If your healthcare organization experienced a HIPAA breach, one of the mandatory responses includes a HIPAA Breach Notification Letter to notify the individuals affected by the breach.
HIPAA Breach Notification Rule – your responsibilities
The HIPAA Breach Notification Rule mandates that if the security or privacy of protected health information (PHI) has been compromised, a specific process must be followed for the notification of affected individuals and regulatory entities. Even if your organization has not had a data breach, it’s important to familiarize yourself with the law and its related HIPAA Breach Disclosure Requirements.
The following are essential steps to be taken …
- Discovery of Breach: A breach is considered discovered as of the first day on which it is known or should reasonably have been known. This is important because there are looming deadlines for reporting that are tied to the date of discovery of the breach.
- Notification to Individuals: Providing notice (the “breach notification letter”) to affected individuals within 60 days of discovering the breach.
- Notification to the Secretary of HHS: Reporting to the Secretary of the U.S. Department of Health and Human Services (HHS), depending on the size of the breach, either within 60 days of discovery if 500 or more individuals were involved in the breach, or within 60 days after the end of the calendar year in which the breach occurred for smaller breaches.
- Notification to the Media: For breaches affecting 500 or more individuals, prominent media outlets must be notified within 60 days of discovery.
- Notification by a Business Associate: If the breach is at or by a Business Associate, they must notify the Covered Entity no later than 60 days after discovering the breach.
Every covered entity should develop a response plan in advance of an actual breach. Having a response plan at the ready will enable an organization to act fast if a breach is discovered. Failure to comply with the requirements can result in stiff financial penalties.
Be Careful and Deliberate when Preparing the Response Letter
Blunders during the notification process happen all too often. There have been several examples of organizations that experienced a HIPAA breach and then added to the “injury” through serious errors in the notification process itself.
Alive Hospice in Tennessee had a mishap in which breach notification letters were mailed bearing incorrect names. In 2017, Aetna settled a claim for $17 million after disclosing patients’ HIV status through a clear window envelope. Ironically, those letters had been sent to notify patients of another security breach.
Organizations, especially smaller ones, do not usually have a dedicated employee to handle HIPAA issues. Thus, checks and balances are critical to ensuring all the HIPAA requirements are being followed.
Components of a HIPAA Breach Notification Letter
The actual drafting of a Notification Letter is a crucial step in responding to a breach of PHI. It serves as not only a legal requirement but as an important opportunity to maintain trust and transparency with those affected. Therefore, including specific components in the letter is essential for both compliance and effective communication.
The table below contains the key components that should be part of any HIPAA Breach Notification Letter.

| Component | What to include |
|---|---|
| Description of the breach | This can be brief, but you need to include when and how it was discovered and how the data was compromised. |
| Type of Protected Health Information (PHI) | Explain what PHI was compromised. This may include the patient’s name, home address, phone number, date of birth, Social Security number, account number, etc. |
| Next steps | What steps do the individuals need to take to protect themselves? Offer a monitoring service or other assistance. |
| Correcting damage | Describe the steps you will take to avoid further breaches and how you are mitigating the losses for your patients. |
| Order a credit report | Encourage patients to order copies of their credit reports and check them carefully. Free reports can be ordered from the three national credit bureaus. |
| Monitor credit | Patients should continue to monitor their credit even after placing a fraud alert on their accounts. |
| Fraud alert | Encourage your patients to place a fraud alert with the three national credit bureaus. |
| Helpline | Give patients a way to ask questions and raise concerns. Provide contact information or include a toll-free number. |
| Apologize and accept responsibility | It’s not required, but it’s good practice to accept responsibility and let the affected individuals know that you are sorry. |
| Keep the language simple | You want your letter to be easily understood by everyone reading it. Aim for a sixth-grade or lower reading level. |
Delivery of the Breach Notification Letter
The Breach Notification Rule provides guidelines on the delivery of the notification letter. The following are acceptable options depending on the circumstances.
- First Class Mail: The notice should be sent to each individual’s last known address via first class mail. If it is known that the individual is deceased, then it should be sent to either the next of kin or a personal representative if an address is known.
- Email: If there is a valid record of the individual having agreed to receive notifications electronically, such as by email, then this is allowed.
- Substitute Notice: If there is insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide notice through an alternative method, such as by telephone or an alternative form of written notice. If there is insufficient or out-of-date contact information for 10 or more individuals, the covered entity must publish a conspicuous posting on its website’s home page, or a notice in major print or broadcast media in the area where the affected individuals likely reside. In such cases, a toll-free phone number must be provided and remain active for at least 90 days.
Perspective on the Breach Notification Process
When drafting a Breach Notification Letter and delivering it to the affected individuals, be sure to cover all the requirements at each step of the way without opening yourself up to further liability. This is “the real world”, and in the real world mishaps do occur: laptops are lost, and online data is hacked. A covered entity therefore needs to have a response plan ready before a data breach occurs.
During this process the covered entity needs to focus on being organized and diligent, and on following all the proper steps. After all, it is not only a matter of legal compliance with HIPAA; doing it well can also bring significant benefits for the trust, reputation, financial health, and operational effectiveness of the organization.