Companies in the healthcare industry are attractive targets for cybercrime. That’s why the US Department of Health and Human Services (HHS) developed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to define and safeguard protected health information (PHI). Initially, HIPAA focused on the privacy and security of PHI to curb the number of cyberattacks. But with the passing of the HITECH Act, HHS built on the original framework to specify what companies should do when a HIPAA breach does happen.
Deep Dive into the HIPAA Breach Notification Rule
There will never be a guarantee that data is entirely safe from hacking and other cybersecurity threats. Even the best-protected companies occasionally fall victim to an accidental or targeted breach of information. HIPAA requires companies to plan for every contingency if a security breach does happen, including notifying all impacted parties. How companies must notify the impacted parties is detailed in the Breach Notification Rule.
The sections below are structured around three essential Breach Notification Rule questions:
- What is the Breach Notification Rule, how does it work, and what does it require?
- How does breach notification relate to the other HIPAA rules and requirements?
- Who exactly needs to maintain HIPAA compliance, and how can they do it?
Across the answers to these questions, we’ll break down everything you need to know about the Breach Notification Rule. But first, let’s take a look at some historical context.
Timeline of HIPAA and HITECH Developments
The primary goals of the HIPAA framework have remained the same since its inception. However, breach reporting was not part of the original document, so it is worth understanding how and why it came to be added.
According to HHS’s synopsis of HIPAA for professionals, the most critical developments over time have been the following:
- Publication of the first final edition of the HIPAA Privacy Rule, in 2000
- Publication of the first final edition of the HIPAA Security Rule, in 2003
- Publication of the HIPAA Interim Final Rule, including HITECH, in 2009
- Publication of the HIPAA Omnibus Final Rule (still current), in 2013
Impacts of the HITECH Act implementation on HIPAA included profound changes to enforcement, such as more significant penalties for noncompliance, as well as a more targeted focus on digital forms of PHI. The single most significant impact was the addition of an entirely new rule: the Breach Notification Rule.
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule builds on existing HIPAA controls by adding another transparency layer for all stakeholders. Rather than expanding the scope of protection, the Breach Notification Rule requires companies to notify all impacted parties in the event of a data breach. Below, we’ll dive into these reporting requirements. First, let’s define what a breach is.
HIPAA defines a data breach as any use or disclosure of PHI prohibited by the Privacy Rule (detailed below). However, there are two categories of exceptions that can apply. The first exception applies when a risk assessment demonstrates a low probability that the PHI has been compromised. To determine this probability, companies must perform a risk assessment across four critical factors:
- The nature, amount, and extent of the PHI involved in the event, including the types of identifiers it contains
- The identity and characteristics of the person(s) to whom the PHI was improperly disclosed
- Whether the improperly disclosed PHI was actually viewed, used, or acquired
- The efficacy of efforts made to mitigate and contain the risk arising from the improper disclosure
The second category comprises three exceptions to the definition of a data breach:
- Unintentional access by a workforce member of the covered entity, provided the access was made in good faith and within the scope of their authority
- Inadvertent disclosure by an authorized user to another authorized person, limited to the scope of the initial accident
- Disclosure to a party who, it can reasonably be assumed, will not be able to retain the information
Unless one or more of these criteria is met, use or disclosure of PHI outside the Privacy Rule will require notification to the PHI subject and other stakeholders.
Breakdown of Breach Reporting Requirements
The Breach Notification Rule defines what constitutes a breach and the appropriate response. According to the HHS, these requirements include the following:
- Individual notice – Covered entities must notify all individuals impacted by a data breach without unreasonable delay, and in all cases within 60 days of the breach’s discovery:
  - The notice must be sent by first-class mail; for individuals who have opted out of paper correspondence, an email notification may be permitted.
  - If there is insufficient contact information for ten or more individuals, the covered entity must post a substitute notice on its home page for at least 90 days after the breach.
  - The covered entity must include a toll-free number that impacted individuals can call for at least 90 days after the breach to obtain more information about it.
- Secretary notice – Covered entities must notify the Secretary of HHS by filling out an official form; the reporting timeline depends on the size of the breach:
  - For breaches impacting fewer than 500 people, covered entities must notify the Secretary annually, with reports due 60 days after the end of the calendar year in which the breach was discovered.
  - For breaches impacting 500 or more people, covered entities must notify the Secretary without unreasonable delay, and in all cases within 60 days of the breach’s discovery.
- Media notice – Covered entities must notify prominent media outlets (such as through a press release) for breaches impacting 500 or more individuals within a given state or jurisdiction.
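The notice requirements above reduce to a small decision procedure keyed on three facts: how many individuals were affected, how many of them cannot be reached, and how many sit in a single location. The following Python is an added example for this article, not code from RSI Security or from HHS; it encodes the thresholds and deadlines as the page states them. The record layout (`Breach`, `Obligation`), the field names, and the choice to compute deadlines from the discovery date are assumptions; so is attaching the toll-free number to the substitute-notice branch, and treating the 60-day figure as the outer bound of “without unreasonable delay”.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds and deadlines as summarised in the article (constants for this example).
NOTICE_DAYS = 60            # outer bound: notify at most 60 days after discovery
LARGE_BREACH = 500          # 500 or more individuals: prompt Secretary notice; media notice if in one location
SUBSTITUTE_THRESHOLD = 10   # 10 or more individuals with insufficient contact info: substitute notice
SUBSTITUTE_DAYS = 90        # home-page posting and toll-free number kept up for at least 90 days


@dataclass(frozen=True)
class Breach:
    """Facts about an incident that the Breach Notification Rule keys on (hypothetical record layout)."""
    discovered_on: date
    affected: int                                   # individuals whose PHI was compromised
    unreachable: int = 0                            # affected individuals with insufficient contact information
    largest_single_location: Optional[int] = None   # most affected individuals in any one state/jurisdiction


@dataclass(frozen=True)
class Obligation:
    kind: str      # individual | substitute | secretary_prompt | secretary_annual | media
    due_by: date   # latest date by which the notice must go out
    detail: str


def annual_log_deadline(discovered_on: date) -> date:
    """Breaches under 500: logged to the Secretary annually, due 60 days after the calendar year ends."""
    return date(discovered_on.year, 12, 31) + timedelta(days=NOTICE_DAYS)


def required_notices(b: Breach) -> List[Obligation]:
    """Return every notice the rule requires for this breach, each with its deadline."""
    if b.affected < 0 or not 0 <= b.unreachable <= b.affected:
        raise ValueError("unreachable must be between 0 and affected")
    in_one_location = b.affected if b.largest_single_location is None else b.largest_single_location
    if not 0 <= in_one_location <= b.affected:
        raise ValueError("largest_single_location must be between 0 and affected")

    prompt = b.discovered_on + timedelta(days=NOTICE_DAYS)
    notices = [Obligation("individual", prompt,
                          "first-class mail; email only for individuals who opted out of paper")]

    # Substitute notice when ten or more people cannot be reached: home-page posting plus a
    # toll-free number, both kept up for at least 90 days (assumption: the toll-free line belongs here).
    if b.unreachable >= SUBSTITUTE_THRESHOLD:
        keep_until = b.discovered_on + timedelta(days=SUBSTITUTE_DAYS)
        notices.append(Obligation("substitute", prompt,
                                  f"home-page notice and toll-free number, kept up at least until {keep_until}"))

    # Secretary of HHS: prompt report at 500 or more, otherwise the annual log.
    if b.affected >= LARGE_BREACH:
        notices.append(Obligation("secretary_prompt", prompt, "file the HHS breach report form"))
    else:
        notices.append(Obligation("secretary_annual", annual_log_deadline(b.discovered_on),
                                  "include in the annual report of breaches affecting fewer than 500"))

    # Media notice only when 500 or more individuals are in one state or jurisdiction.
    if in_one_location >= LARGE_BREACH:
        notices.append(Obligation("media", prompt, "notify prominent media outlets, e.g. via press release"))
    return notices


def overdue(b: Breach, today: date) -> List[Obligation]:
    """Obligations whose deadline has already passed as of `today`, for a compliance dashboard or alert."""
    return [o for o in required_notices(b) if o.due_by < today]


def notice_summary(discovered_iso: str, affected: int, unreachable: int = 0,
                   largest_single_location: Optional[int] = None) -> List[Tuple[str, str]]:
    """Convenience wrapper: (kind, due date as ISO string) pairs, handy for tests and ticketing hooks."""
    b = Breach(date.fromisoformat(discovered_iso), affected, unreachable, largest_single_location)
    return [(o.kind, o.due_by.isoformat()) for o in required_notices(b)]


if __name__ == "__main__":
    # Constructed sample: 120 affected, 12 unreachable, discovered 1 March 2022.
    for o in required_notices(Breach(date(2022, 3, 1), affected=120, unreachable=12)):
        print(f"{o.kind:16} due {o.due_by}  {o.detail}")
```

The function raises rather than guessing when the counts are inconsistent, because a silently wrong obligation list is worse than no list at all; feeding `overdue` with today’s date gives a simple check that an incident tracker can run daily.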
In sum, the Breach Notification Rule works in conjunction with the Privacy and Security Rules, adding an extra layer of responsibilities for companies that fail to uphold them. To fully grasp the scope of Breach Notification, it’s essential to understand the other HIPAA rules.
How Does Breach Notification Relate to Other Rules?
The Breach Notification Rule first debuted in the Interim Rule and was then finalized in the HIPAA Omnibus Final Rule. The rule exists to extend beyond protection into transparency. It accounts for situations where a company still falls victim to a hack or other cyber attack, even when the other rules are followed perfectly. It exists independently of the other rules while maintaining some connection via basic definitions — the Privacy Rule defines a breach, for instance.
The following subsections take a close look at exactly how each HIPAA Rule relates to Breach Notification (sourced from the HIPAA Administrative Simplification). The most direct connection is to the Privacy Rule, but understanding the Security and Enforcement Rules is also critical to fully implement Breach Notification and the entire HIPAA framework.
Privacy Rule: Authorized Uses and Disclosures
The HIPAA Privacy Rule was the first HIPAA rule. Initially, it established PHI as a protected category and defined the basic parameters of its protection. Breach Notification directly relates to the Privacy Rule’s definitions of permitted use, per HHS’s synopsis of the Privacy Rule:
- Basic principle of privacy – Covered entities must not use or disclose PHI unless:
  - The subject (or a representative) authorizes the use or disclosure in writing.
  - The use or disclosure of PHI meets one or more permitted use criteria.
- Required uses and disclosures – Covered entities must disclose PHI:
  - To the subject of the PHI or their representative(s), upon request
  - To HHS when it is conducting a compliance investigation, review, or enforcement action
- Permitted uses and disclosures – Covered entities may use or disclose PHI:
  - For treatment, payment, and healthcare operations
  - If the subject is given a reasonable opportunity to agree or object
  - If the use is incidental to other permitted or required disclosures
  - For a public benefit project or in the public interest
  - For approved research, using a limited data set
- Minimum necessary disclosure – Covered entities must limit all authorized uses and disclosures to the minimum necessary to accomplish the intended purpose, except for required uses and disclosures.
Any use or disclosure that falls outside the scope of permitted or required uses may constitute a data breach. As such, HIPAA breach examples also include disclosures and uses that would otherwise be allowed but fail the minimum necessary requirement.
Security Rule: Confidentiality, Integrity, Availability
The HIPAA Security Rule builds on the Privacy Rule’s protections, extending them out to meet the specific challenges of electronic PHI (ePHI). It relates to Breach Notification indirectly. Per HHS’s synopsis of the Security Rule, its main elements are:
- General security rules – Covered entities must:
  - Ensure the confidentiality, integrity, and availability of ePHI
  - Identify and protect against anticipated threats to ePHI
  - Safeguard against anticipated improper uses and disclosures
  - Ensure Privacy and Security compliance across the workforce
- Risk analysis and management – Covered entities must:
  - Evaluate the likelihood and potential impact(s) of risks to ePHI
  - Employ security measures to protect against identified risks
  - Document the chosen measures and the rationale for their selection
  - Maintain continuous protections (before, during, and after attacks)
- Administrative safeguards – Covered entities must:
  - Manage security processes and security personnel
  - Manage identity, access, and authentication protocols
  - Manage workforce cybersecurity awareness training
  - Assess and correct security procedures regularly
- Physical safeguards – Covered entities must:
  - Restrict and control access to sensitive facilities and areas
  - Restrict and control access to sensitive workstations and devices
- Technical safeguards – Covered entities must:
  - Control access to ePHI (especially remote access)
  - Audit regularly and adhere to defined audit logging protocols
  - Ensure the integrity of ePHI during maintenance and alteration
  - Restrict all access to ePHI via unsecured public networks
To the extent that these safeguards and requirements expand upon the scope of the Privacy Rule’s specific controls, they are also an extension of the Breach Notification Rule. Failing to meet Security Rule requirements is likely to result in a data breach, requiring notification.
Enforcement Rule: Penalties for Non-Compliance
The HIPAA Enforcement Rule exists to define the stakes of compliance, which were raised significantly through HITECH. Noncompliance, including failure to meet Breach Notification Rule specifications, can result in the following tiers of civil money penalties:
- Individual fines of $100 to $50,000 per (good faith) “did not know” violation
- Individual fines of $1,000 to $50,000 per violation with “reasonable cause”
- Individual fines of $10,000 to $50,000 per violation of “willful neglect, with correction”
- Individual fines of a flat $50,000 per violation of “willful neglect, without correction”
- Cumulative fines totaling no more than $1,500,000 annually for violations of an identical provision
Criminal charges may accompany these penalties. Enforcement involves a collaboration between HHS’s Office for Civil Rights (OCR) and the US Department of Justice (DOJ). If either party’s investigation suggests that a covered entity has violated HIPAA, the resolution involves a combination of penalties and corrective measures.
Who Needs to Comply with HIPAA and How?
In the sections above, we’ve made several references to “covered entities.” These are the specific parties to whom HIPAA enforcement applies. They are responsible for implementing Breach Notification, Privacy, and Security safeguards. There are three main categories:
- Healthcare providers – Including most private practices (doctors, psychologists, dentists), group facilities (hospitals, clinics), and select merchants (pharmacies)
- Health insurance plans – Including health insurance companies, company- and government-provided health insurance, and health maintenance organizations (HMOs)
- Healthcare clearinghouses – Including service providers and other entities that process and translate PHI from nonstandard to standard formats (or vice versa)
The HITECH Act significantly increased the scope of compliance by making these entities’ business associates directly responsible for compliance. Business associate contracts need to ensure that third-party service providers are responsible for reporting breaches that affect the PHI they handle on behalf of their covered-entity clients.
How HIPAA Compliance Advisory Services Can Help
HIPAA casts a wide net out of necessity. PHI is no longer confined to physical file cabinets in medical facilities; even companies outside of the industry process PHI due to the interconnectivity of modern IT.
However, many companies looking to expand their horizons and take on lucrative contracts with covered entities may find themselves unprepared for the compliance challenges.
RSI Security offers a suite of robust, scalable HIPAA compliance services to help any company follow the Privacy, Security, and Breach Notification Rules — and avoid the Enforcement Rule altogether. Our team of experts can help you spot a HIPAA breach before it happens, and we’re also happy to help with damage control if it does. Contact RSI Security today to see how simple compliance can be.