Are you aware of HIPAA breach notification standards?

Make sure you know what to do if you learn of or suspect a breach.

When the Health Insurance Portability and Accountability Act (HIPAA) final rule went into effect Sept. 23, 2013, the standard for when psychologists and other covered entities must notify patients and the Department of Health and Human Services (HHS) of a breach changed. 

This article provides a "refresher" on the new breach notification rule and procedures for members who still have questions about what to do if they experience a breach, such as stolen or improperly accessed protected health information (PHI). This information is also available in The HIPAA Final Rule: What you need to do now (PDF, 551KB) product from the APA Practice Organization (APAPO), provided free to members of APAPO on the Practice Central website. 

What is a breach?

The Health Information Technology for Economic and Clinical Health (HITECH) Act added a requirement to HIPAA that covered entities must give notice to patients and to HHS if they discover that “unsecured” PHI has been breached. A “breach” is defined as the “acquisition, access, use or disclosure of PHI” in violation of the HIPAA Privacy Rule (PDF, 1.52MB). Examples of a breach include: stolen or improperly accessed PHI, PHI inadvertently sent to the wrong provider and unauthorized viewing of PHI by an employee in your practice. PHI is “unsecured” if it is not encrypted to government standards. Conversely, if you lose PHI that has been encrypted to government standards, there is no breach.

A use or disclosure of PHI that violates the Privacy Rule is presumed to be a breach unless you demonstrate that there is a “low probability that PHI has been compromised.” That demonstration is done through the risk assessment described next.

What do I do if I learn of or suspect a breach?

Step 1: Conduct a Risk Assessment

The first step if you discover or suspect a breach is to conduct the required risk assessment. (You must take this step even if the breached PHI was secured through encryption. See related sidebar on encryption.) 

The risk assessment considers the following four factors to determine if PHI has been compromised: 

  1. The nature and extent of PHI involved. For example, does the breached PHI provide patient names or other information that would enable an unauthorized user to determine the patient’s identity? 
  2. To whom the PHI may have been disclosed. That is, the unauthorized person who used the PHI or to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed. Factors 2 and 3 can be illustrated by comparing two scenarios. In both scenarios, your office has been broken into and your locked file cabinet with paper patient records has been pried open. In Scenario A, you suspect that a burglar was simply looking for valuables because cash and other valuables (but no patient information) have been taken. In Scenario B, you suspect the spouse of a patient going through a contentious divorce because no valuables have been taken and only that patient’s file appears to have been opened. In Scenario A, the likelihood that a burglar was rummaging through files seeking only valuables indicates a relatively low risk that PHI was actually viewed. In Scenario B, the identity of the suspected “breacher” suggests a very high risk that the one patient’s PHI was viewed and compromised. 
  4. The extent to which the risk to the PHI has been mitigated. For example, if you send the wrong patient’s PHI to a psychologist colleague for consultation, it should be easy to obtain written confirmation from the colleague that they have properly deleted or destroyed the PHI as soon as they realized you sent information on the wrong patient. By contrast, if your laptop is stolen you have little assurance that the thief will respect your patient’s confidentiality. 

If the risk assessment fails to demonstrate a low probability that the PHI has been compromised, and the PHI was unsecured, breach notification is required. It is important to note that HHS counts not only unauthorized access to PHI by thieves and outside hackers, but also impermissible uses by knowledgeable insiders. 

Regardless of whether you determine that notice is required, you should document your risk assessment for every potential breach. We also recommend that you re-assess your practice’s privacy and security practices after any breach to prevent the same lapse from recurring. 

Step 2: Determine if and when notice should be sent to the patient

If notice is required, you must notify each affected patient of the breach without unreasonable delay, meaning within 60 days (or the shorter limit specified by state law, if any) of discovery. A breach is “discovered” on the first day that you know (or reasonably should have known) of the breach. You are also deemed to have discovered a breach on the first day that any employee, officer or other agent of your practice (other than the person who committed the breach) knows about it.

The notice must be in plain language that a patient can understand and should provide the following information:

  • Brief description of the breach, including dates.
  • Description of types of unsecured PHI involved.
  • Steps the individual should take to protect against potential harm.
  • Brief description of steps you have taken to investigate the incident, mitigate harm, and protect against further breaches.
  • Your contact information. 

If you do not have all of the above information when you first need to send notice, you can provide a series of notices that fill in the information as you learn it.

Step 3: Determine how to send notice to patients

You must provide written notice to the patient at the patient’s last known address by first-class mail. Alternatively, you can contact your patients by email if they have indicated that this is the preferred manner of contact. A breach notice could alert a patient’s spouse or other family members to the fact that the patient is receiving mental health treatment even though the patient did not want this fact disclosed to family members. To help minimize this possibility, it is advisable to discuss with patients the physical or email address where they would prefer to be contacted in the unlikely event that you have to send a breach notice. 

Step 4: Notify HHS

For breaches affecting fewer than 500 patients, you must keep a log of those breaches during the year and then provide notice to HHS of all breaches during the calendar year, within 60 days after that year ends. 

For breaches affecting 500 patients or more, there are more complicated requirements which include immediate notice to HHS and sending notifications to major media outlets in the area for publication purposes. 

HHS provides instructions on how to provide notice for breaches on its website. 

How do I handle breaches involving business associates?

The HIPAA Final Rule clarified the role of business associates in breach notification. The risk assessment can also be done by your business associate if the associate was involved in the breach. If a business associate or subcontractor is involved in the breach, they must notify the psychologist. It is then the psychologist’s duty to provide notice to the patients and HHS of these breaches as explained above. 

For more information, visit the HIPAA Compliance section of the Practice Central website. Members who need additional information or have questions about this article may also contact APAPO’s Office of Legal & Regulatory Affairs toll-free at (800) 374-2723, ext. 5886, or by email

Please note: Legal and regulatory issues are complex and highly fact-specific and require legal expertise that cannot be provided by any single article. The information in this article should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.