HIPAA, Security Incidents, and Reportable Events
In the interconnected world of digital health information, safeguarding Protected Health Information (PHI) is paramount. Healthcare providers are legally required to comply with the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy and maintain trust, and that compliance includes knowing how to identify and respond to security incidents.
Among these, the concepts of security incidents, reportable events, and the implementation of the Breach Notification Rule are particularly critical. These aspects of HIPAA are at the heart of ensuring that health information remains confidential and that violations are promptly addressed and communicated appropriately.
This article explains the obligations of HIPAA-covered entities and their business associates under the Breach Notification Rule regarding reportable events. We will explore how to identify security incidents, determine their severity, ascertain if they constitute a reportable event, and understand the necessary steps for notification during a breach.
What Is a HIPAA Security Incident?
A HIPAA security incident refers to an event that could potentially compromise the security or privacy of the Protected Health Information.
Under HIPAA, organizations that deal with PHI are required to protect it with sufficient technical, physical, and administrative measures. If these measures are threatened with potential breach (that is, if there is a possibility that PHI has been accessed or disclosed by or to an unauthorized individual), it is considered a security incident.
If a HIPAA security incident occurs, the covered entity or business associate must thoroughly document and investigate it. If the incident turns out to be a breach (see the reportable events below), the organization must notify HHS and follow the additional requirements of the Breach Notification Rule where they apply.
What Is a HIPAA Reportable Event?
A “reportable event” under HIPAA refers specifically to a breach of unsecured protected health information, that is, PHI that has not been protected through encryption or comparable security measures.
Some examples of these breaches might include:
- Unauthorized access of PHI by an employee.
- Theft or loss of devices that contain PHI.
- Unauthorized disclosure of PHI (for example, sending PHI to the wrong recipient).
- Cyberattacks that lead to the exposure or potential exposure of PHI.
In each of these events, PHI has been disclosed to unauthorized parties, or at least there is a high likelihood that it has.
Are All Security Incidents Reportable Events?
Not all HIPAA security incidents are reportable events. While, by and large, covered entities (CEs) and business associates (BAs) must document, investigate, and report incidents, there are exceptions.
These exceptions include:
- Unintentional Acquisition: If the person acquires or accesses the information unintentionally, in the course of their routine authorized duties, and does not further use or disclose it in a way HIPAA does not permit.
- Inability to Retain: If the unauthorized person who received the PHI would not reasonably have been able to retain such information.
- Inadvertent Disclosure: If the unauthorized disclosure of PHI was to another person at the same facility subject to the same privacy rules, and the information isn’t further used or disclosed in a manner not permitted by the Privacy Rule.
In general, when a security incident occurs, the covered entity (or its business associate) must investigate if a breach has occurred and whether it’s reportable. They must assess the probability of data compromise based on the scope and scale of the incident, compare against potential exceptions, and make determinations about whether or not it stands as a reportable event.
What Is the Breach Notification Rule?
Under the Breach Notification Rule, CEs have several responsibilities when a breach of unsecured protected health information (PHI) has occurred.
Here are some of the primary responsibilities that CEs and BAs might take on following a reportable event:
- Discovery of Breach: Covered entities must have procedures to identify when a breach has occurred. A breach is considered “discovered” as of the first day it is known, or would reasonably have been known with proper HIPAA measures in place, to any employee or agent of the organization.
- Risk Assessment: Upon discovering a potential breach, the covered entity is responsible for conducting a risk assessment to determine if PHI has been compromised.
- Notification to Individuals: If the breach involves more than 500 patients, the covered entity must notify each affected individual without unreasonable delay (no later than 60 days after discovery of the breach). The notification should be provided in writing, sent by first-class mail or email, and must include details of the breach, types of information involved, what the CE is doing to investigate and mitigate the breach, the steps individuals should take to protect themselves, and contact information for questions.
- Notification to the Secretary of HHS: If a breach involves 500 or more patients, the organization must notify the HHS no later than 60 days after discovery of the breach. If a breach involves fewer than 500 individuals, the covered entity may report it to the Secretary annually.
- Notification to the Media: For breaches involving 500 or more individuals in a specific jurisdiction or state, the covered entity must also notify prominent media outlets serving the state or jurisdiction.
- Business Associates: If a breach of unsecured PHI occurs at or by a business associate, the covered entity must ensure that the business associate notifies the covered entity promptly so that the covered entity can fulfill its notification obligations.
- Breach Log: Covered entities are required to maintain a log or other documentation of breaches of unsecured PHI, including breaches that involve fewer than 500 individuals.
How Can I Identify Reportable Events?
Identifying a reportable event under HIPAA primarily involves recognizing when a breach of unsecured protected health information (PHI) has occurred and requires notification. Here are the steps an organization can take to identify a reportable event:
- Detecting a Security Incident: Detection of breaches can occur through several different methods, such as cybersecurity tools, employee reports, risk assessments, vulnerability scans, or audits.
- Conducting a Risk Assessment: Once a security incident is detected, the organization should conduct a risk assessment that weighs the probability that PHI was compromised, based on the scope and scale of the incident, and identifies how to address the underlying causes going forward.
- Determining if There Are Exceptions: If any of the exceptions apply (unintentional acquisition, inadvertent disclosure, or inability to retain), they can be considered mitigating factors that may remove the obligation to report.
- Notifying the Necessary Parties: If a breach is confirmed and no exceptions apply, it’s considered a reportable event, and the organization must follow the Breach Notification Rule to notify the affected individuals, the HHS, and in some cases, local media.
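The four steps above, together with the thresholds and deadlines listed under the Breach Notification Rule, form a decision procedure that can be written down precisely. The following Python helper is an added example, not part of the original article or of any Lazarus Alliance tooling; the `Incident` and `Determination` types, field names, and exception labels are assumptions chosen for illustration, and the sample incidents are constructed. It encodes the page's rules: secured (encrypted) PHI and the three exceptions take an incident out of the "breach of unsecured PHI" category; a confirmed breach starts a 60-day clock from discovery; 500 or more affected individuals triggers immediate HHS notification (otherwise annual reporting); 500 or more in one state or jurisdiction triggers media notification; and every breach goes in the breach log. Individual notification is modelled as required for every confirmed breach of unsecured PHI, which is how 45 CFR 164.404 applies it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and deadlines from the Breach Notification Rule as summarised above.
NOTIFICATION_DEADLINE_DAYS = 60   # "without unreasonable delay", no later than 60 days
LARGE_BREACH_THRESHOLD = 500      # individuals; triggers immediate HHS notice and media notice

# Assumed labels for the three exceptions described in the article.
EXCEPTIONS = {
    "unintentional_acquisition": "unintentional acquisition within routine authorized duties, not further disclosed",
    "inability_to_retain": "recipient could not reasonably have retained the information",
    "inadvertent_disclosure": "inadvertent disclosure to another person at the same facility under the same rules",
}


@dataclass
class Incident:
    """Facts gathered during incident investigation (hypothetical structure)."""
    phi_involved: bool
    phi_secured: bool                    # encrypted/otherwise unusable to unauthorized persons
    individuals_affected: int
    discovered_on: date                  # first day known (or reasonably knowable) to any employee or agent
    exception: Optional[str] = None      # one of EXCEPTIONS, or None
    max_in_one_jurisdiction: int = 0     # largest count of affected residents in a single state/jurisdiction


@dataclass
class Determination:
    reportable: bool
    reason: str
    document_incident: bool = True       # every security incident is documented, reportable or not
    notify_individuals_by: Optional[date] = None
    notify_hhs_by: Optional[date] = None # None together with hhs_annual=True means annual submission
    hhs_annual: bool = False
    notify_media: bool = False
    log_entry_required: bool = False     # breach log covers all breaches, including those under 500


def assess(incident: Incident) -> Determination:
    """Apply the identification steps in order: incident -> unsecured PHI -> exceptions -> notifications."""
    if not incident.phi_involved:
        return Determination(False, "no PHI involved: security incident only")
    if incident.phi_secured:
        return Determination(False, "PHI was secured (e.g. encrypted): not a breach of unsecured PHI")
    if incident.exception is not None:
        if incident.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception label: {incident.exception}")
        return Determination(False, f"exception applies: {EXCEPTIONS[incident.exception]}")

    # Confirmed breach of unsecured PHI with no exception: a reportable event.
    deadline = incident.discovered_on + timedelta(days=NOTIFICATION_DEADLINE_DAYS)
    large = incident.individuals_affected >= LARGE_BREACH_THRESHOLD
    return Determination(
        reportable=True,
        reason="breach of unsecured PHI with no exception",
        notify_individuals_by=deadline,
        notify_hhs_by=deadline if large else None,
        hhs_annual=not large,
        notify_media=incident.max_in_one_jurisdiction >= LARGE_BREACH_THRESHOLD,
        log_entry_required=True,
    )


def sample_incidents() -> dict:
    """Constructed scenarios mirroring the article's examples (not real cases)."""
    return {
        "stolen_unencrypted_laptop": Incident(True, False, 1200, date(2024, 1, 10),
                                              max_in_one_jurisdiction=800),
        "stolen_encrypted_laptop": Incident(True, True, 1200, date(2024, 1, 10)),
        "misdirected_fax_small": Incident(True, False, 40, date(2024, 1, 10),
                                          max_in_one_jurisdiction=40),
        "wrong_colleague_same_clinic": Incident(True, False, 1, date(2024, 1, 10),
                                                exception="inadvertent_disclosure"),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        d = assess(inc)
        print(f"{name}: reportable={d.reportable}; {d.reason}")
        if d.reportable:
            print(f"  individuals by {d.notify_individuals_by}, HHS by "
                  f"{d.notify_hhs_by or 'annual report'}, media={d.notify_media}")
```

The ordering of checks matters: the encryption and exception tests come before any deadline arithmetic, so an incident that never rises to a breach of unsecured PHI produces no notification dates at all, while still being marked for documentation. The 60-day value is an outer limit, not a target; the rule's "without unreasonable delay" language means the computed date is the latest acceptable point, not the planned one.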
Always Be Prepared for HIPAA Breaches with Lazarus Alliance
Security incidents and breaches occur. It is a fact of business, but the difference between a low-stress security incident and a breach that could cost your company significantly is a commitment to HIPAA's reporting and notification requirements.
Fill out this form to learn more about how Lazarus Alliance can help you with HIPAA compliance.