Breach Notifications

HITECH expects organizations to take reasonable steps to detect breaches. This means an organization can’t justifiably claim a notification wasn’t made because the breach was undetected if there were reasonable steps the organization could have taken that would have led to the discovery of the breach.

Circumstances Where Notification is Required

Covered entities or business associates who interact with PHI in the following ways must notify each individual whose PHI has been (or is reasonably believed to be) impacted by a discovered breach within 60 calendar days:

    1. Accesses
    2. Maintains
    3. Retains
    4. Modifies
    5. Records
    6. Stores
    7. Destroys
    8. Or otherwise:
      1. Holds
      2. Uses
      3. Discloses

In short, if an organization interacts with PHI and that PHI is involved in a breach, that organization is required to notify the individuals impacted by the breach.

How to Notify Individuals, the Media, and the Secretary of the US Department of Health and Human Services (DHHS)

In notifying individuals, organizations are to send notification via first-class mail or, if a mailing address is not available for the individual, via:

  • Email
  • Phone
  • An easily noticeable statement on the organization’s homepage

If a breach involves more than 500 residents in a given State/jurisdiction, the organization must notify prominent media outlets in the affected area.

Organizations are to notify the Secretary of DHHS each year of all breaches involving PHI, unless the breach involves more than 500 individuals. In that situation, the Secretary is to be notified immediately. The Secretary also keeps a list identifying each covered entity involved in these large breaches on the DHHS’s website.

Information to be Included in a Notification

Regardless of how individuals are notified of a breach, the notification is to include (to the extent possible):

  • A brief description of what happened, when it happened, and when it was discovered
  • A description of the types of unsecured PHI involved. For example:
    • Full name
    • Social security number
    • Date of birth
    • Home address
    • Account number
    • Disability code
    • Etc.
  • The steps individuals should take to protect themselves from potential harm resulting from the breach
  • A brief description of what the covered entity is doing to investigate the breach, mitigate losses, and to protect against any further breaches
  • Contact information individuals can use to ask questions or learn additional information, which is to include a(n):
    • Toll-free number
    • Email address
    • Website
    • Postal address

Notifications and Law Enforcement

If a law enforcement official determines that a notification of a breach would impede a criminal investigation or cause damage to national security, notifications of the breach are to be delayed.

Fines

Important Definitions Related to Violations & Fines

As used in this subpart, the following terms have the following meanings:

Reasonable cause

  • An act or omission that a covered entity or business associate knew (or should have known) was in violation of this act, but in which the covered entity or business associate did not act with willful neglect

Reasonable diligence

  • The business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances

Willful neglect

  • Conscious, intentional failure or reckless indifference to the obligation to comply with this act

When Fines Can be Levied

  1. If a covered entity or business associate has violated HIPAA, the US Government can impose a monetary fine on the offending organization
  2. If a violation is committed by more than one covered entity or business associate:
    1. Each offending organization can be fined
    2. If a covered entity is part of an affiliated covered entity, the affiliates are jointly liable unless it’s found that a member of the affiliation was responsible for the violation
  3. A covered entity will be found in violation of HIPAA even in situations where the violation was committed by any of the following while acting within the scope of the covered entity:
    1. An agent of the covered entity
    2. A workforce member
    3. A subcontractor
    4. A business associate

Factors Considered When Determining Fine Amounts

The US Government considers the following factors when determining the amount of fines:

  • The nature and extent of the violation, including:
    • The number of affected individuals
    • The time period when the violation occurred
  • The nature and extent of the harm caused by the violation, including:
    • If the violation caused physical harm
    • If the violation resulted in financial harm
    • If the violation harmed an individual’s reputation
    • If the violation hindered an individual’s ability to obtain health care
  • Any previous violations, including:
    • If the violation has happened (or appeared to have happened) before
    • If the covered entity or business associate has attempted to correct previous indications of noncompliance
    • If the covered entity or business associate has responded to technical assistance from the Secretary
    • How the covered entity or business associate has responded to prior complaints
  • The financial condition of the covered entity or business associate, including:
    • If the covered entity or business associate has had financial difficulties, affecting its ability to comply
    • If a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide or pay for health care
    • The size of the covered entity or business associate
  • Other matters as justice may require

Fine Amounts

Fines can be up to the following amounts:

  • For a violation where the covered entity or business associate did not know (and would not have known through reasonable efforts) they were in violation:
    • Between $100 and $50,000 per violation
    • No more than $1,500,000 for identical violations during a calendar year (i.e., January 1 - December 31)
  • For a violation stemming from reasonable cause and not willful neglect:
    • Between $1,000 and $50,000 per violation
    • No more than $1,500,000 for identical violations during a calendar year
  • For a violation stemming from willful neglect that was corrected within 30 days of the date the organization discovered (or should have known about) the violation:
    • Between $10,000 and $50,000 for each violation
    • No more than $1,500,000 for identical violations during a calendar year
  • For a violation stemming from willful neglect that was not corrected within 30 days of the date the organization discovered (or should have known about) the violation:
    • A minimum of $50,000 for each violation
    • No more than $1,500,000 for identical violations during a calendar year
  • If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another provision, a civil money penalty may be imposed for violating only one of the provisions

What Your Organization Can Do

In order to comply with HIPAA & HITECH, your organization should:

  1. Consult with the appropriate experts, including your organization’s legal counsel, to determine if HIPAA & HITECH apply to your organization
  2. Assess if your organization is currently handling PHI
  3. Implement a process so if your organization begins handling PHI, your organization can be HIPAA & HITECH compliant the first day it begins handling that information
  4. Have your personnel read our compliance articles on HIPAA & HITECH