In a nutshell, what does the HIPAA Breach Notification Rule require?
Here is a very simplified summary. See below for more details, and for information about terms like "protected health information," "breach" and "unsecured."
To comply with the Breach Notification Rule, a covered dental practice must:
- Develop and implement written breach notification policies and procedures.
- Provide timely notification of any breach of unsecured protected health information to affected individuals, the Office for Civil Rights, and in some cases the media.
- Retain documentation for the time period required by HIPAA.
What happens if a covered dental practice's business associate discovers a breach of unsecured PHI?
A HIPAA "business associate" is generally defined as an entity (or an individual who is not a member of the dental practice's workforce) that performs a service involving PHI for the dental practice.
A business associate that discovers a breach of the dental practice's unsecured PHI must notify the dental practice of the breach without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Unless the business associate agreement assigns breach notification responsibility to the business associate, the dental practice must provide any required notification to individuals, OCR, and, if required, to the media. The covered entity must provide the notification without unreasonable delay and in no case later than 60 calendar days after "discovery" of the breach, which often occurs when the dental practice receives notice of the breach from the business associate. However, if the business associate is deemed an "agent" of the dental practice under the federal common law of agency, then the dental practice would be deemed to have discovered the breach on the date that the breach was discovered by the agent, and notification must be provided no later than 60 calendar days after the date that the agent discovered the breach (rather than the date that the agent reported the breach to the dental practice).
The business associate must give the dental practice, to the extent possible, the identity of each individual whose unsecured PHI has been breached, and any other available information that the dental practice is required to include in the notification. The business associate may give the dental practice immediate notice of the breach and follow up with the other required information as it becomes available, as long as the business associate acts without unreasonable delay and within 60 days. If a business associate obtains any of the required information after notifications have been sent (or after the 60-day period), it should still provide the information to the dental practice.
If a business associate provides a dental practice with notice of a breach involving several covered entities, the dental practice must provide notice if any of the dental practice's PHI was involved in the breach. However, while the covered dental practice is ultimately responsible for assuring that appropriate notice is dispatched, in cases where the covered entities involved are not able to determine which entity's PHI was involved in the breach, the covered entities may have the business associate provide the notification to the media on behalf of all of the covered entities.
What is a "breach"?
The HIPAA definition of a "breach" has several layers.
In general, a suspected breach occurs when PHI is accessed, acquired, used or disclosed in a way that the HIPAA Privacy Rule does not permit, which compromises the security or privacy of the PHI.
There are three exclusions from the definition of a breach, which are listed in Appendix B.
According to the OCR website:
The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
The "compromise standard." Although the definition of breach includes the words "which compromises the security or privacy" of the PHI, there is a presumption that a breach has occurred following every impermissible use or disclosure of PHI.
A covered dental practice has the discretion to provide the required breach notifications following an impermissible use or disclosure of PHI without performing a risk assessment to determine the probability that the privacy or security of the PHI was compromised.
A dental practice must send breach notification unless it can demonstrate that there is a low probability that the patient information was compromised based on an assessment of the relevant factors including, at a minimum, the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed, and
- The extent to which the risk to the PHI has been mitigated.
The assessment should be documented so that the dental practice can meet its burden of demonstrating that all notifications were made as required by the Breach Notification Rule, or that the use or disclosure did not constitute a breach.
Note about the 2013 Omnibus Final Rule. Effective March 26, 2013, the "compromise standard" discussed above replaced the "harm standard." Under the prior rule, notification was not required unless the impermissible use or disclosure posed a significant risk of financial, reputational or other harm to the individual. This was referred to as the "harm standard." Covered dental practices must be in compliance with the new "compromise standard" no later than September 23, 2013.
What is "protected health information"?
In general, protected health information (PHI) is information that (a) identifies, or can be used to identify, an individual, and (b) relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to an individual, or payment for health care.
PHI includes demographic information collected from an individual, such as name or address. PHI can be in any form, including electronic data, hard copy, or oral information. Examples of PHI include dental records, health histories, billing statements, explanations of benefits (EOBs), radiographs, and full-face photographs and comparable images that identify or that could be used to identify the patient.
The definition of PHI contains several exceptions. For example, PHI does not include employment records held by a covered dental practice in its role as an employer, or certain education records covered by the Family Educational Rights and Privacy Act.
Information is not PHI if it has been properly "de-identified." To de-identify PHI, one must remove all 18 HIPAA "identifiers" for the individual and his or her relatives, employers, or household members (see Appendix C for a simplified list of the 18 identifiers). In addition, the covered dental practice must have no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. HIPAA also has rules permitting an expert, such as a qualified statistician, to determine if PHI has been de-identified.
State law may require notification even if the information breached was not PHI.
What is the Office for Civil Rights?
The Office for Civil Rights (OCR) is an agency of the U.S. Department of Health and Human Services. OCR is responsible for federal enforcement of the HIPAA Privacy, Security and Breach Notification Rules. The OCR website provides information about HIPAA compliance.
What should go in a covered dental practice's HIPAA Breach Notification Rule policies and procedures?
If your practice is a covered entity and it has not developed policies and procedures for handling suspected breaches, it should do so without delay. Breach notification policies and procedures will vary from practice to practice because each practice is different, faces different risks and vulnerabilities, and may need to be tailored to comply with applicable state laws.
Examples of such policies and procedures include:
- Assigning responsibility for breach notification compliance
- Defining procedures for discovering suspected breaches
- Defining procedures for reporting suspected breaches (e.g., to the Privacy Official)
- Defining procedures for investigating suspected breaches
- Setting the timeframe for sending any required notifications
Workforce members must be trained to comply with the dental practice's breach notification policies and procedures, and the dental practice is required to impose sanctions for any failure to comply.
Covered dental practices must create and retain documentation demonstrating compliance with the Breach Notification Rule. Examples include written policies and procedures, training records, records of any sanctions, copies of any notification letters and press releases, and, for any notification not sent, an appropriate written risk assessment demonstrating a low probability that the PHI was compromised. Documentation must be retained for at least six years from the date of its creation, or the date when it last was in effect, whichever is later. The dental practice must provide the documentation to the government in the event of a HIPAA investigation, compliance review, or audit.
See Section 4 for sample breach notification policies and procedures.
When is PHI "unsecured"?
Notification is not required if PHI is "secured." The rules for securing PHI are listed in the Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals from the Office for Civil Rights (OCR). The OCR Guidance is in Appendix A.
To summarize some of the information in the OCR Guidance:
Electronic data can be secured through appropriately encrypting the device (such as a laptop) or the file (such as a .pdf file attached to an email), as long as the encryption process or key has not been breached. A dental practice may need to work with a technical expert who is familiar with the OCR Guidance to develop procedures for encrypting PHI in the dental office. An electronic device can also be secured by appropriately clearing, purging, or destroying the device itself.
Paper, film, or other hard copy media is secured only if it has been shredded or destroyed such that the PHI cannot be read or reconstructed. In other words, hard copy PHI, such as paper dental records, is not considered "secured" for purposes of the Breach Notification Rule if it is intact and readable. Protecting hard copy PHI (for example, by storing it under lock and key) can certainly help prevent a breach, but the hard copy PHI is still "unsecured," and notification is required if there is a breach. When it is appropriate to dispose of hard copy PHI, disposal should be by shredding or destroying the hard copies so that it is impossible to read or reconstruct them.
Oral PHI cannot be "secured" for breach notification purposes.
Redacted PHI is not considered "secured." For example, if a dental practice uses a marker to cover up all of the identifiers (see Appendix C) on a hard-copy document, the document is not considered secured under the Breach Notification Rule. If a breach occurs, notification is required unless the covered dental practice can properly demonstrate a low probability of compromise (see above).
State law may require notification even if the information was secured.
Which dental practices must comply with the HIPAA Breach Notification Rule?
A dental practice is "covered" by HIPAA if the practice transmits any health information electronically in connection with a HIPAA "covered transaction." An example of a covered transaction is submitting a claim to a dental plan. A dental practice is also covered if someone else submits health information electronically on behalf of the practice (for example, a billing firm or clearinghouse).
A covered dental practice must comply with the HIPAA Privacy, Security and Breach Notification Rules. This resource only discusses compliance with the Breach Notification Rule. For more information about the other HIPAA rules, see The ADA Practical Guide to HIPAA Compliance Privacy and Security Kit, available through the ADA catalog.
For more information about whether a practice is a covered entity, see Are You a Covered Entity? (PDF) from the Centers for Medicare & Medicaid Services.
HIPAA is a federal law, but many states have also enacted breach notification laws that may apply to breaches of certain information in a dental practice. All dental practices must understand and comply with applicable state breach notification laws. If an applicable state law is contrary to HIPAA and more stringent than HIPAA, a covered dental practice must comply with the state law. For example, a state breach notification law may require faster notification than HIPAA requires.
What is the HIPAA deadline for sending notification of a breach of unsecured PHI?
The HIPAA notification timeframe is short, and applicable state law may require even faster notification, so it is important to train staff to report suspected breaches immediately, and to promptly investigate all such reports to determine whether a breach of unsecured PHI has occurred.
Individuals. HIPAA requires the covered practice to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after "discovery" of the breach.
If state breach notification law applies to a breach of PHI, and state law requires faster notification than HIPAA, the state law would probably apply because the state law would likely be considered "more stringent" than HIPAA.
OCR. If the breach involves 500 or more individuals, a covered dental practice must notify OCR without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. For breaches that affect fewer than 500 individuals, the dental practice must provide the Secretary with notice annually. Information and forms for notifying OCR of breaches are on the OCR web page Instructions for Submitting Notice of a Breach to the Secretary.
The Media. If media notification is required, the notification must be provided without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.
When is a breach considered "discovered"?
A breach is generally treated as "discovered" as of the first day the covered dental practice knows of the breach, or would have known of the breach if the dental practice had exercised reasonable diligence.
A covered dental practice is deemed to have knowledge of a breach when any person who is a workforce member or agent of the dental practice has knowledge of the breach. There is a limited exception that may apply if the only person who knows about a breach is the person who committed the breach.
It is important for a covered dental practice to implement reasonable systems for discovering breaches, because the dental practice can be liable for failing to provide notice of a breach that a workforce member or agent knew about but did not report, or that the dental practice would have known about if it had exercised reasonable diligence.
Who is required to provide notification of a breach of unsecured PHI?
The covered dental practice is responsible for providing notification of a breach of unsecured PHI, even if the breach was discovered or caused by an employee, independent contractor, or business associate. In some cases, the business associate agreement may assign breach notification obligations to the business associate. If a third party, such as a vendor, performs any breach notification activities on behalf of the dental practice, the third party is likely a business associate of the dental practice, so a compliant business associate agreement must be in place between the dental practice and the third party.
What information must the notification contain?
The notice must contain:
- A brief description of what happened, the date of the breach, and the date of discovery, if known.
- A description of the type of unsecured PHI involved. The description should include only a description of the type of information involved. It should not include the PHI itself, particularly if the PHI is sensitive (e.g., Social Security number).
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity is doing to investigate, mitigate harm, and protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information. Contact procedures must include a toll-free telephone number, email address, website, or postal address.
The notice should be written clearly, at an appropriate reading level, and should not include extraneous material that may diminish the message.
Covered entities must take reasonable steps to ensure meaningful communication to Limited English Proficient persons (notices may need to be translated). Effective communication with individuals who have disabilities may require accommodations such as providing notice in Braille, large print, or audio.
Covered dental practices must comply with applicable state law that is contrary to, but more stringent than, HIPAA. For example, if an applicable state breach notification law required additional information in the notification to individuals, a covered dental practice would likely have to provide the additional information in its notification letter.
Who must receive notification?
- The affected individuals
- The U.S. Department of Health and Human Services (through the Office for Civil Rights)
- In some cases, prominent media outlets, as described below
If the breach involves 500 or more residents of a particular state or jurisdiction, notification must be reported to prominent media outlets serving the affected state or jurisdiction (a "jurisdiction" refers to a geographic area smaller than a state—for example, a county or city).
For example, if a breach affects 200 people in Illinois, 200 people in Indiana, and 200 people in Iowa, the Covered Entity would not need to notify media outlets because the breach did not affect more than 500 persons in any one state. If the breach affected 600 people in Illinois and 600 people in Indiana, the Covered Entity would have to notify prominent media outlets in both states.
When notice to the media is required, it is in addition to and does not replace notice to the affected individuals.
How must notification be provided?
A breach of unsecured PHI requires notification to individuals, the Office for Civil Rights, and in some cases the media:
A. Providing notice to individuals
A dental practice must provide written notice to the affected individuals at their last known address by first class mail (or by email, if the individual has agreed to receive notice by email).
Urgent notice. In cases that the dental practice deems urgent (based on the possibility of imminent misuse of the PHI), the practice may give notice by telephone or other method. If a dental practice gives telephone or other notice in an urgent case, the practice must still provide written notice.
Deceased. If an affected individual is deceased, the dental practice should send notice to their next of kin or personal representative, if the individual had given the practice that contact information.
Minors and individuals lacking legal capacity. If the affected individual is a minor or otherwise lacks legal capacity due to a physical or mental condition, the dental practice should send notice to the individual's personal representative (such as a minor's parent or guardian).
Insufficient contact information. If a dental practice has insufficient or out-of-date contact information for any of the affected individuals, the practice may attempt to obtain correct or updated information and send the appropriate written notice to those individuals. If the dental practice is unable to obtain contact information, the practice must provide "substitute notice." Substitute notice should be provided as soon as reasonably possible after the dental practice is aware that it has insufficient or out-of-date contact information for one or more individuals. The means of providing substitute notice depends on whether the dental practice lacks contact information for fewer than 10 individuals, or for 10 or more individuals.
Substitute notice to fewer than 10 individuals. If a dental practice lacks sufficient or up-to-date contact information for fewer than 10 individuals, the dental practice must provide substitute notice that is reasonably calculated to reach the affected individuals. The dental practice may provide the notice via telephone or email (even if the individual has not agreed to receive notice via email), or the dental practice may post notice in its website or another location, so long as it is reasonably calculated to reach the affected individual.
Substitute notice to 10 or more individuals. A dental practice that has insufficient or out-of-date contact information for 10 or more individuals must post notice in one of two ways:
Option 1: Dental practice website. The dental practice may provide substitute notice to 10 or more individuals by posting a conspicuous notice for a period of at least 90 days on the homepage of the dental practice website. The dental practice may use a hyperlink to the notice on the homepage, as long as the hyperlink is prominent—the hyperlink should be noticeable given its size, color, and graphic treatment in relation to other parts of the page. The wording of the hyperlink should convey the nature and importance of the information. The hyperlink must link to a notice containing the required information. The notice must include a toll-free telephone number that will remain active for at least 90 days for individuals to call and inquire.
Option 2: Major print or broadcast media. The dental practice may provide substitute notice to 10 or more individuals by means of a conspicuous posting in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside. The practice must choose the major print or broadcast media in the geographic area(s) where the affected individuals are likely to reside that is most reasonably calculated to reach them. In a rural area, it may be the local newspaper. In an urban area, the newspaper serving the entire metropolitan area (or the entire state) may be more likely to reach the affected individuals. If the individuals live in different regions or states, it may be necessary to notify multiple media outlets. The notice should be conspicuous and noticeable (similar to the website notice discussed above) so as to be reasonably calculated to reach the affected individuals. The notice must include a toll-free telephone number that will remain active for at least 90 days for individuals to call and inquire.
B. Providing notice to OCR
A dental practice must keep a log of all breaches and report the breaches annually to OCR. Breach logs must be retained for a period of six years, and must be available to OCR upon request.
If a breach affects 500 or more individuals, the covered entity must notify OCR without unreasonable delay and in no case later than 60 days from the discovery of the breach.
C. Providing notice to the media
A dental practice must report breaches affecting more than 500 residents of a particular state or jurisdiction to prominent media outlets serving the affected state or jurisdiction (a "jurisdiction" is a geographic area smaller than a state, such as a county, city, or town). OCR expects that dental practices will use press releases to make such reports. The press release must be sent to a media outlet that is reasonably calculated to reach the affected individuals. The notice to the media must include a toll-free number.
Is it possible that the toll-free number in my substitute notice will result in too many calls?
Substitute notice must include a toll-free phone number that remains active for at least 90 days, and where an individual can learn whether his or her unsecured PHI may be included in the breach. If you are concerned about receiving calls from unaffected individuals, include information in the notice itself to help readers determine whether their information may have been included in the breach.
Let's say a dental practice discovers a breach of unsecured PHI involving more than 500 individuals in a single state or jurisdiction (so it needs to provide media notification), and the dental practice has insufficient contact information for more than 10 of the individuals (so it needs to provide substitute notice). If the dental practice elects not to provide substitute notice through its website, must the dental practice provide BOTH media notice AND substitute notice through the media?
The Breach Notification Rule appears to require that a dental practice in this situation must provide both a conspicuous posting for purposes of substitute notice and media notice in the form of a press release.
Is Puerto Rico considered a "state or jurisdiction" for purposes of providing media notice?
Yes. For purposes of the Breach Notification Rule, "State" includes the 50 U.S. states, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa and the Commonwealth of the Northern Mariana Islands.
How must a dental practice proceed if a law enforcement official instructs the dental practice to delay notification because sending notices would impede a criminal investigation?
HIPAA breach notification must be delayed if a law enforcement official determines that notification, notice, or posting would impede a criminal investigation or cause damage to national security.
If the law enforcement official provides the dental practice a statement in writing that specifies how long a delay is required, the dental practice must delay notification for that period of time.
If the law enforcement official provides oral instructions to the dental practice, the dental practice must document the statement and identity of the official and delay notification for no longer than 30 days, unless a written statement specifying the length of the delay required is received during the 30-day period.
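The thresholds and clocks described above (the 60-day window from discovery, the agent rule for business associates, the 500-individual OCR threshold, the per-state media threshold, the 10-individual substitute notice split, and the 30-day cap on an oral law-enforcement delay) can be combined into one decision routine. The following is an added worked example, not code from the ADA or OCR; the `Breach` record, its field names and the sample counts are constructed, and it follows the "more than 500 residents of one state" wording used in the media-notice section. It assumes that a law-enforcement delay pushes the 60-day deadline out by the length of the delay.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds and clocks as the FAQ states them (45 CFR 164.400-414).
NOTICE_WINDOW_DAYS = 60            # "in no case later than 60 calendar days after discovery"
OCR_IMMEDIATE_THRESHOLD = 500      # 500 or more individuals: OCR notice within the 60-day window
MEDIA_PER_STATE_THRESHOLD = 500    # more than 500 residents of ONE state or jurisdiction
SUBSTITUTE_POSTING_THRESHOLD = 10  # 10 or more unreachable people: 90-day website or media posting
ORAL_LE_DELAY_MAX_DAYS = 30        # oral law-enforcement request: delay no longer than 30 days


@dataclass
class Breach:
    practice_learned_on: str                     # ISO date the practice itself learned of the breach
    residents_by_state: Dict[str, int]           # constructed sample, e.g. {"IL": 600, "IN": 600}
    unreachable: int = 0                         # affected people with no usable contact information
    ba_discovered_on: Optional[str] = None       # ISO date a business associate discovered the breach
    ba_is_agent: bool = False                    # BA is the practice's agent under the common law of agency
    le_written_delay_days: Optional[int] = None  # days specified in a written law-enforcement statement
    le_oral_request: bool = False                # law enforcement asked orally, no written statement yet


def discovery_date(b: Breach) -> date:
    """A breach is discovered when the practice knew, or should have known, of it.
    If the business associate is the practice's agent, the agent's discovery date counts."""
    if b.ba_is_agent and b.ba_discovered_on:
        return date.fromisoformat(b.ba_discovered_on)
    return date.fromisoformat(b.practice_learned_on)


def law_enforcement_delay_days(b: Breach) -> int:
    """Days notification is delayed at law enforcement's request (a written period wins)."""
    if b.le_written_delay_days is not None:
        return b.le_written_delay_days
    return ORAL_LE_DELAY_MAX_DAYS if b.le_oral_request else 0


def substitute_notice(unreachable: int) -> str:
    """Which form of substitute notice the FAQ calls for, by head count."""
    if unreachable == 0:
        return "none"
    if unreachable < SUBSTITUTE_POSTING_THRESHOLD:
        return "telephone, email or posting reasonably calculated to reach them"
    return "conspicuous 90-day website posting or major print/broadcast media, with a toll-free number"


def obligations(b: Breach) -> dict:
    """Work out who must be told, and by when, for one breach of unsecured PHI."""
    disc = discovery_date(b)
    total = sum(b.residents_by_state.values())
    # Assumption: a law-enforcement delay pushes the 60-day deadline out by the delay period.
    deadline = disc + timedelta(days=NOTICE_WINDOW_DAYS + law_enforcement_delay_days(b))
    return {
        "discovery_date": disc.isoformat(),
        "individual_notice_deadline": deadline.isoformat(),
        "ocr_notice": ("within the 60-day window" if total >= OCR_IMMEDIATE_THRESHOLD
                       else "annual submission from the breach log"),
        # Media notice is judged per state or jurisdiction, not on the grand total.
        "media_notice_states": sorted(s for s, n in b.residents_by_state.items()
                                      if n > MEDIA_PER_STATE_THRESHOLD),
        "substitute_notice": substitute_notice(b.unreachable),
    }


if __name__ == "__main__":
    # The FAQ's own two media-notice scenarios, plus a constructed agent/law-enforcement variant.
    spread = Breach("2013-10-01", {"IL": 200, "IN": 200, "IA": 200})
    concentrated = Breach("2013-10-01", {"IL": 600, "IN": 600}, unreachable=12)
    via_agent = Breach("2013-10-15", {"IL": 50}, ba_discovered_on="2013-10-01",
                       ba_is_agent=True, le_oral_request=True)
    for name, b in [("spread", spread), ("concentrated", concentrated), ("via_agent", via_agent)]:
        print(name, obligations(b))
```

Note that the 200/200/200 case still crosses the 500-individual OCR threshold in total even though no single state exceeds 500, so OCR is notified within the window while no media notice is due.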
When did the Breach Notification Rule go into effect?
The HIPAA Breach Notification Rule went into effect on September 23, 2009, and sanctions may be imposed for breaches that are discovered on or after February 22, 2010. The 2013 Omnibus Final Rule changed the requirements for complying with the Breach Notification Rule effective March 26, 2013, and covered dental practices must be in compliance with the new rules by September 23, 2013.
What are the penalties for failure to comply with the Breach Notification Rule?
Sanctions for failure to comply with HIPAA include penalties that can reach thousands, or even millions, of dollars.
Where can I find the text of the Breach Notification Rule?
The OCR website has the Combined Regulation Text of All Rules. The PDF of the combined text includes the Security, Privacy and Breach Notification Rules.
The Breach Notification Rule begins on page 71 of the PDF and includes § 164.400 through § 164.414.