10 Things to Include in Your HIPAA Breach Notification Policy

Earlier this month we told you about a $475,000 settlement one provider reached in a HIPAA breach notification case. Privacy lapses can occur despite your best efforts to prevent them. If prevention does fail, the imperative switches to incident response and damage control. One of the key response challenges is furnishing timely notification under the HIPAA Breach Notification Rule. Here is how to implement a breach notification policy enabling you to meet that challenge.

What the Notification Rule Requires

The Notification Rule requires providers to notify affected parties of breaches that compromise the privacy of protected health information. And you must act fast. Notification must be provided “without unreasonable delay” and no later than 60 days after discovering the breach.

Breach notification has become a compliance imperative. The recent $475,000 settlement with Illinois health system Presence Health sends a clear signal that the HHS Office for Civil Rights (OCR) is dead serious about enforcing the 60-day deadline.

The Importance of a Breach Notification Policy

Breach notification is not something you can do on the spur of the moment. You must plan ahead and implement a policy enabling you to do three things:

  • Investigate incidents in which PHI is or may have been compromised;
  • Determine whether the incident constitutes a HIPAA breach for which notification is required; and
  • If so, process and transmit the appropriate notifications.

The 10 Things to Include in Your Breach Notification Policy

Although breach notification policies cannot be one-size-fits-all, there are 10 things they should include.

  1. Policy Statement
  2. Explanation of Purpose
  3. Incident Investigation & Breach Determination
  4. Determination of Whether PHI Was “Secured”
  5. Determine If an Exception Applies
  6. Conduct a Risk Assessment
  7. Require Patient Notification
  8. Require HHS Notification
  9. Require Media Notification
  10. List Required Content of Notification

For further explanation of each of these elements and model language you can adapt for your own policy, see “Compliance Perspectives: How to Create a HIPAA Breach Notification Policy,” G2 Compliance Advisor, January 2017, pages 5-9.
