Section 2.1 Utilize – Implement

Section 2.1 Utilize – Implement – Workflow Breach Notification in HIPAA Covered Entities - 1

Workflow Breach Notification in HIPAA Covered Entities

Health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must notify individuals when their health information is breached. The regulations outline how quickly and by what means you need to communicate the breach. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

Instructions for Use

1.  Review the information to understand what constitutes a breach.

2.  If a breach occurs, follow this algorithm to appropriately manage the breach and notify impacted individuals and organizations, and potentially the U.S. Department of Health and Human Services (HHS) and the media.

Breach Notification Workflow

1.  Discovery of a paper-based or electronic security incident. Discovery of the breach (or the date when the entity should have known of the breach) starts the 60-day clock for notification.

a.  Determine if there was acquisition, access, use, or disclosure of protected health information (PHI) that compromises the security or privacy of PHI

i.  Poses a significant risk of financial, reputational, or other harm to the individual

ii.  De-identified data is excluded

2.  Determine whether the PHI was:

a.  Secured (i.e., encrypted, destroyed, or de-identified); if so, breach notification may not be required

b.  Unsecured; if so, determine whether an exception applies

3.  If unsecured, notification not required if:

a.  Unintentional access by member of covered entity (CE) or business associate (BA) workforce

b.  Inadvertent disclosure to person at same CE or BA and no further use or disclosure in violation of Privacy Rule

c.  Disclosure where CE or BA believes unauthorized recipient would be unable to retain PHI

4.  Delay notification if law enforcement agencies have requested delay where notification may hinder investigation

5.  Determine if breach may result in imminent misuse of unsecured PHI, in which case CE should notify individuals by telephone or other means in addition to written notice

6.  Send notification letters via first-class mail within 60 days of breach discovery

a.  Record breach in a log. If fewer than 500 individuals affected, report breach annually

b.  If 500 or more individuals affected, notify HHS: http://transparency.cit.nih.gov/breach/index.cfm

c.  If 500 or more live within one state, send a press release to major media outlets

d.  If 10 or more letters returned due to out-of-date or insufficient contact information, provide substitute notice (e.g., email, website notice, major print, or broadcast media)

7.  Notice must be in plain language and include:

a.  Description of breach, date of breach, and date of discovery

b.  Description of types of information breached

c.  Steps individuals should take to protect themselves

d.  Description of what CE is doing to mitigate harm and protect against further breaches

e.  Contact procedures for individuals to ask questions, including a toll-free number, email address, website, or postal address
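The seven steps above are a decision procedure with fixed thresholds (60 days, 500 individuals, 500 in one state, 10 returned letters). The following Python script is an added example, not part of the Stratis Health toolkit, that encodes the workflow so an incident responder can enter the facts of a breach and get back whether notice is required, the written-notice deadline, and the list of required actions. The dataclass field names, the `plan_notification` function, and the sample incident are all constructed for this illustration; the thresholds and step references come from the workflow.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds taken from the workflow steps above.
NOTIFICATION_WINDOW_DAYS = 60      # steps 1 and 6: 60 days from discovery
HHS_IMMEDIATE_THRESHOLD = 500      # step 6b: 500 or more individuals
MEDIA_STATE_THRESHOLD = 500        # step 6c: 500 or more in one state
SUBSTITUTE_NOTICE_THRESHOLD = 10   # step 6d: 10 or more returned letters


@dataclass
class BreachFacts:
    """Inputs an incident responder collects before deciding on notification (hypothetical schema)."""
    discovery_date: date
    phi_secured: bool              # step 2a: encrypted, destroyed, or de-identified
    exception_applies: bool        # step 3: one of the three listed exceptions applies
    law_enforcement_delay: bool    # step 4
    imminent_misuse: bool          # step 5
    affected_by_state: Dict[str, int] = field(default_factory=dict)  # state -> individuals
    returned_letters: int = 0      # step 6d


@dataclass
class NotificationPlan:
    notification_required: bool
    reason: str
    deadline: Optional[date]
    actions: List[str] = field(default_factory=list)


def notification_deadline(discovery_date: date) -> date:
    """Step 1: the 60-day clock starts on the discovery date."""
    return discovery_date + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def plan_notification(facts: BreachFacts) -> NotificationPlan:
    # Steps 2 and 3: secured PHI or a listed exception means notice may not be
    # required, but the determination itself should still be documented.
    if facts.phi_secured:
        return NotificationPlan(False, "PHI was secured (step 2a); document the determination", None)
    if facts.exception_applies:
        return NotificationPlan(False, "Step 3 exception applies; document the determination", None)

    actions: List[str] = ["Send written notice by first-class mail (step 6)"]
    deadline: Optional[date] = notification_deadline(facts.discovery_date)

    # Step 4: a law-enforcement request delays notice; record the request.
    if facts.law_enforcement_delay:
        deadline = None
        actions.append("Delay notice per law-enforcement request and record the request (step 4)")

    # Step 5: imminent misuse calls for telephone or other immediate contact as well.
    if facts.imminent_misuse:
        actions.append("Notify affected individuals by telephone or other immediate means (step 5)")

    # Steps 6a/6b: log every breach; the size decides immediate vs annual HHS reporting.
    total = sum(facts.affected_by_state.values())
    actions.append("Record the breach in the breach log (step 6a)")
    if total >= HHS_IMMEDIATE_THRESHOLD:
        actions.append("Notify HHS of the breach (step 6b)")
    else:
        actions.append("Include in the annual report to HHS (step 6a)")

    # Step 6c: media notice is decided per state, not on the total.
    for state, count in sorted(facts.affected_by_state.items()):
        if count >= MEDIA_STATE_THRESHOLD:
            actions.append(f"Send press release to major media outlets in {state} (step 6c)")

    # Step 6d: substitute notice when contact information fails.
    if facts.returned_letters >= SUBSTITUTE_NOTICE_THRESHOLD:
        actions.append("Provide substitute notice (email, website, or media) (step 6d)")

    return NotificationPlan(True, f"Unsecured PHI compromised for {total} individuals", deadline, actions)


if __name__ == "__main__":
    # Constructed sample incident, not a real case.
    sample = BreachFacts(
        discovery_date=date(2011, 3, 1),
        phi_secured=False,
        exception_applies=False,
        law_enforcement_delay=False,
        imminent_misuse=True,
        affected_by_state={"MN": 620, "WI": 30},
        returned_letters=12,
    )
    plan = plan_notification(sample)
    print(plan.reason, "deadline:", plan.deadline)
    for action in plan.actions:
        print(" -", action)
```

Two design points worth noting: the media-notice check runs per state rather than on the total, because step 6c is keyed to residents of one state, and a law-enforcement delay clears the computed deadline instead of extending it, since the workflow gives no fixed extension and the responder must track the request separately.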

Copyright © 2011 Stratis Health. Funded by Chiropractic Care of Minnesota, Inc. (ChiroCare), www.chirocare.com

Adapted from Stratis Health’s Doctor’s Office Quality – Information Technology Toolkit, © 2005, developed by Margret\A Consulting, LLC. and produced under contract with the Centers for Medicare & Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services.

For support using the toolkit

Stratis Health Health Information Technology Services

952-854-3306

www.stratishealth.org
