Breach Notification Policy for Healthcare Organizations and Business Associates

One of the provisions of the HITECH Act is the notification of individuals affected by a breach of their electronic protected health information. There are certain requirements that must be followed and thresholds that apply to the breach notification regulation.

The organization must comply with this policy to fulfill its obligations under the HIPAA/HITECH Privacy and Security Rules regarding the notification of individuals affected by a privacy and security breach of their protected health information.

The organization must notify the client that owns the records of any individual affected by a breach that may have been caused by the services the organization offers to its clients, if the individual’s protected health information has been compromised. A breach is defined as an unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security of the information.

Who to notify of a suspected breach?

The Security Officer should be notified immediately once a breach has been discovered by any of the organization's workforce members or subcontractors. The Incident Response Team should conduct an investigation into the breach, which may require law enforcement involvement as necessary. In situations involving law enforcement, notification of a breach may be delayed. If law enforcement requests a delay in notification, the request should be made in writing and state the period of time for which the delay should apply. If a request for delay is made orally, the request should be documented and will be valid no longer than thirty (30) days from the initial request unless a written request is submitted during that time.

The organization will assist the client and provide any information the client needs to send written notice to the last known address of the affected individual (or next of kin in cases of a deceased individual) via first class mail within sixty (60) days of a breach. If the individual has requested communication electronically, an e-mail notification may be sent. If the breach involves more than five hundred (500) people in one state or jurisdiction, the organization will assist the client in making a notice to the prominent media outlet serving that state or jurisdiction. In addition, the organization will assist the client in making a notice to the federal Department of Health and Human Services (HHS) immediately. If the breach involves fewer than five hundred (500) individuals, the breach must be logged and reported annually to HHS.

If the breach involves more than ten (10) individuals who do not have current addresses available, the organization will assist the client in making a notice that will be placed on the client’s website or in providing a notice to the major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside.

The organization may assist a client by providing a notice by telephone, in addition to the other required notices, in urgent cases where imminent misuse of the unsecured protected health information is possible.

What is the retention period for breach documentation?

Other applicable state laws may apply for the breach of social security numbers, bank account numbers, or other similar personally identifiable information. Breach documentation must be retained for six (6) years.

Are there exceptions?

An unintentional breach, made in good faith and within the scope of the professional relationship between the organization and any entity maintaining the records and the individuals or entities involved in the incident, is not considered a breach requiring notification. As long as the protected health information is not further acquired, accessed, used or disclosed to any other person, no breach notification is required. For example, if a person authorized to access protected health information inadvertently discloses this information to another person also authorized to access the protected health information, the disclosure is not considered a breach. Similarly, disclosing information to an unauthorized person who, in the organization's good faith belief, could not reasonably retain such information is not considered a breach. Finally, a breach has not occurred if there is a low probability that information has been compromised (i.e., a breach does not compromise the security or privacy of the protected health information or pose a significant risk of financial, reputational, or other harm to the individual).
