
How to Create a HIPAA Breach Notification Policy

Jan 26, 2017 | Lab Compliance Advisor: Compliance Guidance, Compliance Perspectives, HIPAA


Privacy lapses can occur despite your best efforts to prevent them. If prevention does fail, the imperative switches to incident response and damage control. One of the key response challenges is furnishing timely notification under the HIPAA Breach Notification Rule. Here is how to implement a breach notification policy enabling you to meet that challenge.

What the Notification Rule Requires
The Notification Rule, which took effect nearly four years ago, requires covered entities (including labs) and their business associates to notify affected parties of breaches that compromise the privacy or security of unsecured protected health information (PHI). And you must act fast. Notification must be provided "without unreasonable delay" and in no case later than 60 calendar days after the breach is discovered.

Breach notification has become a compliance imperative. The recent $475,000 settlement with Illinois health system Presence Health (see related article on page 1) sends a clear signal that the HHS Office for Civil Rights (OCR) is dead serious about enforcing the 60-day deadline.

The Importance of a Breach Notification Policy
Breach notification is not something you can do on the spur of the moment. You must plan ahead and implement a policy enabling you to do three things:

  • Investigate incidents in which PHI is or may have been compromised;
  • Determine whether the incident constitutes a HIPAA breach for which notification is required; and
  • If so, process and transmit the appropriate notifications.

The 10 Things to Include in Your Breach Notification Policy
Although breach notification policies cannot be one-size-fits-all, there are 10 things they should include.

1. Policy Statement
Start with a broad statement expressing your lab's commitment to privacy and HIPAA compliance.

MODEL LANGUAGE

Policy: Fictional Laboratories (Labs) is committed to protecting the privacy and security of Protected Health Information (PHI) with which it is entrusted in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), including but not limited to the HIPAA Breach Notification Rule, as well as state privacy laws, other applicable laws and regulations and Labs' own internal HIPAA privacy and security policies.

2. Explanation of Purpose
Explain that the purpose of the policy is to ensure appropriate and timely breach response and notification.

MODEL LANGUAGE

Purpose: The purpose of this policy is to establish rules and procedures for responding to data incidents that compromise or have the potential to compromise the privacy of PHI and which may constitute "breaches" requiring written notification under the Breach Notification Rule.

3. Incident Investigation & Breach Determination
Moving from principle to action, require designated personnel, e.g., a privacy officer or incident response team, to investigate incidents involving the actual or potential compromising of PHI to determine whether they constitute "breaches" for which notification must be provided. Explain what a "breach" is and list a few illustrative examples so that investigators know what incidents to investigate and how to determine if they are notifiable breaches.

MODEL LANGUAGE

Incident Investigation & Breach Determination: Any incident in which the privacy or security of PHI is or may have been compromised must be investigated to determine whether it constitutes a "breach" requiring notification under the Breach Notification Rule. For purposes of this policy, "breach" means the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the privacy or security of the PHI. Examples of incidents that must be investigated for potential breach notification purposes include where:

  • An unauthorized person has or may have gained access to PHI, e.g., by accessing Labs' patient databases;
  • PHI has or may have been used or disclosed for an unauthorized purpose;
  • A business associate to which Labs entrusts PHI has or may have had a security incident;
  • Media or records containing PHI (laptops, portable drives, backup tapes, paper files) are lost or missing.

Also tell investigators what information to collect so they can determine whether the incident constitutes a breach, including:

  • The data involved;
  • How the information was accessed, used or disclosed;
  • Whether the access, use or disclosure was authorized by your lab's HIPAA policies;
  • The incident date(s);
  • The date the incident was discovered;
  • The number of individual patients whose PHI was or may have been compromised.

4. Determination of Whether PHI Was "Secured"
Require investigators to determine whether the compromised data was secured or unsecured, and explain how. Explanation: The Breach Notification Rule applies only to unsecured PHI. If the data was properly secured in accordance with HHS guidance, the incident is not a notifiable breach and no notification is required under HIPAA.

MODEL LANGUAGE

Determine If Compromised Data Was Properly Secured: Assess whether the PHI compromised or potentially compromised in the incident was properly secured in accordance with HIPAA. For purposes of making this determination:

  • Data is unsecured if it has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through a technology or methodology specified by the Secretary of the Department of Health and Human Services (HHS). Under current HHS guidance, that means encryption consistent with the referenced NIST standards (e.g., NIST SP 800-111 for data at rest, FIPS 140-2 validated cryptography for data in transit) or destruction of the media such that the PHI cannot be reconstructed.
  • Electronic data is secured only if both of the following are true:
  1. The data is properly encrypted according to HHS guidance; and
  2. The individual or entity with improper access to the information does not have, and could not have obtained, the confidential decryption key or process. A lost laptop whose full-disk encryption key was written on a sticky note in the bag, or whose encryption password was cached in an unlocked session, does not satisfy this test.

If you determine that the data was secured, you may conclude that the incident is not a breach requiring HIPAA notification. You must create a written record documenting your conclusion and the specific facts on which you based it, including the encryption product, its configuration and the evidence that the key was not exposed.

If you determine that the data was unsecured, its unauthorized acquisition, access, use or disclosure may constitute a breach under HIPAA, and you should proceed immediately to the next step (Determine If a Notification Exception Applies).

5. Determine If an Exception Applies
General rule: An impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach. Exception: The Breach Notification Rule (45 CFR 164.402) carves out three kinds of PHI lapses that are not treated as breaches, so no notification is required. Require investigators to determine whether any of these exceptions applies, and explain how.

MODEL LANGUAGE

Determine If a Notification Exception Applies: If you conclude that the compromised data was unsecured, notification is generally required. However, notification is not required if the incident falls within one of the following three exceptions. Here is an explanation of each exception and how to determine whether it applies to the incident under investigation:

  • The unintentional acquisition, access or use of PHI exception applies if ALL of the following are true:
    1. The PHI was acquired, accessed or used by a workforce member or other person acting under the authority of Labs or of a business associate of Labs;
    2. The acquisition, access or use was unintentional and made in good faith;
    3. The person was acting within the scope of his or her authority; and
    4. The acquisition, access or use did not result in a further use or disclosure not permitted under the HIPAA Privacy Rule.
  • The inadvertent internal disclosure of PHI exception applies if ALL of the following are true:
    1. The disclosure was made by an individual who is authorized to access PHI at Labs, at a business associate of Labs, or within an organized health care arrangement in which Labs participates;
    2. The disclosure was made to another individual who is authorized to access PHI at the same entity (Labs, the same business associate, or the same organized health care arrangement); and
    3. The disclosure did not result in a further use or disclosure not permitted under the HIPAA Privacy Rule.
  • The inability to retain exception applies if Labs has a good-faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain it (for example, a misdirected envelope returned unopened by the post office, or a report briefly displayed on a screen and immediately retrieved).

If you determine that an exception applies, you may conclude that the incident is not a breach requiring HIPAA notification. You must create a written record documenting your conclusion and the specific facts on which you based it. If you conclude that no exception applies, proceed immediately to the next step (Risk Assessment to Determine If Breach Occurred).

6. Conduct a Risk Assessment
If the PHI is unsecured and no exception applies, the impermissible acquisition, access, use or disclosure is presumed to be a breach unless a documented risk assessment concludes that there is a low probability that the PHI has been compromised. Make sure your policy requires investigators to conduct, and retain a written record of, that risk assessment; the burden of proof that notification was not required rests with your lab.

MODEL LANGUAGE

Risk Assessment to Determine If Breach Occurred: If the PHI was unsecured and no exception applies, the impermissible acquisition, access, use or disclosure is presumed to constitute a breach requiring notification unless a risk assessment concludes that there is a low probability that the PHI has been compromised. Accordingly, the final stage in breach determination is to conduct and document a risk assessment of the probability that the PHI has been compromised, considering at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers, the sensitivity of the clinical information (e.g., test results) and the likelihood of re-identification;
  • The unauthorized person(s) who used the PHI or to whom it was disclosed, including whether the recipient is itself a covered entity or business associate with a legal obligation to keep the PHI confidential;
  • Whether the PHI was actually acquired or viewed, or whether the opportunity to do so merely existed (e.g., forensic analysis shows a stolen device was wiped before it could be accessed); and
  • The extent to which the risk to the PHI has been mitigated, e.g., by obtaining satisfactory written assurances from the recipient that the PHI has been returned or destroyed and not further used or disclosed.

7. Require Patient Notification
Having determined that a HIPAA breach has occurred, you must provide appropriate notification within the 60-day deadline. Make sure your policy provides for such notification, starting with the individual patients whose PHI was or may have been compromised as a result of the breach. The Model Language below incorporates the basic requirements for patient notification. In a future issue of G2 Compliance Advisor, we'll provide a model letter you can use to notify patients.

Pointer: The notification deadline starts running on the first day the incident is known to your lab, or would have been known had you exercised reasonable diligence, not on the date your investigation concludes that the incident constitutes a reportable breach. Knowledge of any workforce member or agent (other than the person who caused the breach) is attributed to the lab, so a help-desk ticket or a business associate's email reporting a lost device starts the clock even if the privacy officer does not see it for weeks.

MODEL LANGUAGE

Patient Notification: Upon completion of an investigation in which a breach is determined to have occurred, without unreasonable delay and in no case later than 60 days from the date the incident prompting the investigation was discovered, Labs will provide written notification to patients whose PHI was or may have been involved in the breach.

  1. Notification will be provided to the patient, or where the patient is:
    a. Deceased, the next of kin or personal representative, if the address of either is known;
    b. Incapacitated, the personal representative;
    c. A minor, the parent or guardian.
  2. Notification will be sent by first-class mail to the last known address of the patient or next of kin, unless the patient has agreed to receive notice by email and has not withdrawn that agreement.
  3. If Labs' contact information for a patient is insufficient or out-of-date, substitute notification will be provided by a method that depends on the number of such individuals:
    a. Fewer than 10: an alternative form of written notice, a telephone call or other means reasonably calculated to reach the individual;
    b. 10 or more, either:
      • A conspicuous posting on the home page of Labs' website for 90 days, including a toll-free number, active for at least 90 days, that individuals can call to learn whether their PHI may have been involved in the breach; or
      • A conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside, including the same toll-free number.
  4. Notification will be written in plain language, at a reading level the recipient can understand without external materials or assistance.

8. Require HHS Notification
You must also notify OCR of breaches. Unlike the patient notice, which is always due within 60 days of discovery, the deadline for the OCR notice depends on the number of individuals affected.

MODEL LANGUAGE

HHS Notification: Labs will notify the HHS Office for Civil Rights (OCR) using the electronic breach report form available on the HHS website.

  1. Where the breach involves 500 or more individuals, Labs will furnish the OCR notice upon completion of the investigation and no later than 60 days from the date of discovery of the incident prompting it, i.e., on the same timeline as the patient notice;
  2. Where the breach involves fewer than 500 individuals, Labs will log the breach and furnish the OCR notice no later than 60 days after the end of the calendar year in which the breach was discovered, as part of an annual report disclosing all such breaches discovered during that calendar year. Labs may, at its option, report such breaches to OCR sooner.

9. Require Media Notification
Breaches of unsecured PHI involving more than 500 residents of a single state or jurisdiction must also be reported to "prominent media outlets" serving that state or jurisdiction, without unreasonable delay and within the same 60-day deadline, typically in the form of a press release. Note that this threshold is counted per state or jurisdiction, whereas the immediate OCR notice threshold (500 or more) is counted across all affected individuals; a breach spread across several states can require immediate OCR notice without triggering media notice in any of them.
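The sections above describe a fixed sequence of determinations (secured?, exception?, risk assessment) followed by deadlines that all run from the discovery date. Incident response teams frequently encode this sequence in a runbook or ticketing workflow so that the 60-day clock is computed the same way every time. The following is an added example written for this article, not part of the original page or any lab's actual policy. All field names, the three sample incidents and the dates in them are constructed for illustration; the deadline arithmetic follows the rule text quoted above (60 calendar days from discovery, and 60 days after year-end for the under-500 annual report to HHS). It is a planning aid, not legal advice, and it does not cover state breach laws, which may impose shorter deadlines.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The three exceptions to the definition of "breach" in 45 CFR 164.402.
EXCEPTIONS = {
    "unintentional_workforce_access",   # good faith, within scope, no further use
    "inadvertent_internal_disclosure",  # authorized person to authorized person, same entity
    "recipient_could_not_retain",       # good-faith belief the recipient could not retain it
}

OUTER_LIMIT = timedelta(days=60)   # "no later than 60 calendar days"


@dataclass
class Incident:
    """Facts the investigator records for one incident (hypothetical field names)."""
    discovered: date                    # first day known, or knowable with reasonable diligence
    individuals: int                    # patients whose PHI was or may have been involved
    residents_by_state: Dict[str, int]  # affected residents per state, for the media test
    encrypted_per_hhs: bool = False     # encryption meets the HHS/NIST guidance
    key_exposed: bool = True            # unauthorized party has, or may have, the key/process
    exception: Optional[str] = None     # one of EXCEPTIONS, or None
    low_probability: bool = False       # conclusion of the documented four-factor risk assessment


def is_secured(inc: Incident) -> bool:
    """PHI is secured only if properly encrypted AND the key/process was not exposed."""
    return inc.encrypted_per_hhs and not inc.key_exposed


def breach_determination(inc: Incident) -> Tuple[bool, str]:
    """Apply the determination steps in policy order; return (notifiable, reason)."""
    if inc.exception is not None and inc.exception not in EXCEPTIONS:
        raise ValueError(f"unknown exception: {inc.exception}")
    if is_secured(inc):
        return False, "PHI was secured (encrypted, key not exposed); not a breach"
    if inc.exception:
        return False, f"regulatory exception applies: {inc.exception}"
    if inc.low_probability:
        return False, "risk assessment found low probability of compromise"
    return True, "unsecured PHI, no exception, compromise presumed"


def notification_plan(inc: Incident) -> dict:
    """Outer deadline for each required notice, every one keyed to the discovery date."""
    notifiable, reason = breach_determination(inc)
    plan = {"notifiable": notifiable, "reason": reason}
    if not notifiable:
        return plan                      # document the conclusion; no notices due
    plan["individual_notice_by"] = inc.discovered + OUTER_LIMIT
    if inc.individuals >= 500:           # immediate OCR notice, same clock as patients
        plan["hhs_notice_by"] = inc.discovered + OUTER_LIMIT
    else:                                # annual log: 60 days after end of discovery year
        plan["hhs_notice_by"] = date(inc.discovered.year, 12, 31) + OUTER_LIMIT
    # Media notice is counted per state: more than 500 residents of one state.
    states: List[str] = sorted(s for s, n in inc.residents_by_state.items() if n > 500)
    plan["media_notice_states"] = states
    plan["media_notice_by"] = inc.discovered + OUTER_LIMIT if states else None
    return plan


# Constructed sample incidents (not real events).
SAMPLE_LOST_LAPTOP = Incident(date(2017, 3, 15), 660, {"IL": 620, "IN": 40})
SAMPLE_ENCRYPTED_LAPTOP = Incident(date(2017, 3, 15), 660, {"IL": 620, "IN": 40},
                                   encrypted_per_hhs=True, key_exposed=False)
SAMPLE_MISDIRECTED_FAX = Incident(date(2017, 3, 15), 12, {"IL": 12})

if __name__ == "__main__":
    for name, inc in [("lost laptop", SAMPLE_LOST_LAPTOP),
                      ("encrypted laptop", SAMPLE_ENCRYPTED_LAPTOP),
                      ("misdirected fax", SAMPLE_MISDIRECTED_FAX)]:
        print(name, notification_plan(inc))
```

Two design points matter in practice. First, `key_exposed` defaults to `True`, so an investigator must affirmatively record evidence that the key was not exposed before encryption takes the incident out of scope; the burden of proof sits with the lab. Second, every deadline is derived from `discovered`, never from the date the investigation finished, which is the point of the Pointer above.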

10. List Required Content of Notification
The content requirements for the patient notice also govern the media notice, and the OCR breach report form asks for the same information in its own format, so list the required content once at the end of your notification policy and refer to it from each notice.

MODEL LANGUAGE

What Information Breach Notification Must List: Regardless of delivery method and intended recipient, notification of HIPAA breaches will list, at a minimum, the following information:

  • A brief description of what happened;
  • The date of the breach, if known;
  • The date the breach was discovered, if known;
  • The types of unsecured PHI that the breach involved (e.g., name, date of birth, Social Security number, test results, insurance information);
  • Steps affected individuals should take to protect themselves from potential harm resulting from the breach;
  • What Labs is doing to investigate the breach, mitigate harm to individuals and protect against further breaches;
  • Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, a website or a postal address.

Takeaway: While prevention is the primary objective, HIPAA also requires you to take action to mitigate data breaches you fail to prevent, which may include providing notification of the breach. When incidents occur, you must figure out what went wrong, which medical records were involved and, above all, whether the incident constitutes a breach for which breach notification is required. If so, you must prepare and deliver all of the required notifications. And you must do all of these things within 60 days!

The key to compliance: Implementing a breach notification policy at your lab.
