PHI Breach Reporting: Know Your Responsibility Under the HIPAA Breach Notification Rule

Whether your organization is a covered entity or a business associate, you must follow HIPAA’s strict breach notification rules and regulations to stay compliant. The HIPAA Breach Notification Rule requires healthcare providers and their vendors to notify patients, the HHS, and sometimes the media when there’s a serious breach of protected health information (PHI) or electronic protected health information (ePHI). Failing to follow the Breach Notification Rule can put your organization at risk of bigger penalties and fines, so it’s critical to understand the steps required for breach notifications.

Here’s everything providers and business associates need to know about their responsibilities for PHI breach reporting.

What is the HIPAA Breach Notification Rule?

PHI security breaches can devastate patients, so providers should take every breach seriously. The HIPAA Breach Notification Rule ensures patients, the HHS, and the public are aware of major data breaches. This way, healthcare providers can’t conceal breaches, which could put patients at serious risk.

The HHS Office for Civil Rights (OCR) keeps track of these incidents to oversee providers’ security compliance. OCR can also identify threat trends in healthcare, which the HHS uses to recommend PHI cybersecurity best practices going forward.

Covered Entity Responsibilities

If you’re a covered entity under HIPAA, you need to meet administrative requirements long before there’s a breach. HIPAA requires you to:

  • Create breach notification policies
  • Train employees on these policies
  • Sanction employees who break your policies

Once you actually experience a breach, you’ll also need to mitigate the breach, gather evidence, and notify certain parties.

Mitigate the Breach

First things first, you’ll need to take immediate action to mitigate the breach. For example, if a hacker broke in and stole patient data through an unsecured IoT device, you need to secure that device. This stops the source of the breach, which will protect patients (and your business) from further harm.

Gather Evidence

Next, you’ll need to analyze the breach and gather evidence by conducting a PHI breach risk assessment. If you believe there wasn’t any actual harm done during the breach, you’ll need to prove it. For example, if someone tried to steal encrypted information and didn’t have access to a decryption key, it likely won’t count as a breach, per the HIPAA Breach Safe Harbor Policy.

If someone accessed unencrypted information but you still believe it doesn’t qualify as a breach, it needs to pass this four-factor test to prove there was no harm:

  • The breach didn’t include identifying information about a patient.
  • The unauthorized access was traced to a person within your own organization, not an outside attacker.
  • The PHI wasn’t used maliciously.
  • Your organization took the appropriate steps to mitigate the breach immediately after it was discovered.

Even if you conclude that what happened was not a breach, the HHS OCR can still ask you for the risk assessment showing that there was no tangible harm.

Send Notifications

If you experienced a breach, the HIPAA Breach Notification Rule requires you to notify individual patients, the HHS, and sometimes the media.

  • Individuals: Whether it’s one patient or 1,000, you must notify all affected patients about a breach no later than 60 days after discovering the breach. HIPAA requires you to send a printed letter to their last known address. If the breach affected over 10 people, you must also post a notice about it on your website for 90 days or notify a prominent media outlet in your area about the breach.
  • HHS: If the breach involved over 500 patients, you must report it to the HHS within 60 days of discovering it. If it affected fewer than 500 people, you need to notify the HHS within 60 days of the end of the calendar year when the breach occurred.
  • The media: You only need to notify the local media if a breach affected 500 people in a specific state or jurisdiction. For example, a national health system would need to submit press releases in both Texas and Indiana if it had breaches of 500+ records in those states.

Business Associate Responsibilities

If you’re a business associate of a covered entity, you must report any breach that happens in your systems to the covered entity. HIPAA requires you to notify the covered entity within 60 days of discovering the breach and to provide a list of all individuals affected by it.

The covered entity will usually notify individuals about a breach, but it depends on the situation. For example, if the business associate has a closer relationship with the patient, they will typically notify the patient.

Simplify PHI Breach Reporting

Whether you’re a hospital, clinic, or business associate, you agreed to protect patient information according to the terms of HIPAA. When breaches happen, it is your responsibility to follow the proper notification protocol. Follow the steps in this guide to fulfill your responsibilities under HIPAA’s PHI breach reporting rule.

Of course, it’s better to avoid a PHI breach in the first place. Not only does prevention spare you the notification process, it also protects your patients’ safety by keeping their PHI secure. In today’s healthcare landscape, however, it’s increasingly necessary, and beneficial, for providers to share PHI to improve patient care, so they must be able to share PHI securely. That’s where Situational ePHI Awareness comes in, both before and after a PHI cybersecurity incident.

Tausight is a Situational ePHI Awareness solution that provides a consolidated, real-time view of structured and unstructured ePHI, with 24/7 telemetry and reporting on PHI activity. When you know where your PHI exists and its potential risk, you can take the appropriate measures to ensure PHI compliance.

Additionally, Tausight’s immutable, off-site audit trail provides forensic-level detail across all endpoints throughout the healthcare ecosystem, giving you the information needed to quickly reconstruct a security incident and reconstitute your systems should a PHI cybersecurity incident occur. Contact us today to see how ePHI visibility can help you improve your organization’s cybersecurity.

David Ting

Founder and CTO, Tausight