When do you notify after a HIPAA breach?
With the recent release of the HITECH rule's language on breach notification, risk managers can be left wondering when they must notify after a breach of protected health information (PHI) in violation of the Health Insurance Portability and Accountability Act (HIPAA). Sometimes you must notify the affected patients, the Department of Health and Human Services (HHS), and even the local media, and sometimes no notification is required at all, provided you can show why.
So how do you know which path to follow? A close reading of the rule helps. The notification requirements for breaches and the potential penalties for noncompliance with HIPAA privacy rules were expanded under last year's HITECH Act. For HIPAA covered entities, a breach is defined as an event that "compromises the security or privacy of the protected health information," and defined further as posing "a significant risk of financial, reputational, or other harm to the individual."
That is not entirely clear, and the decision matters. If you don't notify when you should, HHS can impose penalties. But if you notify when you really don't have to, you create unnecessary stress for your patients and their families, and you could damage your hospital's reputation, all for nothing.
The changes to the breach notification rule give risk managers more flexibility but also create ambiguity. The HITECH interim final rule sets out when notification is required after a breach of protected health information (PHI). The rule applies only to unsecured PHI, that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the encryption or destruction methods specified in HHS guidance. For unsecured PHI, notice is required only if both of these conditions are met:
• There has been access to, or acquisition, use, or disclosure of PHI in violation of HIPAA.
• The violation poses a "significant risk of financial, reputational, or other harm" to the people whose PHI is involved.
HHS states in the HITECH rule that a covered entity "will need to perform a risk assessment" to determine whether the second condition has been met, but it does not provide further guidance on how to make that decision.
HHS does make clear that you should be ready to justify your decision: "Covered entities and business associates must document their risk assessments so they can demonstrate, if necessary, that no breach notification was required."
(See the HITECH breach notification rule here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html. See the HHS page on breach notification here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.)
The exact content of the information and the manner in which it was lost will determine whether you need to notify, says Andrew Blustein, JD, an attorney with the law firm of Garfunkel Wild in New York City. Not every breach will require a notification.
"If the information says Patient 123 has a diagnosis of X, that is a HIPAA violation, because there is a patient identifier. But if someone finds that laptop and sees that information about Patient 123, with no name, you have to wonder if you've crossed that threshold," he says. "People seem to rush past what was actually disclosed and just panic over the fact that there has been a HIPAA breach."
In most cases, however, the breach will involve information that more clearly identifies the patient, Blustein says. And when the situation is not so clear, the burden is on the provider to show that the information posed no risk and required no notification.
"That's the risky part. When in doubt, you may have to go through the HITECH notification," he says. "If HHS comes in and looks at it, and if reasonable minds would differ, you're going to have to prove that your way was the reasonable way."
Blustein says the federal government's stance so far has been that if you have a name connected with a treatment, that is enough to trigger notification. That is not an official stance, he notes, but he says that has been the position of the investigators he has dealt with.