and in no case later than 60 days following the breach. If the breach affects fewer than 500 individuals, the covered entity may notify the Secretary of the breach on an annual basis. The covered entity must report a breach affecting fewer than 500 individuals no later than 60 days after the end of the calendar year in which the breach occurred.

A covered entity may also be required to notify the media when a breach of unsecured information occurs. Every breach affecting 500 or more individuals must be reported to the media by the covered entity.

Reporting the breach of unsecured protected health information is an expensive and time-consuming process. Preventing a breach of unsecured protected health information is always the best solution. Covered entities need to encrypt their electronic records and carefully safeguard their paper records.

Michael L. Smith, R.R.T., J.D., is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in Advance for Respiratory Care and Sleep Medicine.