So, your worst nightmare has just happened. There's been a data breach, or a HIPAA violation, and you need to take action. Let's go over the steps that you must take now that the breach has occurred.

1. Notify your privacy or compliance officer.
2. Initiate a data breach risk assessment.
3. Notify impacted individuals within the required time frame.
4. Provide a formal report to HHS within 60 days, unless your state law requires it sooner.
5. Notify local media if the breach impacted more than 500 individuals.

The HIPAA regulation requires you to notify the impacted individuals within 60 days. However, multiple states like Texas, Wisconsin, North Carolina, and Alabama have more stringent laws that require notification in less than 60 days, with many other states following suit. So time is of the essence.

The privacy officer must initiate a data breach risk assessment to determine what PHI has been breached and how many individuals have been impacted. A formal report must be compiled and reported to the HHS within 60 days. You must also notify all individuals impacted by the breach within the same amount of time. However, if the state law is more stringent, you must abide by the state law.

The media notice rule requires covered entities to report a breach of 500 or more individuals to the local news outlets. Your privacy officer will need to contact local TV and newspaper outlets and provide a notification. The notification must include a brief description of the breach, a description of the types of information that were involved in the breach, and the steps affected individuals should take to protect themselves. It must also include a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches.
If the covered entity has insufficient or out-of-date contact information for ten or more individuals, the covered entity must substitute individual notice by either posting the notice on its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside.
In this lesson, we're going to tackle your worst nightmare – there's been a data breach or HIPAA violation and you need to take action. We'll provide you with the necessary steps to handle such an event, and at the end of the lesson, we'll provide you with a few more details about the HIPAA Breach Notification Rule.
Let's assume your business or organization has had a breach. These are the steps you need to take now that the breach has occurred.
Pro Tip #1: HIPAA regulations require you to notify impacted individuals within 60 days. However, multiple states like Texas, Wisconsin, North Carolina, Alabama, and others have more stringent laws that require notification to take place more quickly. Other states appear to be following suit. So, the moral of the story: Time is of the essence.
Once your privacy officer has been alerted to the breach, he or she must initiate a data breach risk assessment to determine what PHI was breached and how many individuals have been affected.
A formal report must be compiled and reported to the HHS within 60 days. You also must notify all impacted individuals within the same amount of time. However, if your state law is more stringent, you must abide by the state law.
The media notice rule requires covered entities to report breaches that involved more than 500 individuals to local news outlets. If dealing with this size of breach, your privacy officer would need to contact local television and newspaper outlets and provide a notification of the breach.
Here is just some of the information that a breach notification should include:
Pro Tip #2: If a covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must substitute an individual notice by either posting a notice on its website for at least 90 days or by providing the breach notification to all major media outlets in the areas affected.
The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of ePHI and issue a notice to the media if the breach affects more than 500 patients.
There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports to be made annually.
Breach notifications should include the following information:
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, and must include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.