Natural Disasters and the HIPAA Breach Notification Rule
When a dental practice covered by HIPAA discovers a breach of unsecured protected health information,1 the practice must notify affected individuals, the federal government, and, in some cases, the media. State law may also require the dental practice to provide notification when a data breach involves certain kinds of information (such as social security numbers, credit card numbers, or driver’s license numbers), whether or not the practice is covered by HIPAA.
A natural disaster can lead to a breach requiring such notification. For example, tornadoes have damaged dental offices and scattered paper patient records. A disaster could also result in the loss of an unsecured laptop or other electronic device containing patient information. HIPAA requires notification without unreasonable delay and in no case later than 60 calendar days after discovering the breach. State law may require even faster notice. Even a dental practice overwhelmed by a disaster must still meet its notification obligations, or risk the legal consequences of noncompliance.
HIPAA compliance obligations change from time to time and depend on the specific facts and circumstances. In addition, covered dental practices must also comply with applicable state law; for example, HIPAA does not preempt state law that is more stringent than HIPAA. The following general information is intended to help dental practices and state dental societies better understand some of the compliance obligations that may come into play in the aftermath of a natural disaster. This information is not intended as, nor is it a substitute for, legal advice. Dental practices and dental societies must consult a qualified attorney in the appropriate jurisdiction for legal advice.
Unsecured protected health information
The HIPAA Breach Notification Rule applies to “unsecured” protected health information. Electronic protected health information is secured if it is properly encrypted.2 Paper and other hard copy information (such as photographs and films) cannot be secured for breach notification purposes except through appropriate destruction (e.g., shredding or destroying so that the information can no longer be read or reconstructed).
Although locking up hard copy protected health information to prevent unauthorized access does not “secure” the information under the Breach Notification Rule, the Privacy Rule requires appropriate safeguards for protected health information in all formats (such as electronic, hard copy, and oral information), and such safeguards may reduce the likelihood of unauthorized access that can result in a breach.
A “breach” occurs when unsecured protected health information is acquired, accessed, used or disclosed in a manner that is not permitted by the HIPAA Privacy Rule and that compromises the security or privacy of the protected health information. There are three exceptions to the definition of a breach.3 Examples of breaches include:
- paper patient records are lost or stolen
- an unsecured laptop or USB drive containing patient information is lost or stolen
- a business associate notifies a covered dental practice that the business associate has discovered a breach of unsecured patient information4
- an unauthorized person acquires or views a patient record and the incident does not fall within an exception to the definition of a breach
Prior to March 26, 2013, a covered entity was required to conduct a written risk assessment of a suspected breach of unsecured protected health information, and to provide breach notification unless the impermissible acquisition, access, use or disclosure did not pose a significant risk of financial, reputational or other harm to the individual. This is known as the “harm standard.”
Effective March 26, 2013, the HIPAA Breach Notification Rule was revised. Under the new rule, every impermissible use or disclosure of protected health information is presumed to be a breach, so a covered dental practice may simply choose to notify without evaluating the probability of compromise. Otherwise, a covered dental practice must send breach notification unless it can demonstrate that there is a low probability that the information was compromised, based on an assessment of the relevant factors including, at a minimum, the following four factors:
- The nature and extent of the patient information involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the patient information or to whom the disclosure was made
- Whether the patient information was actually acquired or viewed, and
- The extent to which the risk to the patient information has been mitigated
This is known as the “compromise standard.” Covered dental practices must be in compliance with the new rule no later than September 23, 2013.
Providing notice to affected individuals
HIPAA generally requires that a covered dental practice notify affected individuals of a breach of unsecured protected health information via first class mail, and that certain information be included in the notification. The notification must be in plain language and must include the following information, to the extent possible:
(A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(C) Any steps individuals should take to protect themselves from potential harm resulting from the breach;
(D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.
Applicable state data breach law may require additional or different content in the notification, and may require additional parties to be notified (e.g., the state attorney general).
Timeframe for notification
If notification is required, HIPAA requires that notification be provided to affected individuals without unreasonable delay and in no case later than 60 calendar days after the covered dental practice discovers the breach. HIPAA generally does not preempt applicable state law that requires faster notification.
A dental practice must provide notification to the federal government within the timeframe for notifying individuals if the breach involves 500 or more individuals. The dental practice must notify the federal government annually of any breaches involving fewer than 500 individuals.5
A HIPAA breach could require use of the media in two situations:
- If the breach involves more than 500 residents of a state or jurisdiction, a covered dental practice must notify prominent media outlets serving the state or jurisdiction. Such media notice must include the same information as the notification to individuals, and is generally provided in the form of a press release.
- If a covered dental practice has insufficient or out-of-date contact information for 10 or more individuals affected by the breach, then the dental practice must provide “substitute notice” by either:
- a conspicuous posting for a period of 90 days on the home page of the dental practice’s website, or
- providing conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside (this is generally done through a purchased notice).
Substitute notice for 10 or more individuals must include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach.
Note that if a covered dental practice has insufficient or out-of-date contact information for fewer than 10 individuals, HIPAA requires the practice to provide substitute notice by an alternative form of written notice, telephone, or other means.
Opportunities for state dental associations to assist members and the public in a natural disaster
When a natural disaster strikes, a state dental association may provide help to members and the public in a number of ways, including assistance with breach notification. Keep in mind that if the state association will have access to patient information (such as names, addresses, etc.) the association will likely be considered a business associate of the covered dental practices. A compliant business associate agreement6 must be in place between the association and each covered practice, and the state association must comply with both the agreement and with applicable HIPAA provisions.7 If the state association has access to certain categories of information about individuals, such as social security numbers, the association may also be required to comply with applicable state laws, such as state laws regarding data security and breach notification.
Here are some examples of ways that a state association might help dental practices with breach notification in the event of a natural disaster:
- Provide information about HIPAA and applicable state breach notification and data security laws
- Provide the written notice to affected individuals on behalf of covered dental practices
- On behalf of covered dental practices that have insufficient or out-of-date contact information for 10 or more individuals affected by a breach, make substitute notice to the media and/or provide substitute notice on the dental association website (provided that the website of each of the covered dental practices includes a prominent link regarding the breach that takes patients to the dental association web page).
- Maintain the toll-free number on behalf of covered dental practices.
Don’t wait for a natural disaster: contingency planning and appropriate safeguards
The HIPAA Security Rule requires covered dental practices to establish, and implement as needed, a contingency plan for responding to an emergency or other occurrence such as fire, vandalism, system failure and natural disaster that damages systems that contain electronic patient information. Examples of contingency plan requirements include a data backup plan, disaster recovery plan to restore lost data, and an emergency mode operation plan.
The HIPAA Privacy Rule requires covered practices to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of all forms of protected health information. Appropriate safeguards may include policies and procedures for responding to natural disasters that may compromise the privacy of hard copy, electronic and oral patient information.
Before disaster strikes, a dental practice may be able to help protect patient information from compromise, and protect the dental practice from breach notification obligations and potential HIPAA and state data security law violations, through contingency planning and appropriate safeguards.
The HIPAA Breach Notification Decision Tree in Appendix A provides a simplified illustration of some of the decision steps that a dental practice might take to determine how to respond to a suspected breach of patient information; for example, if patient records are lost or scattered as a result of a natural disaster. Note that the decision tree does not define terms used in the Breach Notification Rule, such as “unsecured” and “breach.” Note also that the decision tree follows the compromise standard which is effective March 26, 2013 (covered entities must comply by September 23, 2013). The compromise standard replaces the harm standard in the 2009 Breach Notification Interim Final Rule.
The ADA has resources to help dentists meet HIPAA requirements and reduce their HIPAA-associated business risks. Visit the ADA Catalog online at adacatalog.org or call the ADA Member Service Center at 800.947.4746 for information about HIPAA compliance resources.
For information about the HIPAA Breach Notification Rule from the U.S. Department of Health and Human Services, see Office for Civil Rights, Breach Notification.