HIPAA HITECH Breach Notification Requirements

Posted by BAS - 02 August, 2012

As we have reported in prior articles, the HITECH Amendments to HIPAA require covered entities to provide notice to an individual if the covered entity determines that the individual’s unsecured, electronic Protected Health Information (PHI) has been breached. The determination of a breach is made according to standards set forth in the HITECH amendment.

If there is a breach of unsecured, electronic PHI, the individual must receive notice of the breach as soon as reasonably possible, but no later than 60 days after the date the breach is discovered, even if discovered by someone other than the covered entity. BAS can assist with distributing any required breach notification communications.

The notice must be written in plain English and must contain:

a) A description of the breach,

b) Detail of the unsecured, electronic PHI that was compromised,

c) Action taken to prevent harm,

d) A description of the covered entity’s action to investigate and/or mitigate any harm, and

e) Contact information for follow-up questions.

The notice should be sent by first class mail, but may be sent electronically if the individual has previously agreed to receive notification by email. If the covered entity does not have sufficient contact information or has outdated contact information for the individual (frequently referred to as a “lost” individual), notice may be provided by alternate methods, depending on the number of lost individuals. For 10 or more lost individuals, a covered entity can meet the notification requirements by posting the notice on the covered entity’s home page or providing notice to major print and broadcast media in the areas where affected individuals are likely to be residing. For 9 or fewer lost individuals, the covered entity may provide substitute notice by other reasonable means, including telephone.

Breach notification can be a time-sensitive process. Having established policies, procedures and sample notifications in place can greatly assist in meeting notification deadlines.

If you have any questions about HIPAA Breach Notifications, please contact us at PR@BASusa.com.

Topics: MyEnroll360 Security

