Best Practices in Case of HIPAA Security Breach

by Gabriel Kurcab

Even for upstanding medical providers who carefully adopt best practices, security breaches under HIPAA can be landmines. And as electronic data storage and retrieval systems conquer the industry, security breaches are only becoming more common. HIPAA defines a security breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted…which compromises the security or privacy of the protected health information.” Whether a security breach has occurred is a question best posed to your IT folks, or an outside IT consulting firm that specializes in forensic analysis. What to do about a security breach is where legal counsel comes in.

For all security breaches, covered entities under HIPAA will need to notify affected individuals and self-report to the Secretary of Health and Human Services (“HHS”). A covered entity’s obligations differ depending on whether the breach affects fewer than 500 individuals or 500 or more. If the number of individuals affected by the breach is unknown, a covered entity may base its reaction on an estimate, but must revise the estimate as additional information is discovered.

For breaches that affect fewer than 500 individuals, the process of notification and self-reporting is fairly straightforward. The notification process is as follows: affected individuals must be notified “without unreasonable delay,” and in no case later than 60 days following the discovery of the breach. The notification must include (the “Notice Content”): (1) a description of the breach, (2) a description of the type of information involved in the breach, (3) steps affected individuals should take to protect themselves from potential harm, and (4) contact information for the covered entity. Within 60 days of the end of the calendar year in which the breach occurred, the covered entity must notify the Secretary of HHS electronically. Of course, a covered entity is free to notify the Secretary of HHS earlier, but the procedure is set up to make it administratively easier for a covered entity to do all of its self-reporting for the preceding year at once.

For breaches that affect 500 or more individuals, the covered entity (1) must provide the Notice Content to all affected individuals, (2) must provide the Notice Content to prominent media outlets serving the area, and (3) must notify the Secretary of HHS without unreasonable delay, and in no case later than 60 days following the discovery of the breach. Note that the Secretary of HHS posts all such breaches on its website as a form of public notification, and, effectively, shaming.

Although this roadmap provides a general overview of a covered entity’s obligations under HIPAA in the event of a security breach, a growing number of other state and federal laws are implicated in any security breach, so care must be taken to ensure that all obligations are understood and dutifully complied with. As always, if we can answer any questions, or assist with your compliance efforts, please let us know.