A “breach” – when used in the context of describing the Health Insurance Portability and Accountability Act (HIPAA) – involves the impermissible use and/or disclosure of protected health information. When this occurs, the employer is responsible for notifying the affected parties. Failure to follow the proper protocol regarding HIPAA breaches could result in fines or other consequences.
It's important to note that not every case involving the impermissible use or disclosure of a patient's health information is necessarily classified as a HIPAA breach. Under the final rule, the employer must be able to demonstrate that there is a low risk that the health information was compromised. This is done by performing a risk assessment based on the nature and severity of the incident; identifying the person or people who accessed the protected health information; determining whether the protected health information was actually used or even viewed; and assessing the risk management applied to the affected patient's protected health information.
According to the Health and Human Services (HHS) website, there are three exceptions to the HIPAA breach rule:
- An employee unintentionally accessed the protected health information.
- An employee or other person who is authorized to access protected health information unintentionally disclosed it to a covered party.
- The person or people who disclosed the protected health information were unable to retain the data.
When a HIPAA breach occurs, the covered entities must notify the affected parties of the impermissible use or disclosure of their protected health information via a written letter sent by First Class mail or electronically through email. Notifications must be sent within 60 days of discovery of the breach and include a description of the incident, how it happened, what information was disclosed, how the individual should further protect their data, and how the covered entity is investigating the issue to prevent future instances.
Covered entities aren't out of the woods just yet. HIPAA states that employers must notify both the affected individual, as well as the Secretary. For more information on how to notify the Secretary, visit http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
Lastly, if the breach is believed to affect 500 or more residents in a state or jurisdiction, the covered entity must also notify the media. There are several different methods of notifying the media, the most common being a press release to local news affiliates in the respective area. This notification must also be sent within 60 days of the breach's discovery.