When a practice suffers a breach of unsecured Protected Health Information (PHI), it must notify the affected patients, the Department of Health and Human Services (HHS) and, in some cases, the media. The timing is critical, and the deadlines run from the date the breach is discovered, not from the date the investigation concludes. This month we review the notification requirements.
Patient Notification
You must provide notice to each affected patient in writing by first-class mail, or by e-mail if the patient has agreed to receive such notices electronically. If you have insufficient or out-of-date contact information for 10 or more individuals, you must provide substitute notice either by posting the notice conspicuously on the home page of your practice web site for at least 90 days or by placing it in major print or broadcast media serving the area where the affected individuals likely reside. If the bad contact information is for fewer than 10 individuals, you may provide substitute notice by telephone or other means.
These patient notifications must be sent without unreasonable delay and no later than 60 calendar days after the discovery of the breach. The letter must include a brief description of what happened (including the date of the breach and the date of discovery, if known), a description of the types of information involved, the steps patients should take to protect themselves from potential harm, a brief description of what you are doing to investigate the breach, mitigate the harm and prevent further breaches, and contact information for questions. Substitute notice to 10 or more individuals (the web posting or media notice described above) must also include a toll-free phone number, active for at least 90 days, that patients can call to find out whether their information was involved.
When the breach occurs at or by a business associate, the business associate must report it to the covered entity without unreasonable delay and no later than 60 days after discovery. The covered entity remains ultimately responsible for ensuring that individuals are notified, but it may delegate the task of sending individual notices to the business associate. Covered entities and business associates should consider which party is in the best position to provide notice, which will depend on the circumstances. It helps to spell out these responsibilities, including how quickly the business associate must report a breach, in the Business Associate Agreement.
Media Notice
If a breach affects more than 500 residents of a state or jurisdiction, in addition to notifying the affected patients you must notify prominent media outlets serving the affected area. The usual method is a press release. Like the individual notice, the media notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, and it must contain the same information required in the individual notice.
Health and Human Services Notification
In addition to notifying affected individuals and, where required, the media, covered entities must notify HHS by completing and electronically submitting the breach report form on the HHS web site. If a breach affects 500 or more individuals, HHS must be notified at the same time as the individuals, and in no case later than 60 days after discovery of the breach. Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered (as of March 1, 2016); each such breach is reported separately on the same form.
Next month we will discuss the notification letter in more detail.