You Got Breached. Now What? A Guide to HIPAA Breach Notification
Nobody plans on getting breached. But after the year we've had, every healthcare practice should understand what happens if they do. HIPAA's Breach Notification Rule has specific requirements about who you notify, how quickly, and what information you must include.
Getting this wrong can turn a manageable incident into a compliance disaster. Here's the playbook.
What Counts as a Breach
Under HIPAA, a breach is any unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) that compromises its security or privacy. That includes:
- A stolen laptop with unencrypted patient data
- A ransomware attack that encrypts your database
- An employee accessing records they shouldn't
- Misdirected emails containing patient information
- A lost USB drive with patient files
- A hacker gaining access to your practice management system (PMS)
There are exceptions for unintentional access by authorized personnel, but in general, if PHI was exposed to someone who shouldn't have seen it, it's a breach.
Who You Notify
Affected Individuals
You must notify every individual whose PHI was compromised, in writing, via first-class mail (or email if the patient has agreed to electronic communication). The notification must include: what happened, what data was involved, what you're doing about it, what the individual can do to protect themselves, and contact information for questions.
HHS (Department of Health and Human Services)
All breaches must be reported to HHS through its online portal. For breaches affecting fewer than 500 individuals, you can report annually (by March 1 of the following year). For breaches affecting 500 or more, you must report within 60 days.
Media
If the breach affects more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets in that area. For most dental practices, this threshold is unlikely, but it's worth knowing about.
The Timeline
Individual notifications must be sent within 60 days of discovering the breach. Not 60 days from when the breach occurred, but from when you discovered it (or should have discovered it with reasonable diligence).
This means you need to detect breaches quickly. If ransomware hits your server and you don't notice for three weeks because nobody checked, the clock is treated as having started when the attack happened, provided reasonable monitoring would have caught it at that point.
The Risk Assessment Exception
Not every incident requires full notification. HIPAA allows a risk assessment to determine if there's a "low probability" that PHI was compromised. The assessment considers four factors:
- The nature and extent of the PHI involved
- Who accessed or received the information
- Whether the PHI was actually viewed or acquired
- The extent to which the risk has been mitigated
If your risk assessment concludes that notification isn't required, document it thoroughly. OCR will want to see your reasoning if they ever ask.
What This Means for Your Practice
Have a plan before you need one. Know who in your practice is responsible for breach response. Have templates for notification letters. Know how to file with HHS. Document your incident response procedures.
The worst time to figure out HIPAA breach notification is when you're in the middle of an actual breach. Prepare now.