By:  Jennifer Kirschenbaum, Esq.

It is no surprise to read that medical practices have an obligation to maintain protected health information in certain ways and to only use and disclose such protected health information as authorized by the patient or otherwise by law.  Such requirements are set forth under the Privacy Rule.   What you may be surprised to read is that when protected health information is not maintained by a medical practice in accordance with HIPAA, notification to the patient or other sources is required pursuant to the Breach Notification Rule (45 CFR Part 164).  You may not be aware of the Breach Notification Rule because it was part of proposed modifications set forth several years ago, and many practices did not adopt the requirements of the Breach Notification Rule because the statute at that time had not been written with many teeth.

However, the Final Rule promulgated on January 25, 2013 not only modifies the Breach Notification Rule, but also incorporates significant enforcement provisions should a breach occur and not be dealt with appropriately by the practice.    Effective September 23, 2013 every medical practice is required to notify an individual of an acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule, unless the practice demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment. 

The risk assessment should address the following factors:

(i) The nature and extent of the protected health information involved;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated. 45 CFR 164.402.

Notification is required at several levels, as follows: (i) to the individual; (ii) to the media; and (iii) to the Secretary.  Each requirement will be addressed in turn below.

To the individual - Notification to the individual is required where it has been determined after a risk assessment that protected health information has been, or is reasonably believed by the practice to have been, accessed, acquired, used, or disclosed as a result of such breach. A breach shall be treated as discovered by the practice on the first day on which such breach is actually known to the practice or, by exercising reasonable diligence, would have been known to the practice. That is, the breach is treated as known to the practice if it is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity. Notification to the individual is required no later than 60 calendar days after discovery of a breach, and in the notification the practice is required to provide, to the extent possible, the following:

(A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

(C) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

(D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and

(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

Notification is required to be in writing by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. If the practice knows the individual is deceased and has the address of next of kin or personal representative of the individual, written notification is to be provided by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.

In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual, substitute notice may be provided. Where more than 10 individuals are affected, substitute notice may be in the form of either a conspicuous posting for a period of 90 days on the home page of the website of the practice, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; the notice is to include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach. See 45 CFR 164.404.

To the media - Where more than 500 residents of a State or jurisdiction are involved in a given breach of protected health information, the practice is required to notify prominent media outlets serving the State or jurisdiction within 60 calendar days after discovery of a breach. See 45 CFR 164.406.

To the Secretary - The practice must notify the Secretary where a breach occurs involving 500 or more individuals, in the manner and form as specified on the HHS website. For all breaches involving fewer than 500 individuals, the practice shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide notification to the Secretary in the manner specified on the HHS website. See 45 CFR 164.408.

In addition to the foregoing, Business Associates are required to report the discovery of a breach to the practice within 60 calendar days.  See 45 CFR 164.410.

Failure to abide by the Breach Notification Rule opens the practice to substantial liability.  The recent modifications to HIPAA allow for the imposition of civil monetary penalties for any entity or individual in violation of any HIPAA requirement, including the Breach Notification Rule, which is why it is imperative to understand and implement the requirements of the Breach Notification Rule.  Implementation requires that the policies, procedures and contracts of the practice reflect the requirements of the Breach Notification Rule. 

To discuss your practice's compliance needs contact Jennifer Kirschenbaum, Esq. at (516) 747-6700 x. 302 or at