Define and Act on a Privacy or Security Breach
By Julie E. Chicoine, Esq., RN, CPC
New federal rules add responsibilities and accountability for those who allow a breach of privacy or security. Knowing these rules and concepts before patients’ information is released may ease a provider’s recovery from the crisis.
The Office of Civil Rights generally defines a breach as an impermissible use or disclosure under the Health Insurance Portability and Accountability Act (HIPAA) that compromises the security and privacy of personal health information (PHI) such that the subsequent use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual (see Breach Notification Rule). This definition has not changed; however, the Health Information Technology for Economic and Clinical Health (HITECH) Act adds the notion of willful neglect, defined as willfully disregarding knowledge of a privacy and security violation.
The HIPAA privacy rule imposed general requirements including investigation, mitigation, correction, and notification of privacy breaches under certain circumstances. HITECH amends those requirements to include three levels of reporting for a breach that qualifies as a “wrongful use/disclosure” of PHI.
- Providers must send an individual notice to the affected patient(s) within 60 days following the discovery of an unsecured PHI breach. This notice must be in writing, sent by first-class mail, or via email when the affected patient has agreed to receive notices electronically.
- If the breach involves more than 500 patients, providers must take the additional step of notifying prominent media outlets serving the state or jurisdiction where the breach occurred. This notice can take the form of a press release. As with individual notice, it must be completed within 60 days of discovery of the privacy breach and must include the same information provided in the individual notice.
- Providers must notify the secretary of the U.S. Department of Health & Human Services (HHS) of unsecured PHI breaches by submitting a breach report form (available on the HHS website). If the breach affects more than 500 patients, the practice must complete this task “without unreasonable delay,” but no later than 60 days following discovery. If the breach affects fewer than 500 patients, the practice can notify the secretary of the breach on an annual basis. Annual reports must be received no later than 60 days from the end of the calendar year when the breach(es) occurred.