HIPAA Breach Notification Rule

Learn what legal obligations you have if there is an information breach within your practice.

A lost laptop. A stolen cell phone. A misplaced USB drive. Lost paper records.

Data breaches involving patient information can happen in these and many other ways. For example, a breach can be triggered by a hacking incident, a burglary, or a dishonest employee who uses patient information to commit identity theft. A breach can also happen if a staff member disposes of duplicate dental records in the trash, misdirects a fax, email, or letter, or gossips about a patient.

And when a dental practice's vendor discovers a breach of patient information, the dental practice may have a legal obligation to provide breach notification. Such a vendor is likely a HIPAA "business associate" with HIPAA compliance obligations of its own.

Whenever a HIPAA covered dental practice suspects that patient information might have been improperly acquired, accessed, used, or disclosed, the practice must comply with its obligations under the HIPAA Breach Notification Rule.

Preventing breaches and providing any required notification helps protect patients from financial and reputational harm and protect the practice from civil and criminal penalties and damage to its reputation.

The HIPAA Breach Notification Rule has changed in important ways effective March 26, 2013, and covered dental practices must be in compliance with the revised rule as of September 23, 2013. Covered dental practices must update their HIPAA compliance programs, including their breach notification policies and procedures, in order to comply with the new rules. This resource includes information about the changes to breach notification in the 2013 Omnibus Final Rule.


HIPAA Breach Notification Rule FAQ

In a nutshell, what does the HIPAA Breach Notification Rule require?

Here is a very simplified summary. See below for more details, and for information about terms like "protected health information," "breach" and "unsecured."

To comply with the Breach Notification Rule, a covered dental practice must:

  • Develop and implement written breach notification policies and procedures.

  • Provide timely notification of any breach of unsecured protected health information to affected individuals, the Office for Civil Rights, and in some cases the media.

  • Retain documentation for the time period required by HIPAA.


What happens if a covered dental practice's business associate discovers a breach of unsecured PHI?

A HIPAA "business associate" is generally defined as an entity (or an individual who is not a member of the dental practice's workforce) that performs a service involving PHI for the dental practice.

A business associate that discovers a breach of the dental practice's unsecured PHI must notify the dental practice of the breach without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Unless the business associate agreement assigns breach notification responsibility to the business associate, the dental practice must provide any required notification to individuals, OCR, and, if required, to the media. The covered entity must provide the notification without unreasonable delay and in no case later than 60 calendar days after "discovery" of the breach, which often occurs when the dental practice receives notice of the breach from the business associate. However, if the business associate is deemed an "agent" of the dental practice under the federal common law of agency, then the dental practice would be deemed to have discovered the breach on the date that the breach was discovered by the agent, and notification must be provided no later than 60 calendar days after the date that the agent discovered the breach (rather than the date that the agent reported the breach to the dental practice).

The business associate must give the dental practice, to the extent possible, the identity of each individual whose unsecured PHI has been breached, and any other available information that the dental practice is required to include in the notification. The business associate may give the dental practice immediate notice of the breach and follow up with the other required information as it becomes available, as long as the business associate acts without unreasonable delay and within 60 days. If a business associate obtains any of the required information after notifications have been sent (or after the 60-day period), it should still provide the information to the dental practice.

If a business associate provides a dental practice with notice of a breach involving several covered entities, the dental practice must provide notice if any of the dental practice's PHI was involved in the breach. However, while the covered dental practice is ultimately responsible for assuring that appropriate notice is dispatched, in cases where the covered entities involved are not able to determine which entity's PHI was involved in the breach, the covered entities may have the business associate provide the notification to the media on behalf of all of the covered entities.


What is a "breach"?

The HIPAA definition of a "breach" has several layers.

In general, a suspected breach occurs when PHI is accessed, acquired, used or disclosed in a way that the HIPAA Privacy Rule does not permit, which compromises the security or privacy of the PHI.

There are three exclusions from the definition of a breach, which are listed in Appendix B.

According to the OCR website:

The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

The "compromise standard." Although the definition of breach includes the words "which compromises the security or privacy" of the PHI, there is a presumption that a breach has occurred following every impermissible use or disclosure of PHI.

A covered dental practice has the discretion to provide the required breach notifications following an impermissible use or disclosure of PHI without performing a risk assessment to determine the probability that the privacy or security of the PHI was compromised.

A dental practice must send breach notification unless it can demonstrate that there is a low probability that the patient information was compromised based on an assessment of the relevant factors including, at a minimum, the following four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed, and
  4. The extent to which the risk to the PHI has been mitigated.

The assessment should be documented so that the dental practice can meet its burden of demonstrating that all notifications were made as required by the Breach Notification Rule, or that the use or disclosure did not constitute a breach.

Note about the 2013 Omnibus Final Rule. Effective March 26, 2013, the "compromise standard" discussed above replaced the "harm standard." Under the prior rule, notification was not required unless the impermissible use or disclosure posed a significant risk of financial, reputational or other harm to the individual. This was referred to as the "harm standard." Covered dental practices must be in compliance with the new "compromise standard" no later than September 23, 2013.


What is "protected health information"?

In general, protected health information (PHI) is information that (a) identifies, or can be used to identify, an individual, and (b) relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to an individual, or payment for health care.

PHI includes demographic information collected from an individual, such as name or address. PHI can be in any form, including electronic data, hard copy, or oral information. Examples of PHI include dental records, health histories, billing statements, explanations of benefits (EOBs), radiographs, and full-face photographs and comparable images that identify or that could be used to identify the patient.

The definition of PHI contains several exceptions. For example, PHI does not include employment records held by a covered dental practice in its role as an employer, or certain education records covered by the Family Educational Rights and Privacy Act.

Information is not PHI if it has been properly "de-identified." To de-identify PHI, one must remove all 18 HIPAA "identifiers" for the individual and his or her relatives, employers, or household members (see Appendix C for a simplified list of the 18 identifiers). In addition, the covered dental practice must have no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. HIPAA also has rules permitting an expert, such as a qualified statistician, to determine if PHI has been de-identified.

State law may require notification even if the information breached was not PHI.


What is the Office for Civil Rights?

The Office for Civil Rights (OCR) is an agency of the U.S. Department of Health and Human Services. OCR is responsible for federal enforcement of HIPAA Privacy, Security and Breach Notification. The OCR website provides information about HIPAA compliance.


What should go in a covered dental practice's HIPAA Breach Notification Rule policies and procedures?

If your practice is a covered entity and it has not developed policies and procedures for handling suspected breaches, it should do so without delay. Breach notification policies and procedures will vary from practice to practice because each practice is different, faces different risks and vulnerabilities, and may need to be tailored to comply with applicable state laws.

Examples of such policies and procedures include:

  • Assigning responsibility for breach notification compliance

  • Defining procedures for discovering suspected breaches

  • Defining procedures for reporting suspected breaches (e.g., to the Privacy Official)

  • Procedures for investigating suspected breaches

  • Timeframe for sending any required notifications

Workforce members must be trained to comply with the dental practice's breach notification policies and procedures, and the dental practice is required to impose sanctions for any failure to comply.

Covered dental practices must create and retain documentation demonstrating compliance with the Breach Notification Rule. Examples include written policies and procedures, training records, records of any sanctions, copies of any notification letters and press releases, and, for any notification not sent, an appropriate written risk assessment demonstrating a low probability that the PHI was compromised. Documentation must be retained for at least six years from the date of its creation, or the date when it last was in effect, whichever is later. The dental practice must provide the documentation to the government in the event of a HIPAA investigation, compliance review, or audit.

See Section 4 for sample breach notification policies and procedures.


When is PHI "unsecured"?

Notification is not required if PHI is "secured." The rules for securing PHI are listed in the Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals from the Office for Civil Rights (OCR). The OCR Guidance is in Appendix A.

To summarize some of the information in the OCR Guidance:

Electronic data can be secured through appropriately encrypting the device (such as a laptop) or the file (such as a .pdf file attached to an email), as long as the encryption process or key has not been breached. A dental practice may need to work with a technical expert who is familiar with the OCR Guidance to develop procedures for encrypting PHI in the dental office. An electronic device can also be secured by appropriately clearing, purging, or destroying the device itself.

Paper, film, or other hard copy media are secured only if they have been shredded or destroyed such that the PHI cannot be read or reconstructed. Hard copy PHI, such as paper dental records, is therefore not "secured" for purposes of the Breach Notification Rule while it is intact and readable. Protecting hard copy PHI (for example, by storing it under lock and key) can certainly help prevent a breach, but the hard copy PHI is still "unsecured," and notification is required if a breach occurs. When it is appropriate to dispose of hard copy PHI, shred or otherwise destroy the copies so that the PHI cannot be read or reconstructed.

Oral PHI cannot be "secured" for breach notification purposes.

Redacted PHI is not considered "secured." For example, if a dental practice uses a marker to cover up all of the identifiers (see Appendix C) on a hard-copy document, the document is not considered secured under the Breach Notification Rule. If a breach occurs, notification is required unless the covered dental practice can properly demonstrate a low probability of compromise (see above).

State law may require notification even if the information was secured.


Which dental practices must comply with the HIPAA Breach Notification Rule?

A dental practice is "covered" by HIPAA if the practice transmits any health information electronically in connection with a HIPAA "covered transaction." An example of a covered transaction is submitting a claim to a dental plan. A dental practice is also covered if someone else submits health information electronically on behalf of the practice (for example, a billing firm or clearinghouse).

A covered dental practice must comply with the HIPAA Privacy, Security and Breach Notification Rules. This resource only discusses compliance with the Breach Notification Rule. For more information about the other HIPAA rules, see The ADA Practical Guide to HIPAA Compliance Privacy and Security Kit, available through the ADA catalog.

For more information about whether a practice is a covered entity, see Are You a Covered Entity? (PDF) from the Center for Medicare & Medicaid Services.

HIPAA is a federal law, but many states have also enacted breach notification laws that may apply to breaches of certain information in a dental practice. All dental practices must understand and comply with applicable state breach notification laws. If an applicable state law is contrary to HIPAA and more stringent than HIPAA, a covered dental practice must comply with the state law. For example, a state breach notification law may require faster notification than HIPAA requires.


What is the HIPAA deadline for sending notification of a breach of unsecured PHI?

The HIPAA notification timeframe is short, and applicable state law may require even faster notification, so it is important to train staff to report suspected breaches immediately, and to promptly investigate all such reports to determine whether a breach of unsecured PHI has occurred.

Individuals. HIPAA requires the covered practice to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after "discovery" of the breach.


  • If state breach notification law applies to a breach of PHI, and state law requires faster notification than HIPAA, the state law would probably apply because the state law would likely be considered "more stringent" than HIPAA.

OCR. If the breach involves 500 or more individuals, a covered dental practice must notify OCR without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. For breaches that affect fewer than 500 individuals, the dental practice must log the breach and notify the Secretary annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Information and forms for notifying OCR of breaches are on the OCR web page Instructions for Submitting Notice of a Breach to the Secretary.

The Media. If media notification is required, the notification must be provided without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.


When is a breach considered "discovered"?

A breach is generally treated as "discovered" as of the first day the covered dental practice knows of the breach, or would have known of the breach if the dental practice had exercised reasonable diligence.

A covered dental practice is deemed to have knowledge of a breach when any person who is a workforce member or agent of the dental practice has knowledge of the breach. There is a limited exception that may apply if the only person who knows about a breach is the person who committed the breach.

It is important for a covered dental practice to implement reasonable systems for discovering breaches, because the dental practice can be liable for failing to provide notice of a breach that a workforce member or agent knew about but did not report, or that the dental practice would have known about if it had exercised reasonable diligence.


Who is required to provide notification of a breach of unsecured PHI?

The covered dental practice is responsible for providing notification of a breach of unsecured PHI, even if the breach was discovered or caused by an employee, independent contractor, or business associate. In some cases, the business associate agreement may assign breach notification obligations to the business associate. If a third party, such as a vendor, performs any breach notification activities on behalf of the dental practice, the third party is likely a business associate of the dental practice, so a compliant business associate agreement must be in place between the dental practice and the third party.


What information must the notification contain?

The notice must contain:

  1. A brief description of what happened, the date of the breach, and the date of discovery, if known.

  2. A description of the type of unsecured PHI involved. The description should include only a description of the type of information involved. It should not include the PHI itself, particularly if the PHI is sensitive (e.g., Social Security number).

  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach.

  4. A brief description of what the covered entity is doing to investigate, mitigate harm, and protect against further breaches.

  5. Contact procedures for individuals to ask questions or learn additional information. Contact procedures must include a toll-free telephone number, email address, website, or postal address.

The notice should be written clearly, at an appropriate reading level, and should not include extraneous material that may diminish the message.

Covered entities must take reasonable steps to ensure meaningful communication to Limited English Proficient persons (notices may need to be translated). Effective communication with individuals who have disabilities may require accommodations such as providing notice in Braille, large print, or audio.

Covered dental practices must comply with applicable state law that is contrary to, but more stringent than, HIPAA. For example, if an applicable state breach notification law required additional information in the notification to individuals, a covered dental practice would likely have to provide the additional information in its notification letter.


Who must receive notification?

  1. Affected individuals

  2. The U.S. Department of Health and Human Services

  3. If the breach involves more than 500 residents of a particular state or jurisdiction, notification must be provided to prominent media outlets serving the affected state or jurisdiction (a "jurisdiction" refers to a geographic area smaller than a state—for example, a county or city).

For example, if a breach affects 200 people in Illinois, 200 people in Indiana, and 200 people in Iowa, the Covered Entity would not need to notify media outlets because the breach did not affect more than 500 persons in any one state. If the breach affected 600 people in Illinois and 600 people in Indiana, the Covered Entity would have to notify prominent media outlets in both states.

When notice to the media is required, it is in addition to and does not replace notice to the affected individuals.


How must notification be provided?

A breach of unsecured PHI requires notification to individuals, the Office for Civil Rights, and in some cases the media:

A.  Providing notice to individuals

A dental practice must provide written notice to the affected individuals at their last known address by first class mail (or by email, if the individual has agreed to receive notice by email).

Urgent notice. In cases that the dental practice deems urgent (based on the possibility of imminent misuse of the PHI), the practice may give notice by telephone or other method. If a dental practice gives telephone or other notice in an urgent case, the practice must still provide written notice.

Deceased. If an affected individual is deceased, the dental practice should send notice to their next of kin or personal representative, if the individual had given the practice that contact information.

Minors and individuals lacking legal capacity. If the affected individual is a minor or otherwise lacks legal capacity due to a physical or mental condition, the dental practice should send notice to the individual's personal representative (such as a minor's parent or guardian).

Insufficient contact information. If a dental practice has insufficient or out-of-date contact information for any of the affected individuals, the practice may attempt to obtain correct or updated information and send the appropriate written notice to those individuals. If the dental practice is unable to obtain contact information, the practice must provide "substitute notice." Substitute notice should be provided as soon as reasonably possible after the dental practice is aware that it has insufficient or out-of-date contact information for one or more individuals. The means of providing substitute notice depends on whether the dental practice lacks contact information for fewer than 10 individuals, or for 10 or more individuals.

Substitute notice to fewer than 10 individuals. If a dental practice lacks sufficient or up-to-date contact information for fewer than 10 individuals, the dental practice must provide substitute notice that is reasonably calculated to reach the affected individuals. The dental practice may provide the notice via telephone or email (even if the individual has not agreed to receive notice via email), or the dental practice may post notice on its website or in another location, so long as it is reasonably calculated to reach the affected individual.

Substitute notice to 10 or more individuals. A dental practice that has insufficient or out-of-date contact information for 10 or more individuals must post notice in one of two ways:

Option 1: Dental practice website. The dental practice may provide substitute notice to 10 or more individuals by posting a conspicuous notice for a period of at least 90 days on the homepage of the dental practice website. The dental practice may use a hyperlink to the notice on the homepage, as long as the hyperlink is prominent—the hyperlink should be noticeable given its size, color, and graphic treatment in relation to other parts of the page. The wording of the hyperlink should convey the nature and importance of the information. The hyperlink must link to a notice containing the required information. The notice must include a toll-free telephone number that will remain active for at least 90 days for individuals to call and inquire.

Option 2: Major print or broadcast media. The dental practice may provide substitute notice to 10 or more individuals by means of a conspicuous posting in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. The practice must choose the major print or broadcast media in the geographic area(s) where the affected individuals are likely to reside that is most reasonably calculated to reach them. In a rural area, it may be the local newspaper. In an urban area, the newspaper serving the entire metropolitan area (or the entire state) may be more likely to reach the affected individuals. If the individuals live in different regions or states, it may be necessary to notify multiple media outlets. The notice should be conspicuous and noticeable (similar to the website notice discussed above) so as to be reasonably calculated to reach the affected individuals. The notice must include a toll-free telephone number that will remain active for at least 90 days for individuals to call and inquire.

B.  Providing notice to OCR

A dental practice must keep a log of all breaches and report the breaches annually to OCR, no later than 60 days after the end of the calendar year in which they were discovered. Breach logs must be retained for a period of six years, and must be available to OCR upon request.


If a breach affects 500 or more individuals, the covered entity must notify OCR without unreasonable delay and in no case later than 60 days from the discovery of the breach.

C.  Providing notice to the media

A dental practice must report breaches affecting more than 500 residents of a particular state or jurisdiction to prominent media outlets serving the affected state or jurisdiction (a "jurisdiction" is a geographic area smaller than a state, such as a county, city, or town). OCR expects that dental practices will use press releases to make such reports. The press release must be sent to a media outlet that is reasonably calculated to reach the affected individuals. The notice to the media must include a toll-free number.
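The thresholds in the sections above interact in ways that are easy to get wrong (the OCR clock is "500 or more" on the total, the media threshold is "more than 500" per state, and substitute notice switches form at 10 unreachable individuals). The following Python script is an added worked example that encodes those rules; it is not ADA, HHS or OCR software. It assumes that jurisdictions smaller than a state are counted the same way as states, and the affected counts it runs on are constructed for illustration.

```python
"""Worked example: which notifications does a breach of unsecured PHI
trigger, and by when?  Illustrative code added to this page, not ADA,
HHS or OCR software.  Assumption: jurisdictions smaller than a state
(county, city) are keyed like states for the media threshold."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Thresholds and clocks as described in the FAQ above.
INDIVIDUAL_DEADLINE_DAYS = 60      # no later than 60 calendar days after discovery
OCR_IMMEDIATE_THRESHOLD = 500      # "500 or more individuals": same 60-day clock
MEDIA_THRESHOLD = 500              # "more than 500 residents" of one state/jurisdiction
SUBSTITUTE_POSTING_THRESHOLD = 10  # 10 or more unreachable individuals: posting
POSTING_DAYS = 90                  # posting and toll-free number active >= 90 days
ANNUAL_REPORT_GRACE_DAYS = 60      # small breaches: due 60 days after year end


@dataclass
class Plan:
    total_affected: int
    individual_deadline: date                 # written notice to affected individuals
    ocr_deadline: date
    ocr_annual: bool                          # True: logged and reported annually
    media_states: list[str] = field(default_factory=list)
    substitute_notice: Optional[str] = None   # None | "alternative" | "posting"
    notes: list[str] = field(default_factory=list)


def notification_plan(discovered: date, affected_by_state: dict[str, int],
                      unreachable: int = 0) -> Plan:
    """Apply the Breach Notification Rule's thresholds to one breach."""
    total = sum(affected_by_state.values())
    clock = discovered + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)

    # OCR: large breaches share the 60-day clock; small ones go on the annual log,
    # due within 60 days after the end of the calendar year of discovery.
    if total >= OCR_IMMEDIATE_THRESHOLD:
        ocr_deadline, annual = clock, False
    else:
        year_end = date(discovered.year, 12, 31)
        ocr_deadline, annual = year_end + timedelta(days=ANNUAL_REPORT_GRACE_DAYS), True

    # Media: judged per state, not on the total (600 split three ways needs no press release).
    media_states = sorted(s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD)

    plan = Plan(total, clock, ocr_deadline, annual, media_states)

    # Substitute notice depends on how many individuals cannot be reached by mail.
    if unreachable >= SUBSTITUTE_POSTING_THRESHOLD:
        plan.substitute_notice = "posting"
        plan.notes.append(f"Post a conspicuous notice on the website homepage or in major "
                          f"print/broadcast media for at least {POSTING_DAYS} days, with a "
                          f"toll-free number active at least {POSTING_DAYS} days.")
    elif unreachable > 0:
        plan.substitute_notice = "alternative"
        plan.notes.append("Reach the unreachable individuals by telephone, email, or another "
                          "method reasonably calculated to reach them.")
    if media_states and plan.substitute_notice == "posting":
        plan.notes.append("Media notice (press release) is in addition to the substitute-notice "
                          "posting; neither replaces the other or the letters to individuals.")
    return plan


def plan_for(discovered_iso: str, affected_by_state: dict[str, int],
             unreachable: int = 0) -> Plan:
    """Convenience wrapper taking an ISO date string such as '2023-05-01'."""
    return notification_plan(date.fromisoformat(discovered_iso), affected_by_state, unreachable)


if __name__ == "__main__":
    # Constructed scenario based on the page's Illinois/Indiana/Iowa example,
    # with 12 individuals whose mailing addresses are out of date.
    p = plan_for("2023-05-01", {"IL": 200, "IN": 200, "IA": 200}, unreachable=12)
    print(p)
```

Run it as a script to print the plan for the constructed scenario: 600 individuals total puts OCR notice on the 60-day clock, no single state exceeds 500 so no press release is needed, and the 12 unreachable individuals force a website or media posting. Change the counts to `{"IL": 600, "IN": 600}` and both states appear in `media_states`; change the total to fewer than 500 and the OCR deadline moves to 60 days after year end.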


Is it possible that the toll-free number in my substitute notice will result in too many calls?

Substitute notice must include a toll-free phone number that remains active for at least 90 days, and where an individual can learn whether his or her unsecured PHI may be included in the breach. If you are concerned about receiving calls from unaffected individuals, include information in the notice itself to help readers determine whether their information may have been included in the breach.


Let's say a dental practice discovers a breach of unsecured PHI involving more than 500 individuals in a single state or jurisdiction (so it needs to provide media notification), and the dental practice has insufficient contact information for more than 10 of the individuals (so it needs to provide substitute notice). If the dental practice elects not to provide substitute notice through its website, must the dental practice provide BOTH media notice AND substitute notice through the media?

The Breach Notification Rule appears to require that a dental practice in this situation must provide both a conspicuous posting for purposes of substitute notice and media notice in the form of a press release.


Is Puerto Rico considered a "state or jurisdiction" for purposes of providing media notice?

Yes. For purposes of the Breach Notification Rule, "State" includes the 50 U.S. states, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa and the Commonwealth of the Northern Mariana Islands.


How must a dental practice proceed if a law enforcement official instructs the dental practice to delay notification because sending notices would impede a criminal investigation?

HIPAA breach notification must be delayed if a law enforcement official determines that notification, notice, or posting would impede a criminal investigation or cause damage to national security.

If the law enforcement official provides the dental practice a statement in writing that specifies how long a delay is required, the dental practice must delay notification for that period of time.

If the law enforcement official provides oral instructions to the dental practice, the dental practice must document the statement and identity of the official and delay notification for no longer than 30 days, unless a written statement specifying the length of the delay required is received during the 30-day period.


When did the Breach Notification Rule go into effect?

The HIPAA Breach Notification Rule went into effect on September 23, 2009, and sanctions may be imposed for breaches that are discovered on or after February 22, 2010. The 2013 Omnibus Final Rule changed the requirements for complying with the Breach Notification Rule effective March 26, 2013, and covered dental practices must be in compliance with the new rules by September 23, 2013.


What are the penalties for failure to comply with the Breach Notification Rule?

Sanctions for failure to comply with HIPAA include penalties that can reach thousands, or even millions, of dollars.


Where can I find the text of the Breach Notification Rule?

The OCR website has the Combined Regulation Text of All Rules. The PDF of the combined text includes the Security, Privacy and Breach Notification Rules.

The Breach Notification Rule begins on page 71 of the PDF and includes § 164.400 through § 164.414.

HIPAA Breach Notification Rule flowchart & glossary of terms

The American Dental Association has developed the "HIPAA Breach Notification Flow Chart" to help dentists understand the HIPAA Breach Notification Rule. The flow chart is simplified and should only be used to gain a general understanding of the Rule. The glossary that follows defines the terms in green font. The flow chart and glossary should be read together.

Glossary of Terms

This Glossary provides information about the terms highlighted in green on the Breach Notification Flow Chart to help dentists understand the HIPAA Breach Notification Rule. The Glossary and above Flow Chart should be read together.

Breach: A breach generally occurs when PHI has been used, disclosed, accessed or acquired in a way that the HIPAA Privacy Rule does not permit. There are three exclusions from the HIPAA definition of a breach. Notification is not required if the covered dental practice performs a written risk assessment using all relevant factors, including four required factors, and the risk assessment demonstrates that there is a low probability that the PHI has been compromised. For more information about the HIPAA definition of a breach, including the three exclusions and the four required risk assessment factors, see Appendix B below.

Covered Entity: A dental practice is a HIPAA covered entity if it transmits any HIPAA covered transactions electronically. For example, a dental practice that submits electronic claims for payment is a HIPAA covered entity. A dental practice is also a HIPAA covered entity if covered electronic transactions are transmitted on its behalf by another person or entity.

Discover: A breach of protected health information (PHI) is treated as "discovered" by a covered entity as of the first day the breach is known (or through reasonable diligence would have been known) to the covered entity. If a workforce member or agent of the covered entity knows of the breach (or would have known by exercising reasonable diligence), then the covered entity is deemed to have knowledge of the breach. Covered dental practices should implement systems for discovering breaches because if they would have discovered a breach through reasonable diligence they can be liable for failing to provide notice. There is a limited exception when the only workforce member who knows of a breach is the person who committed the breach.

Documentation Requirements: A covered dental practice must be able to demonstrate that it has complied with the Breach Notification Rule—for example, that the practice has provided any required breach notification, notices, and postings. If a covered dental practice does not provide breach notification because the dental practice has appropriately determined that there is a low probability of compromise, the dental practice must document the risk assessment of all relevant factors, including the four required factors demonstrating a low risk that the PHI was compromised. Documentation must be retained for six years from the date of its creation or the date when it last was in effect, whichever is later.


Notice or Notification: A breach of unsecured PHI requires a covered dental practice to provide notice as follows:

  A. Notice to individuals

The dental practice must provide written notice to affected individuals at their last known address by first class mail (or by email if specified by the individual).

The notice must be sent without unreasonable delay (and in no case later than 60 days after discovery of the breach).


The notice must contain:

  1. A brief description of what happened, the date of the breach, and the date of discovery, if known,

  2. A description of the types of unsecured PHI involved (describe, but do not include, the PHI that was breached, and avoid using sensitive information in the notification itself),

  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach,

  4. A brief description of what the dental practice is doing to investigate, mitigate harm, and protect against further breaches, and

  5. Contact procedures for individuals to ask questions or learn additional information (a toll-free telephone number, email address, website, or postal address).


In an urgent situation, where there is the possibility of imminent misuse of unsecured PHI, the dental practice may notify affected individuals by telephone or other method. The covered entity must still provide written notice by mail.


Substitute notice

If the dental practice has insufficient or out-of-date contact information for any affected individuals, the dental practice may attempt to obtain correct or updated information. If the practice acquires the contact information, it can send a written notice.


If the dental practice lacks contact information for fewer than 10 individuals, the dental practice must provide substitute notice that is reasonably calculated to reach the affected individuals via email or telephone, or by posting a notice on the dental practice's website or another location.


If the dental practice lacks contact information for 10 or more individuals, the dental practice is required to post a notice that includes a toll-free telephone number (active for 90 days) that individuals can call to inquire. The notice can be posted by either:

  1. posting a conspicuous notice for a period of 90 days on the home page of the dental practice's website, or

  2. making a conspicuous posting in major print or broadcast media in the geographic areas where the individuals affected by the breach reside.


B. Notice to OCR


A covered dental practice must keep a log of all breaches and report the breaches annually to OCR in the manner specified on the OCR website.

For any breach affecting 500 or more individuals, a covered entity must notify the OCR without unreasonable delay, but in no case later than 60 days after discovery of the breach, in the manner specified on the OCR website.

C. Notice to media

If a breach affects more than 500 residents of a particular state or jurisdiction, the dental practice must notify prominent media outlets serving the affected state or jurisdiction. The notification must be given without unreasonable delay, and in no case later than 60 days after discovery of the breach. When notification to media outlets is required, it is in addition to, and does not replace, notice to the affected individual(s).

Protected Health Information (PHI): In general, PHI is information that identifies, or can be used to identify, an individual, and that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to an individual, or payment for health care. PHI includes demographic information collected from an individual. PHI can be in any form (e.g., electronic, hard copy, or oral). Examples of PHI include dental records, health histories, billing statements, explanations of benefits (EOBs), radiographs, and photographs. However, there are exceptions to the definition of PHI. For example, PHI does not include certain employment and educational records, nor information that has been properly "de-identified" (see Appendix C below).

Secured and unsecured PHI: Covered dental practices must provide notification when there is a breach of unsecured PHI. Notification is not required when the incident involves properly secured PHI. To be considered "secured," PHI must be protected by the use of a methodology approved by HHS. See Appendix A below for more information on securing PHI.

Without unreasonable delay: OCR requires covered dental practices to provide notification to individuals as soon as reasonably possible. A dental practice may take reasonable time to investigate the circumstances surrounding the breach. However, the time period for breach notification begins when the incident is discovered, not when the investigation of the incident is complete. A dental practice must send the required notification in no case later than 60 days after the date it discovered the breach. A delay may be deemed reasonable or unreasonable based on a fact-specific determination that considers relevant factors such as the nature of the breach, the number of individuals affected and the resources of the covered dental practice.

Sample dental practice breach notification action list

This sample action list is an example of a tool that a covered dental practice may use to help comply with the HIPAA Breach Notification Rule. This resource has not been approved by the Office for Civil Rights (OCR). It should not be treated or considered as legal advice or as applicable to any particular dental practice. Rather, dental practices wishing to use this tool should adapt this model action list in light of their own experience, applicable law, and the advice that the practice receives from qualified counsel.

Our dental practice will take the following steps to promote compliance with the HIPAA Breach Notification Rule:

1. Confirm that our practice is a HIPAA covered entity

2. Learn the requirements of the HIPAA Breach Notification Rule and any applicable state law

3. Develop a breach log for annual reporting to HHS

4. Develop breach notification policies and procedures

a. Identify all PHI in our practice (electronic, paper, oral, or in any other form)

b. Determine how we maintain and transmit PHI and whether the PHI is “secured” under the Breach Notification Rule

c. Develop procedures for reasonable diligence to discover breaches

d. Train workforce to report all suspected breaches immediately (and document all training)

e. Assign responsibility for responding to suspected breaches

f. Develop procedures for responding to suspected breaches

g. Develop risk assessment and documentation procedures

h. Research vendors whose assistance may be required and develop relationships as appropriate

i. Train workforce to comply with the Breach Notification Rule and our policies and procedures (document all training)

j. Establish sanctions for violations of the Rule and our policies and procedures (and document all sanctions)

k. Review our existing business associate agreements (“BAAs”) and our standard BAA forms to make sure these documents comply with the Rule and protect our practice in the event a business associate discovers a breach. The BAA must provide that the business associate will report to the dental practice any use or disclosure of the PHI not provided for by the BAA of which the business associate becomes aware, including breaches of unsecured PHI as required by the Breach Notification Rule. The BAA may also provide:

1) Timeframe requirements for a business associate to notify our practice of a breach

2) Specific obligations for each party

3) Provisions to avoid confusing duplicate notices to individuals

4) Requirements for securing PHI

5) Indemnification provisions that would apply if the business associate causes a breach, or violates the Breach Notification Rule or the BAA

6) Insurance requirements (e.g., requiring the business associate to obtain cyber liability insurance and name the dental practice as an additional insured)

l. Review how our practice collects and maintains patient contact information, to minimize the likelihood that our practice would be required to provide substitute notice.

1) Do we ask patients to update their contact information regularly?

2) Do we have up-to-date contact information for parents, guardians, and other legal representatives?

m. Determine whether our practice should ask patients whether notices may be sent via e-mail, to minimize the number of notifications that would need to be sent via first-class mail in the event of a breach.

n. Consult with our practice management software vendor, hardware supplier, network support team, or other knowledgeable information technology professional to ascertain whether an acceptable security methodology is in place, and how to secure electronic PHI via appropriate encryption.

o. Determine whether our practice website could be used to post substitute notice in the event of a breach affecting individuals for whom we lack contact information.

5. Consult a qualified attorney to review our compliance policies and procedures, and to discuss any questions that arise concerning HIPAA, breach notification, and any applicable state privacy and data security laws.


Sample breach notification policies and procedures

These sample policies and procedures are an example of a tool that a covered dental practice may use to help comply with the HIPAA Breach Notification Rule. This resource has not been approved by the Office for Civil Rights (OCR). It should not be treated or considered as legal advice or as applicable to any particular dental practice. Rather, dental practices wishing to use this tool should adapt this resource in light of their own experience, applicable law, and the advice that the practice receives from qualified counsel.

Breach Notification policy and procedures

Our dental practice adopts the following Breach Notification policy and procedures as of [date] in order to detect breaches of unsecured PHI, investigate suspected breaches, and provide any required notification. These policies and procedures must be observed by all members of our "workforce," which includes the professional, administrative, and clerical staff, all employees, temps, and volunteers, and by all agents, independent contractors, and vendors of this practice who have access to PHI.

I. Immediately report suspected breaches

Exercise reasonable diligence to discover breaches of PHI, and if you become aware of an incident that may be a breach, immediately notify the Office Manager of the incident and the date it was discovered. Sanctions, up to and including termination, will apply to workforce members who have knowledge of a possible breach and fail to immediately notify the Office Manager.

II. Investigation

The Office Manager will promptly investigate all suspected breaches to determine whether notification is required. Investigation may require participation of a qualified attorney and/or vendor(s) such as technology vendors and forensic analysis experts.

III. Presumption of breach and risk assessment

There is a presumption that a breach has occurred following every impermissible use or disclosure of patient information, so our dental practice may decide to notify without evaluating the probability that the patient information was compromised.

Notification is not required if our dental practice can demonstrate that there is a low probability that the patient information was compromised based on a written assessment of the relevant factors including, at a minimum, the following four factors:

  1. The nature and extent of the patient information involved, including the types of identifiers and the likelihood of re-identification

  2. The unauthorized person who used the patient information or to whom the disclosure was made

  3. Whether the patient information was actually acquired or viewed, and

  4. The extent to which the risk to the patient information has been mitigated

The Office Manager will provide appropriate breach notification, notices and reports when required. If an appropriate risk assessment demonstrates a low probability that the patient information was compromised, the Office Manager will appropriately document such risk assessment.

IV. Mitigation

If the Office Manager determines that a breach of unsecured PHI has occurred, the Office Manager will direct the practice to take any appropriate steps to mitigate the breach and any harm that is likely to result from the breach, and to take any appropriate steps to prevent similar breaches from occurring in the future.

V. Breach log

The Office Manager will keep a log of all breaches and report annually to OCR in the manner specified on the OCR website.

VI. Notification

If a breach of unsecured protected health information has occurred that requires our dental practice to provide notification, the Office Manager will do the following:

A. Names and information. The Office Manager will collect the names and contact information for individuals affected by the breach (or their personal representatives, as appropriate) and the information required for the notification.

B. Urgent situation. In an urgent situation involving the possibility of imminent misuse of unsecured PHI, the Office Manager may notify affected individuals by telephone in addition to providing written notice.

C. Timing of notice. The Office Manager will send notice to the affected individuals without unreasonable delay, and in no case later than 60 days after the discovery of the breach.

D. Contents of notice. The notice will include a brief description of what happened, including the date of the breach and the date of discovery, if known; a general description of the types of unsecured PHI that were involved; any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what the practice is doing to investigate, mitigate harm, and protect against future breaches; and contact procedures for individuals to ask questions or learn additional information (including telephone number, email address, website, postal address, or toll-free telephone number, as appropriate).

Important: The notification must not include any PHI or any other sensitive information.

E. Means of sending notice. The Office Manager will provide written notice to each affected individual. Notices will be sent by email to all individuals who have so specified. All other individuals will be notified by first-class mail to their last known address.

F. Unreachable individuals. If the practice lacks contact information for any affected individual, the Office Manager will attempt to obtain current contact information so that appropriate notices may be sent.

If the Office Manager is unable to obtain current contact information for fewer than 10 individuals, the Office Manager may provide substitute notice that is reasonably calculated to reach them via telephone, email, or by posting a notice on the practice website or in another location.

If the Office Manager is unable to obtain current contact information for 10 or more individuals, the Office Manager will post a conspicuous notice for at least 90 days on the home page of our dental practice website that includes a toll-free telephone number for individuals to call to inquire. The toll-free number will remain active for at least 90 days. In the alternative, the Office Manager may provide substitute notice to 10 or more individuals by means of a conspicuous posting in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside. The media notice must include a toll-free telephone number that will remain active for at least 90 days for individuals to call and inquire.

G. 500 or more individuals. If the unsecured PHI of 500 or more individuals is breached, the Office Manager will notify OCR without unreasonable delay (and in no case later than 60 days after discovery of the breach) in the manner specified on the OCR website.

H. More than 500 individuals in a state or jurisdiction. If a breach of unsecured PHI affects more than 500 individuals in a single state or jurisdiction, the Office Manager will send a press release to prominent media outlets serving the affected state or jurisdiction, in addition to providing notification to the affected individuals and OCR. The press release will be sent without unreasonable delay and in no case later than 60 days after discovery of the breach, and will contain a toll-free number for individuals to call and inquire.

I. Law enforcement delay. If a law enforcement official determines that breach notification, notice, or posting would impede a criminal investigation or cause damage to national security, the Office Manager will refrain from providing the notification, notice, or posting for the appropriate period of time. If the law enforcement official provides the dental practice a statement in writing that specifies how long a delay is required, the Office Manager will delay notification for that period of time. If the law enforcement official provides oral instructions, the Office Manager will document the statement and the identity of the official and delay notification for no longer than 30 days, unless during the 30-day period our dental practice receives a written statement specifying the length of the delay required.

J. State breach notification law. When a suspected breach is reported, the Office Manager will determine whether state breach notification law applies. If so, the Office Manager will ensure that our dental practice complies with both HIPAA and applicable state law.

VII. Plan administration and updates

All of our dental practice workforce members will receive a copy of these policies and procedures and will receive training. The Office Manager will ask each workforce member to sign an acknowledgement of receipt and understanding when they receive a copy of these policies and procedures, and to sign a training sign-in sheet when they receive training. The Office Manager will evaluate our HIPAA compliance program annually and update it in light of experience and any changes in the HIPAA regulations. Any questions about this policy and procedures should be directed to the Office Manager.


Sample policies and procedures acknowledgment form

This sample form is an example of a tool that a covered dental practice may use to help comply with the HIPAA Breach Notification Rule. This resource has not been approved by the Office for Civil Rights (“OCR”). It should not be treated or considered as legal advice or as applicable to any particular dental practice. Rather, dental practices wishing to use this tool should adapt this resource in light of their own experience, applicable law, and the advice that the practice receives from qualified counsel.

Acknowledgment

(to be completed by all members of the Workforce)

I, ____________________________, have read the dental practice’s Breach Notification Policies and Procedures and understand the contents. I have been instructed regarding situations that may suggest a possible breach of PHI as described in the Breach Notification Policies and Procedures. If I discover a possible breach of PHI, I will immediately bring the matter to the attention of the Office Manager.

By:________________________________

Print name: _______________________

Date:______________________________

Approved by: _____________________

Name: ____________________________

Title: ______________________________

Effective date: ____________________

Review Date: _____________________


Sample breach notification risk assessment worksheet

This sample worksheet is an example of a tool that a covered dental practice may use to help comply with the HIPAA Breach Notification Rule. This resource has not been approved by the Office for Civil Rights (OCR). It should not be treated or considered as legal advice or as applicable to any particular dental practice. Rather, dental practices wishing to use this tool should adapt this resource in light of their own experience, applicable law, and the advice that the practice receives from qualified counsel.

Dental Center

Breach Notification Risk Assessment Worksheet

There is a presumption that a breach has occurred following every impermissible use or disclosure of patient information, so a covered dental practice may decide to notify without evaluating the probability that the patient information was compromised.

Notification is not required if our dental practice can demonstrate that there is a low probability that the patient information was compromised based on a written assessment of the relevant factors including, at a minimum, the following four factors:

1. The nature and extent of the patient information involved, including the types of identifiers and the likelihood of re-identification

2. The unauthorized person who used the patient information or to whom the disclosure was made

3. Whether the patient information was actually acquired or viewed, and

4. The extent to which the risk to the patient information has been mitigated

A covered dental practice may find it useful to use a worksheet to investigate suspected breaches. A compliant written risk assessment must be documented if notification is not provided because there is a low probability that the protected health information was compromised.

1. On what date was the breach discovered?

2. What happened?

3. Was the information PHI? If so, what type of PHI was involved?

4. Was the PHI properly "secured"?

5. Was there an acquisition, access, use, or disclosure of PHI?

6. Was the acquisition, access, use or disclosure permissible under HIPAA?

7. Does one of the three exclusions from the HIPAA definition of a "breach" apply?

1). Was it an unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of the dental practice or a business associate, who was acting in good faith and within the scope of his or her authority, and that will not result in further impermissible use or disclosure?

2). Was it an inadvertent disclosure by a person authorized to access the PHI at the dental practice or a business associate to another person who is authorized to access PHI at the same facility, and the PHI is not further impermissibly used or disclosed?

3). Was it a disclosure of PHI where a member of our dental practice believes in good faith that an unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information?

8. Is there a low probability that the PHI was compromised, based on an assessment of the relevant factors, including, at a minimum, the four required factors?

1). Assess the probability of compromise based on the four required factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

2. The unauthorized person who used the PHI or to whom the disclosure was made

3. Whether the PHI was actually acquired or viewed, and

4. The extent to which the risk to the PHI has been mitigated

2). List any other relevant factors and assess the probability of compromise based on those factors:

If notification is not provided because the above written risk assessment demonstrated a low probability of compromise, retain the written risk assessment for at least six years from the date it was created, or the date when it last was in effect, whichever is later.

If a breach of unsecured PHI has occurred and the probability of compromise is not low, appropriate notification, notices and reports must be provided. To provide information to support this obligation, please respond to the following questions:

9. What is our dental practice doing to investigate, mitigate harm, and protect against future breaches?

10. Does our dental practice lack sufficient or up-to-date contact information for any individuals affected by the breach?

If yes:

1). Has our dental practice attempted to obtain correct or updated information?

2). Does our dental practice lack contact information for nine or fewer individuals?

3). Does our dental practice lack contact information for ten or more individuals?

4). How will our dental practice provide substitute notice to these individuals?

• Nine or fewer: telephone, alternative written notice, or other means

• Ten or more: web posting or media notice

11. Were more than 500 individuals involved in a single state or jurisdiction?

If yes:

• What is the date that media notification was provided?

• Which media outlets were notified?

12. Were 500 or more individuals involved in the breach?

If yes, on what date was the Office for Civil Rights notified of the breach?

If no, has the breach been logged for annual submission to the Office for Civil Rights?

Retain copies of notification letters, substitute notice (website or media), notice to the Office for Civil Rights, media notice (if any), and any other documentation pertaining to this incident for six years from the date the document was created, or six years from the date when last in effect, whichever is later.

Sample breach notification letter to individual

This sample notification letter is an example of a tool that a covered dental practice may use to help comply with the HIPAA Breach Notification Rule. Applicable state law may require additional information in notification letters. This resource has not been approved by the Office for Civil Rights (OCR). It should not be treated or considered as legal advice or as applicable to any particular dental practice. Rather, dental practices wishing to use this tool should adapt this resource in light of their own experience, applicable law, and the advice that the practice receives from qualified counsel.

Dear [NAME]:

On the morning of [DATE], a laptop containing unencrypted information of approximately [NUMBER] of our patients was stolen from the trunk of a locked car. The laptop contained the following information:

  • Names and addresses

  • Social Security numbers and dates of birth

  • Dental records, including health history forms

Our dental practice is offering all individuals involved in the breach one year of free credit monitoring service. [INSERT INSTRUCTIONS FOR ACCESSING FREE CREDIT MONITORING SERVICE].

We also encourage you to order free annual credit reports from Experian, TransUnion, and Equifax. For information about how to order a free credit report, visit the website of the Federal Trade Commission at http://www.ftc.gov/bcp/edu/microsites/freereports/index.shtml.

When our dental practice discovered that the laptop had been stolen, we immediately contacted the police. We are notifying all individuals who may have been affected by this incident and we are developing new office procedures to prevent such events in the future, including requiring full disk encryption of all laptops.

If you have any questions or require additional information about this matter, please do not hesitate to contact me by telephone at [TELEPHONE NUMBER], by email at [EMAIL ADDRESS], or by U.S. mail at the above address.

Very truly yours,

Sample breach appendix A: Securing PHI

The Breach Notification Rule defines "unsecured protected health information" to mean "protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5." (45 CFR 164.402)

As of the date of this resource, the following guidance was in effect:

Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

1. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

  • Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.1

  • Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

2. The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

  • Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

  • Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI cannot be retrieved.

Footnote

1 NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.

Source: Office for Civil Rights, Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

© 2013, 2014, 2021 American Dental Association. All rights reserved. Reproduction of this material by member dentists and their staff for use in the dental office is permitted. Any other use, duplication or distribution by any other party requires the prior written approval of the American Dental Association.

Revised February 4, 2020.


Appendix B: The HIPAA definition of "breach"

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.

(1) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

Source: 45 CFR 164.402, available in the OCR's Combined Regulation Text of All Rules.

Appendix C: Simplified list of the 18 HIPAA identifiers

PHI is "de-identified" and no longer protected by HIPAA if all 18 of the following identifiers of the individual and his or her relatives, employers, and household members are removed, and the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

This is a simplified list; exceptions may apply to certain identifiers. For the complete list, see 45 CFR 164.514(a), (b), and (c).

  1. Names

  2. Addresses, including city, county, precinct, zip code, and any other geographic subdivisions smaller than a State.

  3. Dates related to an individual (for example, admission date or birthdate) and all ages over 89 (including birth year for those over 89)

  4. Telephone numbers

  5. Fax numbers

  6. Electronic mail addresses

  7. Social Security numbers

  8. Medical record numbers

  9. Health plan beneficiary numbers

  10. Account numbers

  11. Certificate/license numbers

  12. Vehicle identifiers and serial numbers, including license plate numbers

  13. Device identifiers and serial numbers

  14. Web Universal Resource Locators (URLs)

  15. Internet Protocol (IP) address numbers

  16. Biometric identifiers, including finger and voice prints

  17. Full face photographic images and any comparable images

  18. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section unless the number, characteristic, or code:

    a. was not derived from or related to information about the individual and cannot be translated so as to identify the individual, and

    b. is not used or disclosed for any other purpose and the mechanism for re-identification is not disclosed.

Source: 45 CFR 164.514(a), (b), and (c), available in the OCR's Combined Regulation Text of All Rules.
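As an added example, not part of the ADA resource or the regulation text: a Python de-identifier that applies the simplified list above to a constructed dental record, plus a check for identifiers that survive, including ones hiding in free text. The field names and the sample record are assumptions; dates keep only the year and ages over 89 become "90+", which the full rule at 45 CFR 164.514(b)(2)(i)(C) permits even though the simplified list does not spell it out.

```python
import re
from datetime import date

# Record fields that map directly onto the Safe Harbor identifiers (field
# names are assumptions for this example); all of them are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# The only fields a de-identified record may still carry.
ALLOWED = {"state", "birth_year", "age", "visit_year", "procedure_code", "notes"}
# Identifier shapes that can hide inside free text: SSN, email, IPv4.
PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
            re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")]

def safe_harbor_deidentify(record: dict, today: date) -> dict:
    """Copy of `record` with the Safe Harbor identifiers removed: geography
    keeps the state only (the conservative reading of the list above); dates
    keep the year only, and ages over 89 collapse into "90+" with the birth
    year dropped, as 45 CFR 164.514(b)(2)(i)(C) permits. Free text passes."""
    out = {k: record[k] for k in ("state", "procedure_code", "notes") if k in record}
    if "birth_date" in record:
        born = date.fromisoformat(record["birth_date"])
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        if age > 89:
            out["age"] = "90+"      # the birth year would reveal the age, so it goes too
        else:
            out["age"], out["birth_year"] = age, born.year
    if "visit_date" in record:
        out["visit_year"] = date.fromisoformat(record["visit_date"]).year
    return out

def leaked_identifiers(record: dict) -> set:
    """Fields that still carry an identifier: a known identifier field, a field
    outside ALLOWED, or an allowed text field containing an SSN/email/IP."""
    return {k for k, v in record.items()
            if k in DIRECT_IDENTIFIERS or k not in ALLOWED
            or (isinstance(v, str) and any(p.search(v) for p in PATTERNS))}

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.com",
    "birth_date": "1930-05-12", "visit_date": "2021-03-15", "state": "IL",
    "city": "Chicago", "zip": "60601", "procedure_code": "D0120",
    "notes": "Routine exam.",
}
```

Running `leaked_identifiers` over the output is the useful part: structured-field stripping alone leaves free-text fields such as `notes` as the place an identifier most often survives.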