Learn all about the HIPAA breach notification rules and how you can best protect your business by being ready to comply with anticipated 2021 HIPAA breach notification rules.

The HIPAA (Health Insurance Portability and Accountability Act) breach notification rules spell out how hospital systems, physicians, and other healthcare providers must notify their patients, as well as the U.S. Department of Health & Human Services (HHS), if those healthcare providers experience a data breach that affects patient information protected by HIPAA. 

A breach could include unsecured protected health information (PHI) or sensitive personal data such as names, addresses, or Social Security numbers that have fallen into the hands of unauthorized individuals, typically after a hacking or other data breach incident. 

HIPAA compliance obligations have remained essentially the same since the last update to HIPAA rules in 2013. That is about to change. Several significant updates to HIPAA are expected in 2021, making it extra important to stay on top of compliance requirements new and old.

Brief history of HIPAA breach notification rules  

One change in 2013 was passage of the HITECH (Health Information Technology for Economic and Clinical Health) Act, which applies to all health insurance and healthcare providers, as well as their third-party contractors. HITECH mandated the notification requirements we know today. 

Shortly after onset of the COVID pandemic, the U.S. Congress passed the Corona Aid, Relief, and Economic Securities (CARES) Act. One main objective of the CARES Act was to ensure access to healthcare during the pandemic, including access to treatment for substance abuse disorders (SUD). 

Expected in 2021 are changes to federal regulations regarding how healthcare providers and health insurance companies treat records of patients with SUD and mental health issues, as well as regulatory protection specific to the sharing and safe-keeping of these two types of health records. 

HHS is considering changes that would allow for the sharing of SUD records with primary care physicians, both to provide better care for the patient and also to stop a physician from prescribing opioids to a patient already in treatment for such an addiction. These changes will also bring new HIPAA breach notification rules, as more patients will be covered by them. 

What triggers the HIPAA breach notification rule? 

Under the HIPAA Privacy Rule, a breach is an impermissible use or disclosure of unsecured PHI (for example, unencrypted PHI) that compromises the security or privacy of the protected health information. The nature and size of the breach trigger the corresponding HIPAA breach notification rule. 

Interestingly, HIPAA only requires notifications of breaches for PHI that is not secured. So the first step toward avoiding a fine is to make sure covered entities and their business associates use appropriate encryption and destruction techniques to assure that PHI is unusable, unreadable, or indecipherable should that data fall into the clutches of an unauthorized person. 

Who is covered by breach notification rules?

Covered entities include health plans, healthcare providers, healthcare clearinghouses, health insurance companies, and individual providers; as well as their business associates. Outpatient facilities and pharmacies are also considered covered entities. 

A business associate is defined as any company or individual — other than a workforce member of a covered entity — that does work for a covered entity, no matter what type of work the contractor provides. 

What qualifies as a breach?

Any impermissible use or disclosure of PHI is considered a breach unless the covered entity or business associate can show that there’s a low probability the PHI has been compromised. That conclusion must be based on a risk assessment of certain factors, including: 

  • The nature and detail of the PHI, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed, or the unauthorized access was an attempted data breach of unsecured PHI that didn’t succeed. 
  • The extent to which the risk to the PHI has been mitigated, and plans and cybersecurity software have been put in place to help with the discovery of breaches in the future. 

What are the breach notification duties?

After discovery of large breaches, a business must comply with HIPAA breach notification rules and meet notification requirements within 60 days

Once a covered entity knows or should have known that a breach of PHI occurred (referred to as the “date of discovery”), the keeper of the data is required to notify the affected individuals, HHS, and prominent media outlets. 

The covered entity has to do this “without unreasonable delay” or before 60 calendar days after it discovered the breach. That applies even if the organization wasn’t entirely certain the PHI had been compromised at the time it discovered the breach.  

If the breach involves the unsecured PHI of more than 500 people, a covered entity must notify a major print or broadcast media outlet in the state or jurisdiction where the breach occurred, and still notify HHS. 

Enforcement, fines and penalties 

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. The OCR may issue civil monetary penalties for violations of the rules. In cases of egregious neglect of data security, the U.S. Department of Justice may file criminal charges. The OCR also posts the names of entities with breaches involving more than 500 people on its “wall of shame.”

According to HHS, the federal agency has received more than 259,972 HIPAA complaints, and has initiated 1,073 compliance reviews, since the privacy rule took effect in 2003. HHS reports having solved 99 percent of the cases brought forth. 

According to HHS’s website, HHS.GOV, the most common violations leading to a HIPAA investigation in descending order are: 

  • Impermissible use and sharing of unsecured PHI 
  • Lack of cybersecurity and encryption applied to protect the information
  • Lack of or denying patients access to PHI
  • Lack of security systems put in place to protect electronically protected health information
  • Disclosure of too much PHI (see above about substance abuse treatment)

Roughly $135.3 million has been collected in fines since 2003. 

What about smaller breaches?

For breaches involving fewer than 500 people, a covered entity can keep a log of the relevant information and notify HHS within 60 days after the end of the calendar year via the HHS website.

The covered entity and its business associates must also make any required reports available to HHS and the affected individuals. Notification to individuals must be sent via first class mail, or email if the individuals have agreed to accept notices electronically. 

If a covered entity doesn’t have contact information for 10 or more individuals, it must either post a notice on the homepage of its website or make it available on major print or broadcast media located in the geographical area where affected individuals likely live.

How to determine if your business must be HIPAA compliant

The HIPAA Journal has published an updated compliance checklist for 2021 by compiling compliance demands of the HIPAA Privacy and Security Rules, HIPAA Breach Notification rules, the HITECH Act and HIPAA Enforcement Rules. 

The list will help you determine whether your business must comply with HIPAA compliance guidelines. The steps included are: 

  • Determine which audits are applicable to your business and how frequently they should be done. 
  • Conduct said audits and document any deficiencies. 
  • Make plans for mediation in case of the discovery of a breach.
  • Assign a HIPAA compliance officer and needed staff. 
  • Implement a HIPAA training program and document your staff’s participation. 
  • Review business associates and third party contractors

Cybersecurity and compliance management tools

As you steer your business through the pandemic and our highly interdependent world, many tools can help keep your business safe and in compliance, with your information secure.

ZenGRC’s compliance management, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also easily identifies areas of high risk before that risk has manifested as a real threat. 

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.