Notification Requirements When a Breach of Patient Information Occurs

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires covered entities, such as physicians and health plans, to notify individuals when their unsecured health information is breached. Covered entities must submit an annual report to the Secretary of Health and Human Services regarding all breaches that occur, making diligent documentation crucial.

The Department of Health and Human Services (HHS) issued guidance on proper encryption and data destruction methods in 2009, which was updated in 2013. The guidance outlines how to ensure protected health information is unusable, unreadable, or indecipherable to hackers and identity thieves. “Unsecured protected health information” is information not protected using the methods specified by HHS. It is important to note that if this guidance is followed, covered entities are not subject to notification procedures in the event of a breach.

In 2013, the definition of breach under the law was changed considerably. The old rule defined breach as the “unauthorized acquisition, access, use or disclosure of protected health information” which poses a significant risk to the individual. Under the new rule, a breach is presumed to have occurred regardless of whether it poses a significant risk, unless a four-pronged risk analysis can prove there is a low probability that the patient’s information was compromised.

The HITECH Act requires that patients be notified of any breaches that involve their unsecured information. This notification must be issued without unreasonable delay and within 60 days of the discovery of the breach. The notice must contain:

  • A brief description of what occurred, including the date of the breach and the date of the discovery of the breach
  • A description of the types of information involved
  • Steps individuals should take to protect themselves
  • What actions the entity has taken to investigate the breach and mitigate harm
  • Contact information, including a toll-free phone number

If an entity does not have contact information for patients, alternate methods must be used. Where less than 10 individuals are affected, notice can be written or by telephone. For more than 10 individuals, the covered entity must provide substitute notice through an online posting or in print or broadcast media, and provide a toll-free information line. When the breach is more widespread, a covered entity may need to notify the secretary of HHS or notify local media outlets.

Compliance with health care regulations is challenging, especially since the legal and technological landscapes are constantly changing. An experienced health care compliance attorney can provide health care professionals with skilled legal guidance.

Tagged with: , , ,

Posted in: Compliance