For health care providers nationwide, few laws raise more compliance concerns than the Health Insurance Portability and Accountability Act (HIPAA). Enacted in 1996, HIPAA changed the way that health care providers managed virtually all aspects of their businesses; and constant updates and new regulations over the past 20-plus years have forced all types of providers to regularly reevaluate and revise their HIPAA compliance programs.
One of the most notable additions to the HIPAA compliance regime is the Breach Notification Rule (45 CFR Sections 164.400-414), which took effect in 2009 and underwent substantial revisions in 2013. Under the Breach Notification Rule, when a health care provider experiences a breach of confidentiality affecting protected health information (PHI), the provider must affirmatively demonstrate to the U.S. Department of Health and Human Services (DHHS) that it has taken adequate steps to remedy the breach. Proving adequate remedial efforts can prevent (or at least mitigate) liability for the breach, while failing to undertake the necessary steps in a timely manner can lead to substantial consequences.
Understanding HIPAA’s Breach Notification Rule
The Federal Privacy Council (FPC) briefly summarizes the HIPAA Breach Notification Rule (and related statutory provisions that apply to third-party service providers) as follows:
“The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of [Health Information Technology for Economic and Clinical Health (HITECH) Act] and the Genetic Information Nondiscrimination Act (GINA).”
The full text of the rule, however, shows that there is much more that health care providers need to know. The breach notification requirement is spelled out in Section 164.404(a):
“A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”
Interpreting this obligation requires further understanding of the defined terms used in the regulatory language. These terms include:
- “Breach” – Section 164.402 of the Breach Notification Rule defines a breach as, “the acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . which compromises the security or privacy of the protected health information. . . . For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”
- “Covered Entity” – Under HIPAA, covered entities include health care providers (such as doctors, clinics, nursing homes, and pharmacies); health plans (including health insurance companies, HMOs, company health plans, and government benefit programs); and health care clearinghouses.
- “Protected Health Information” – 45 CFR Section 160.103 under HIPAA defines protected health information as, “individually identifiable health information transmitted or maintained by a covered entity or its business associates in any form or medium.”
- “Unsecured Protected Health Information” – Section 164.402 of the Breach Notification Rule defines unsecured protected health information as, “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111–5 on the HHS Web site.”
Clearly, there are still some holes left to be filled. But, for purposes of a general overview of what health care providers need to know about breach notification under HIPAA, these definitions help to clarify both (i) which health care providers are subject to HIPAA’s Breach Notification Rule, and (ii) when breach notification is required.
Disclosure Obligations Under HIPAA’s Breach Notification Rule
If you experience a breach of unsecured protected health information, what are your obligations under HIPAA? Following a breach, health care providers must provide notice to: (i) affected patients, (ii) the Secretary of DHHS, and (iii) in certain circumstances, the media.
1. Notification to Affected Patients
In all cases, covered entities must provide notice to the patients whose protected health information has been compromised. Generally speaking, this notice must be provided by first-class mail, or by email if a patient has consented to electronic notifications. However, there are various special requirements and conditions that apply. For example:
- All affected patients must be notified “without unreasonable delay,” and in any case within 60 days of discovery of the breach.
- If a covered entity lacks current contact information for fewer than 10 affected patients, it must provide substitute notice in an alternate written form, by telephone, or by other suitable means.
- If a covered entity lacks current contact information for 10 or more affected patients, it must provide substitute notice on its home page for at least 90 days or in “major print or broadcast media where the affected individuals likely reside.”
- All notices must include: (i) a description of the breach, (ii) a description of the types of information that were compromised, (iii) steps patients can take to protect themselves, and (iv) a summary of the covered entity’s response.
2. Notification to the Secretary of DHHS
Notification to the Secretary of DHHS must be done through the electronic submission form on DHHS’s website. Any breach affecting 500 or more patients must be reported to DHHS within 60 days, while breaches affecting fewer than 500 patients can be reported on an annual basis within 60 days of the end of the calendar year.
3. Notification to the Media
In the case of a large-scale breach, a covered entity may have a legal obligation to disclose the breach to the media as well. As summarized by DHHS:
“Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.”
Penalties for HIPAA Breach Notification Violations
HIPAA includes both civil and criminal enforcement provisions, and these provisions apply to breach notification violations as well as other violations of the law. The penalty structure under HIPAA is outlined below.
Criminal Penalties Under HIPAA
The following criminal penalties apply if an entity or individual discloses a covered entity’s protected health information without authorization:
- Knowingly obtaining PHI in violation of the law: $50,000 fine and one year in prison
- Committing a violation under false pretenses: $100,000 fine and five years in prison
- Committing a violation for commercial gain, personal gain, or malicious harm: $250,000 fine and 10 years in prison
Civil Penalties Under HIPAA
Many alleged breach notification violations are prosecuted as civil infractions, and if your business or practice is exposed due to a PHI breach (or an inadequate response), it is critical to hire experienced legal counsel who can seek to keep your case civil in nature. The potential civil penalties under HIPAA include:
- Did not know and did not have reason to know of the violation: $100 to $50,000 fine per violation up to $1.5 million per year
- Violation due to reasonable cause: $1,000 to $50,000 fine per violation up to $1.5 million per year
- Violation due to willful neglect corrected within 30 days: $10,000 to $50,000 fine per violation up to $1.5 million per year
- Violation due to willful neglect not corrected within 30 days: A minimum $50,000 fine per violation up to $1.5 million per year
DHHS has indicated that both, “[failure] to implement any policies and procedures to reasonably and appropriately safeguard [protected health information],” and “[failure] . . . to respond to incidents as required by [the Breach Notification Rule],” may be considered “willful neglect” for purposes of the civil penalty structure under HIPAA.
Tips for Avoiding Liability Due to HIPAA Breach Notification Violations
What can you do to avoid the risk of criminal or civil liability as a result of a breach of protected health information? While all covered entities should adopt comprehensive compliance programs that are custom-tailored to their unique operations, infrastructure, and field of practice, there are some general tips that apply across the board.
- Don’t just have HIPAA compliance policies; actively update them and communicate them within your organization.
- Ensure that all personnel receive adequate training on HIPAA compliance and on your organization’s obligations regarding the protection of PHI.
- Take all potential breaches seriously, and do not dismiss a potential threat until it has been fully resolved.
- If a breach is discovered, take immediate action. Do not wait for the 60-day notification deadline to approach, and do not underestimate the consequences of an inadequate response.
- Seek help from a health care law firm with specific experience in HIPAA-related matters and in civil and criminal enforcement proceedings involving DHHS.
Contact a HIPAA Compliance Attorney
If you would like more information about your health care business’s privacy breach notification duties under HIPAA, you can contact Oberheiden, P.C. for a free consultation. To speak with one of our experienced health care law attorneys in confidence, please call (888) 452-2503 or request an appointment online today.