Natural Disasters & the HIPAA Breach Notification Rule
When a dental practice covered by HIPAA discovers a breach of unsecured protected health information,[1] the practice must notify affected individuals, the federal government, and, in some cases, the media. State law may also require the dental practice to provide notification when a data breach involves certain kinds of information (such as social security numbers, credit card numbers, or driver's license numbers), whether or not the practice is covered by HIPAA.
A natural disaster can lead to a breach requiring such notification. For example, tornadoes have damaged dental offices and scattered paper patient records. A disaster could also result in the loss of an unsecured laptop or other electronic device containing patient information. HIPAA requires notification without unreasonable delay and in no case later than 60 calendar days after discovering the breach. State law may require even faster notice. A dental practice overwhelmed by a disaster may be forced to comply with notification obligations or risk the legal consequences of noncompliance.
HIPAA compliance obligations change from time to time and depend on the specific facts and circumstances. In addition, covered dental practices must also comply with applicable state law; for example, HIPAA does not preempt state law that is more stringent than HIPAA. The following general information is intended to help dental practices and state dental societies better understand some of the compliance obligations that may come into play in the aftermath of a natural disaster. This information is not intended as, nor is it a substitute for, legal advice. Dental practices and dental societies must consult a qualified attorney in the appropriate jurisdiction for legal advice.
Unsecured protected health information
The HIPAA Breach Notification Rule applies to "unsecured" protected health information. Electronic protected health information is secured if it is properly encrypted.[2] Paper and other hard copy information (such as photographs and films) cannot be secured for breach notification purposes except through appropriate destruction (e.g., shredding or destroying so that the information can no longer be read or reconstructed).
Although locking up hard copy protected health information to prevent unauthorized access does not "secure" the information under the Breach Notification Rule, the Privacy Rule requires appropriate safeguards for protected health information in all formats (such as electronic, hard copy, and oral information), and such safeguards may reduce the likelihood of unauthorized access that can result in a breach.
A "breach" occurs when unsecured protected health information is acquired, accessed, used or disclosed in a manner that is not permitted by the HIPAA Privacy Rule and that compromises the security or privacy of the protected health information. There are three exceptions to the definition of a breach.[3] Examples of breaches include:
- paper patient records are lost or stolen
- unsecured laptop or USB drive containing patient information is lost or stolen
- a business associate notifies a covered dental practice that the business associate has discovered a breach of unsecured patient information[4]
- an unauthorized person acquires or views a patient record and the incident does not fall within an exception to the definition of a breach
Prior to March 26, 2013, a covered entity was required to conduct a written risk assessment of a suspected breach of unsecured protected health information, and to provide breach notification unless the impermissible acquisition, access, use or disclosure did not pose a significant risk of financial, reputational or other harm to the individual. This is known as the "harm standard."
Effective March 26, 2013, the HIPAA Breach Notification Rule was revised. Under the new rule, there is a presumption that a breach has occurred following every impermissible use or disclosure of protected health information, so a covered dental practice may simply choose to notify without assessing the probability that the information was compromised. A covered dental practice must send breach notification unless it can show that there is a low probability that the information was compromised, based on an assessment of the relevant factors including, at a minimum, the following four factors:
- The nature and extent of the patient information involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the patient information or to whom the disclosure was made
- Whether the patient information was actually acquired or viewed, and
- The extent to which the risk to the patient information has been mitigated
This is known as the "compromise standard." Covered dental practices must be in compliance with the new rule no later than September 23, 2013.
Providing notice to affected individuals
HIPAA generally requires that a covered dental practice notify affected individuals of a breach of unsecured protected health information via first class mail, and that certain information be included in the notification. The notification must be in plain language and must include the following information, to the extent possible:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website, or postal address.
- Applicable state data breach law may require additional or different content in the notification, and may require additional parties to be notified (e.g., the state attorney general).
Timeframe for notification
If notification is required, HIPAA requires that notification be provided to affected individuals without unreasonable delay and in no case later than 60 calendar days after the covered dental practice discovers the breach. HIPAA generally does not preempt applicable state law that requires faster notification.
A dental practice must provide notification to the federal government within the timeframe for notifying individuals if the breach involves 500 or more individuals. The dental practice must notify the federal government annually of any breaches involving fewer than 500 individuals.[5]
A HIPAA breach could require use of the media in two situations:
- If the breach involves more than 500 residents of a state or jurisdiction, a covered dental practice must notify prominent media outlets serving the state or jurisdiction. Such media notice must include the same information as the notification to individuals, and is generally provided in the form of a press release.
- If a covered dental practice has insufficient or out-of-date contact information for 10 or more individuals affected by the breach, then the dental practice must provide "substitute notice" by either:
  - a conspicuous posting for a period of 90 days on the home page of the dental practice's website, or
  - providing conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside (this is generally done through a purchased notice).
Substitute notice for 10 or more individuals must include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach.
Note that if a covered dental practice has insufficient or out-of-date contact information for fewer than 10 individuals, HIPAA requires the practice to provide substitute notice by an alternative form of written notice, telephone, or other means.
Opportunities for state dental associations to assist members and the public in a natural disaster
When a natural disaster strikes, a state dental association may provide help to members and the public in a number of ways, including assistance with breach notification. Keep in mind that if the state association will have access to patient information (such as names, addresses, etc.) the association will likely be considered a business associate of the covered dental practices. A compliant business associate agreement[6] must be in place between the association and each covered practice, and the state association must comply with both the agreement and with applicable HIPAA provisions.[7] If the state association has access to certain categories of information about individuals, such as social security numbers, the association may also be required to comply with applicable state laws, such as state laws regarding data security and breach notification.
Here are some examples of ways that a state association might help dental practices with breach notification in the event of a natural disaster:
- Provide information about HIPAA and applicable state breach notification and data security laws
- Provide the written notice to affected individuals on behalf of covered dental practices
- On behalf of covered dental practices that have insufficient or out-of-date contact information for 10 or more individuals affected by a breach, make substitute notice to the media and/or provide substitute notice on the dental association website (provided that the website of each of the covered dental practices includes a prominent link regarding the breach that takes patients to the dental association webpage).
- Maintain the toll-free number on behalf of covered dental practices.
Don't wait for a natural disaster: contingency planning and appropriate safeguards
The HIPAA Security Rule requires covered dental practices to establish, and implement as needed, a contingency plan for responding to an emergency or other occurrence such as fire, vandalism, system failure and natural disaster that damages systems that contain electronic patient information. Examples of contingency plan requirements include a data backup plan, disaster recovery plan to restore lost data, and an emergency mode operation plan.
The HIPAA Privacy Rule requires covered practices to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of all forms of protected health information. Appropriate safeguards may include policies and procedures for responding to natural disasters that may compromise the privacy of hard copy, electronic and oral patient information.
Before disaster strikes, a dental practice may be able to help protect patient information from compromise, and protect the dental practice from breach notification obligations and potential HIPAA and state data security law violations, through contingency planning and appropriate safeguards.
The HIPAA Breach Notification Decision Tree in Appendix A provides a simplified illustration of some of the decision steps that a dental practice might take to determine how to respond to a suspected breach of patient information; for example, if patient records are lost or scattered as a result of a natural disaster. Note that the decision tree does not define terms used in the Breach Notification Rule, such as "unsecured" and "breach." Note also that the decision tree follows the compromise standard, which became effective March 26, 2013 (covered entities must comply by September 23, 2013). The compromise standard replaces the harm standard in the 2009 Breach Notification Interim Final Rule.
The ADA has resources to help dentists meet HIPAA requirements and reduce their HIPAA-associated business risks. Visit the ADA Catalog or call the ADA Member Service Center at 800.947.4746 for information about HIPAA compliance resources.
For information about the HIPAA Breach Notification Rule from the U.S. Department of Health and Human Services, see Office for Civil Rights, Breach Notification.
[1] "Protected health information" generally includes the patient dental records and billing records in a covered dental practice, but it may also include any information about health condition, treatment, or payment for health care that was created or received by the dental practice that identifies a patient or that could be used to identify a patient.
[2] For more information about securing protected health information, visit Office for Civil Rights, Breach Notification Rule at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html, and click on "Unsecured Protected Health Information and Guidance."
[3] See Electronic Code of Federal Regulations.
[4] The HIPAA definition of a "business associate" generally includes outside persons or entities that provide to a covered dental practice services involving patient information. The Breach Notification Rule requires a business associate that discovers a breach of unsecured protected health information to notify the dental practice. The dental practice must provide the required notices to affected individuals, the federal government, and, if applicable, the media, unless the business associate agreement makes the business associate responsible for doing so.
[5] Notification must be provided to the Office for Civil Rights, the agency of the U.S. Department of Health and Human Services that is responsible for enforcing HIPAA. See instructions on notifying the Office for Civil Rights.
[6] A sample business associate agreement is available on the website of the Office for Civil Rights.
[7] The 2013 Omnibus Final Rule requires business associates to comply with many parts of HIPAA (including most of the Security Rule), and the government can directly impose penalties on business associates and subcontractors.
The foregoing was prepared by the ADA Division of Legal Affairs. Its purpose is to promote awareness of legal issues that may affect dentists and dental practices. This document is not intended to provide either legal or professional advice, and cannot address every federal, state, and local law that could affect a dentist or dental practice. Because the law varies from jurisdiction to jurisdiction, and sometimes changes more rapidly than these materials, we make no representations or warranties of any kind about the completeness, accuracy, or any other quality of the information in the above piece. Nothing here represents advice or opinion as to any particular situation you may be facing; for that, it is necessary to consult directly with a properly qualified professional or with an attorney admitted to practice in your jurisdiction for appropriate legal or professional advice. To the extent the above includes links to any websites, the ADA intends no endorsement of their content and implies no affiliation with the organizations that provide their content. Nor does the ADA make any representations or warranties about the information provided on those sites, which we do not control in any way.
© 2013 American Dental Association. All Rights Reserved. Reproduction of this material by member dentists and their staff for use in the dental office is permitted. Any other use, duplication or distribution by any other party requires the prior written approval of the American Dental Association.
Rev. June 7, 2013