When a breach occurs that compromises the confidentiality, integrity, or availability of protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities and their business associates report the breach to affected individuals, to the Department of Health and Human Services (HHS), and in some cases, to the media.
If a breach occurs within a business associate (such as a third-party vendor handling PHI), they must notify the covered entity promptly, as the covered entity is ultimately responsible for reporting the breach.
Steps and Requirements for Reporting a HIPAA Breach
Determine if a breach occurred
A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Not all incidents that involve PHI are considered breaches (for example, unintentional access by an employee within their scope of employment).
A risk assessment is required to determine whether the breach poses a significant risk of harm to the affected individuals. It considers the nature of the PHI involved, whether the PHI was actually acquired or viewed, and the likelihood that the data could be re-identified.
Notify Affected Individuals
Individuals must be notified within 60 days of discovering the breach. The notification should include:
- A description of the breach
- The types of PHI involved
- Steps affected individuals can take to protect themselves
- Actions taken to investigate and mitigate the breach
- Contact information for further inquiries
Notify the Department of Health and Human Services (HHS)
If the breach affects 500 or more individuals, it must be reported to HHS within 60 days of discovery. The report is submitted through the HHS breach portal.
For breaches involving fewer than 500 individuals, the covered entity may instead submit an annual summary of all such breaches to HHS by March 1 of the following year.
Notify the Media
If a breach involves more than 500 residents of a state or jurisdiction, the entity must notify prominent media outlets serving that area. This is also to be done within 60 days of discovering the breach.
Employer Considerations
- Timeliness: Timely reporting is critical. Failure to report breaches within the required time frames can lead to penalties and fines.
- Documentation: Covered entities should keep detailed documentation of the breach and the actions taken to mitigate it. This is essential in the event of an audit or investigation by HHS.
- Penalties: The penalties for non-compliance with breach reporting requirements can be substantial, ranging from $100 to $50,000 per violation, with a maximum annual penalty of $1.5 million for willful neglect cases.