HIPAA Breach Notifications for Employers
By Brian Gilmore | Published October 16, 2020
**Question:** How do employers determine whether a HIPAA breach has occurred, and what are the employer’s breach notification obligations?
**Short Answer:** Once the employer determines that a breach of unsecured PHI has occurred in a self-insured health plan, HIPAA requires notice to the affected individuals, HHS, and in some cases the media, depending on the scope of the breach.
Reminder: HIPAA Privacy and Security Rules Apply to “Covered Entities”
The HIPAA privacy and security rules apply to the following Covered Entities:
- Health Plans
  - Employer-sponsored group health plans
  - Health insurance carriers (including HMOs)
  - Government health programs (Medicare, Medicaid, IHS, TRICARE, etc.)
- Health Care Clearinghouses
- Health Care Providers (transmitting health information electronically)
  - Doctors, nurses, hospitals, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.
Typical employer-sponsored group health plans subject to these HIPAA privacy and security rules include:
Medical
Dental
Vision
Health FSA
HRA
EAP
Wellness Programs
For more details, see our Newfront Office Hours Webinar: HIPAA Training for Employers.
Definition of a HIPAA Breach
A HIPAA breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information (PHI) in a manner not permitted, which compromises the security or privacy of the PHI.
PHI is individually identifiable health information maintained or transmitted by a covered entity or business associate. PHI is considered “unsecured” where it is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of encryption (or destruction). HHS has a useful guide to encryption standards for this purpose here: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
Important Note: The exclusion of enrollment/disenrollment information from the definition of PHI subject to HIPAA protection significantly limits the scenarios where a breach may occur. Enrollment/disenrollment information held by the covered entity in its role as employer is considered an employment record that is not PHI, provided such records do not include any substantial clinical information. For more details, see our Newfront Office Hours Webinar: HIPAA Training for Employers.
Determining Whether a Breach Has Occurred: The Risk Assessment
An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. This analysis is referred to as the risk assessment.
The risk assessment must be based on at least the following factors:
The nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
The unauthorized person who used or had access to the PHI;
Whether the PHI was actually acquired or viewed; and
The extent to which the risk to the PHI has been mitigated.
Given the presumption of a breach in the revised HITECH Act regulations, it is difficult for a covered entity or business associate to come to the conclusion that a breach has not occurred where there has been an impermissible use or disclosure of unsecured PHI.
Determining Whether a Breach Has Occurred: The Three Exclusions from Breach
The regulations carve out three specific situations where there is no HIPAA breach despite the impermissible use or disclosure of unsecured PHI:
Unintentional Access/Use of PHI by Workforce Member: If a person acting under the authority of a covered entity or business associate unintentionally acquires, has access to, or uses PHI while acting in good faith and within the scope of that authority, this mistaken access by a workforce member will not rise to a HIPAA breach as long as the mistake does not result in further impermissible uses or disclosures of PHI.
Example: A People Ops employee within the HIPAA firewall is tasked with plan administrative functions for the dental and vision plan. The employee unintentionally accesses claims information for an employee related to the medical plan (e.g., because of an internal systems error) despite no plan-related need to know that claims information. This would likely fall within the exception.
Inadvertent Disclosure of PHI to Authorized Person: If a person who is authorized to access PHI at a covered entity or business associate inadvertently discloses PHI to another person authorized to access PHI at the same covered entity or business associate, this mistaken disclosure will not rise to a HIPAA breach as long as the disclosure is not further used or disclosed impermissibly.
Example: A People Ops employee within the HIPAA firewall is tasked with plan administrative functions for the dental and vision plan. The employee unintentionally has access to claims information for an employee related to the medical plan (e.g., because of a misdirected internal email) despite no plan-related need to know that claims information. This would likely fall within the exception.
**No Reasonable Ability to Access PHI:** There is no HIPAA breach if the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Example: A health plan employee mistakenly sends a participant’s EOB by regular mail to the incorrect address, and the letter is returned unopened by the post office as undeliverable. This would likely fall within the exception.
**Breach Notification Step #1:** Notice to Affected Individuals
Upon discovering a breach of unsecured PHI, the covered entity must notify the affected individuals without unreasonable delay, and in no event later than 60 calendar days following discovery of the breach (or, if earlier, when the breach would have been discovered by exercising reasonable diligence). Note that 60 days is an outer limit. Notification may need to be sooner under the underlying “without unreasonable delay” governing standard.
How to Provide the Notice:
The notice generally must be in writing and provided by first-class mail to the last known address of the individual (or by email if the individual has agreed to electronic notice).
If the contact information is insufficient or out-of-date, the covered entity must use “substitute notice.” If there are 10 or fewer individuals subject to substitute notice, the covered entity must use an alternative form of written notice, telephone, or other means. If there are 10 or more individuals subject to substitute notice, the substitute notice must be a conspicuous posting for 90 days on the home page of the covered entity’s website, or a conspicuous notice in major print or broadcast media in geographic areas where the affected individuals likely reside.
If the covered entity determines that notice is urgent because of possible imminent misuse of the unsecured PHI, the covered entity may provide notice by telephone or other means, as appropriate.
Content of the Notice:
The notice must include the following elements written in plain language:
A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
A description of the types of unsecured PHI that were involved in the breach (such as whether full name, SSN, DOB, home address, account number, diagnosis, disability code, or other types of information were involved);
Any steps the individuals should take to protect themselves from potential harm resulting from the breach;
A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
Contact procedures for individuals to ask questions or learn additional information, including toll-free phone number, email address, website, or postal address.
**Breach Notification Step #2:** Notice to HHS
Breaches Involving Fewer Than 500 Individuals:
For breaches of unsecured PHI involving fewer than 500 individuals, the covered entity must report the breach to HHS via its website within 60 days of the end of the calendar year (i.e., by the end of February of the year following the breach). The covered entity must maintain a contemporaneous log of any such breaches that occur during the year to later use when completing the reporting requirement.
Breaches Involving 500 or More Individuals:
For breaches of unsecured PHI involving 500 or more individuals, the covered entity must report the breach to HHS via its website without unreasonable delay, and in no event later than 60 calendar days following discovery of the breach (or, if earlier, when the breach would have been discovered by exercising reasonable diligence).
Breaches are reported to HHS via its website here: https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
HHS maintains a publicly accessible list of HIPAA breaches affecting 500 or more individuals that have been reported within the last 24 months here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
**Breach Notification Step #3:** Notice to the Media (500+ Only)
Covered entities are required to notify prominent media outlets serving the state or jurisdiction if the breach of unsecured PHI involves more than 500 residents of a state or jurisdiction.
The covered entity must report the breach to the media without unreasonable delay, and in no event later than 60 calendar days following discovery of the breach. The notice to the media must include the same content as is required in the notice to the affected individuals.
What if the Breach Occurs at an Insurance Carrier of a Fully Insured Plan?
In this case, the insurance carrier is directly responsible for satisfying all of the applicable HIPAA breach notification obligations because the carrier is itself a HIPAA covered entity. There is no action item for the employer plan sponsor.
What if the Breach Occurs at a Business Associate of a Self-Insured Plan?
Business associates include any third-party that creates, receives, maintains, or transmits PHI on behalf of the covered entity. For more details, see our prior post: When is a HIPAA BAA Required?
A prototypical example would be the TPA for a self-administered plan that acts as the ASO and claims administrator. Note that in many cases the TPA for a self-insured plan is an entity that also acts as an insurance carrier for many plans. However, when acting as a TPA for a self-insured plan, the entity is taking the role as a business associate rather than an insurance carrier/covered entity.
Where the breach occurs at a business associate, the business associate must notify the covered entity of the breach. The covered entity is then responsible for satisfying the breach notification obligations described above, even though the breach occurred at one of its business associates.
Under the standard HIPAA rules, business associates must notify the covered entity of the breach without unreasonable delay, and in no event later than 60 calendar days following discovery of the breach (or, if earlier, when the breach would have been discovered by exercising reasonable diligence). However, many BAAs include terms that provide a shorter outer limit (e.g., 15 calendar days) for the business associate to notify the covered entity of the breach, to ensure that the covered entity has sufficient time to satisfy its own breach notification obligations. Where the business associate is acting as an agent of the covered entity, the covered entity’s 60-day outer notification limit runs from the date the business associate discovers the breach, not from the date the business associate notifies the covered entity.
Lastly, in some situations the terms of the BAA will expressly delegate the breach notification obligations to the business associate. In these arrangements, the business associate will be contractually obligated to notify the affected individuals, HHS, and (if applicable) the media on behalf of the covered entity. This arrangement is generally preferred from the covered entity’s perspective because the business associate that suffered the breach is generally a) a large entity specialized in health plan administration and experienced in HIPAA breach notification obligations, and b) in a better position to satisfy the requirements by virtue of having already assessed the situation that occurred within its systems.
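To keep the deadlines and thresholds from Steps #1 through #3 and the business associate discussion straight in an incident-response tracker, the following is an added Python example (not code from the original post or from Newfront) that encodes the rules as this page describes them, including the agent versus independent-contractor discovery-date distinction. The `Breach` dataclass, its field names, and the sample figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds and periods as described on this page (45 CFR 164.404-164.408).
OUTER_LIMIT_DAYS = 60          # "in no case later than 60 calendar days"
HHS_LARGE_BREACH = 500         # HHS: 500 or more individuals -> report with individual notice
MEDIA_RESIDENTS = 500          # media: MORE than 500 residents of one state
SUBSTITUTE_CUTOFF = 10         # fewer than 10 unreachable -> alternative means
POSTING_DAYS = 90              # website posting / toll-free line duration


@dataclass
class Breach:
    """Facts an incident-response team records for one incident (hypothetical model)."""
    ce_discovered: date                      # first day the covered entity knew or should have known
    individuals: int                         # total affected individuals
    residents_by_state: Dict[str, int]       # affected residents per state, e.g. {"CA": 700}
    unreachable: int = 0                     # individuals with insufficient/out-of-date contact info
    ba_discovered: Optional[date] = None     # discovery date at a business associate, if any
    ba_is_agent: bool = False                # BA acts as the CE's agent under the BAA / common law


def discovery_date(b: Breach) -> date:
    """An agent BA's discovery is imputed to the covered entity; an independent
    contractor's is not, so the CE's own discovery date governs (74 Fed. Reg. 42754)."""
    if b.ba_discovered is not None and b.ba_is_agent:
        return min(b.ce_discovered, b.ba_discovered)
    return b.ce_discovered


def obligations(b: Breach) -> dict:
    """Return the notification deadlines and forms that follow from the breach facts."""
    d = discovery_date(b)
    outer = d + timedelta(days=OUTER_LIMIT_DAYS)
    out = {"discovery": d, "individual_notice_by": outer}

    # Step 2: HHS. 500+ -> contemporaneous with individual notice; otherwise keep a log
    # and report within 60 days after the end of the calendar year of discovery.
    if b.individuals >= HHS_LARGE_BREACH:
        out["hhs_notice_by"] = outer
        out["log_required"] = False
    else:
        out["hhs_notice_by"] = date(d.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)
        out["log_required"] = True

    # Step 3: media, evaluated per state, only where MORE than 500 residents are affected.
    media_states = sorted(s for s, n in b.residents_by_state.items() if n > MEDIA_RESIDENTS)
    out["media_states"] = media_states
    out["media_notice_by"] = outer if media_states else None

    # Substitute notice for individuals who cannot be reached by first-class mail or e-mail.
    if b.unreachable == 0:
        out["substitute_notice"] = None
    elif b.unreachable < SUBSTITUTE_CUTOFF:
        out["substitute_notice"] = "alternative written notice, telephone, or other means"
    else:
        out["substitute_notice"] = (f"{POSTING_DAYS}-day conspicuous website posting or major "
                                    f"media notice, plus a toll-free number active {POSTING_DAYS} days")
    return out


# Constructed sample: an agent TPA found the incident two weeks before the plan sponsor did.
SAMPLE = Breach(ce_discovered=date(2020, 3, 15), individuals=1200,
                residents_by_state={"CA": 700, "NV": 500}, unreachable=12,
                ba_discovered=date(2020, 3, 1), ba_is_agent=True)

if __name__ == "__main__":
    for key, value in obligations(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, the deadline runs from the business associate's March 1 discovery rather than the plan sponsor's March 15, and Nevada's exactly 500 residents does not trigger media notice because the media rule requires more than 500.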
For a full recorded HIPAA training session, see our Newfront Office Hours Webinar: HIPAA Training for Employers.
Regulations
45 CFR §164.402:
As used in this subpart, the following terms have the following meanings:
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
(1) Breach excludes:
(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.
45 CFR §164.404:
(a) Standard.
(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, §§164.406(a) and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).
(b) Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(c) Implementation specifications: Content of notification.
(1) Elements. The notification required by paragraph (a) of this section shall include, to the extent possible:
(A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(C) Any steps individuals should take to protect themselves from potential harm resulting from the breach;
(D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
(2) Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language.
(d) Implementation specifications: Methods of individual notification. The notification required by paragraph (a) of this section shall be provided in the following form:
(1) Written notice.
(i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.
(ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under §164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.
(2) Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii).
(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.
(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:
(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
(B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.
(3) Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section.
45 CFR §164.406:
(a) Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in §164.404(a)(2), notify prominent media outlets serving the State or jurisdiction.
(b) Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(c) Implementation specifications: Content of notification. The notification required by paragraph (a) of this section shall meet the requirements of §164.404(c).
45 CFR §164.408:
(a) Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in §164.404(a)(2), notify the Secretary.
(b) Implementation specifications: Breaches involving 500 or more individuals. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in §164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by §164.404(a) and in the manner specified on the HHS Web site.
(c) Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.
74 Fed. Reg. 42740, 42754 (Aug. 24, 2009):
If a business associate is acting as an agent of a covered entity, then, pursuant to § 164.404(a)(2), the business associate’s discovery of the breach will be imputed to the covered entity. Accordingly, in such circumstances, the covered entity must provide notifications under § 164.404(a) based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. In contrast, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach. As reflected in the comments we received in response to the timing of business associate notification to a covered entity following a breach, covered entities may wish to address the timing of the notification in their business associate contracts
78 Fed. Reg. 5565, 5581-5656 (Jan. 25, 2013):
An analysis of whether a business associate is an agent will be fact specific, taking into account the terms of a business associate agreement as well as the totality of the circumstances involved in the ongoing relationship between the parties. The essential factor in determining whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. The right or authority to control the business associate’s conduct also is the essential factor in determining whether an agency relationship exists between a business associate and its business associate subcontractor. Accordingly, this guidance applies in the same manner to both covered entities (with regard to their business associates) and business associates (with regard to their subcontractors).
…
Because of the agency implications on the timing of breach notifications, we encourage covered entities to discuss and define in their business associate agreements the requirements regarding how, when, and to whom a business associate should notify the covered entity of a potential breach.
Brian Gilmore
Lead Benefits Counsel, VP, Newfront
Brian Gilmore is the Lead Benefits Counsel at Newfront. He assists clients on a wide variety of employee benefits compliance issues. The primary areas of his practice include ERISA, ACA, COBRA, HIPAA, Section 125 Cafeteria Plans, and 401(k) plans. Brian also presents regularly at trade events and in webinars on current hot topics in employee benefits law.