Incident Response 101: What Should You Document and Report after a HIPAA Breach?

HIPAA Breach ReportingIn the first two installments of this series discussing the next steps HIPAA regulated organizations must take after a security breach. So far, we have looked at:

Who is Required to Report a Breach?

When Do You Need to Report a Breach?

Next, let’s discuss what is to be reported following a data breach in your organization.

Disclaimer, we’re not a law firm and I don’t provide legal advice. The nuances of regulatory language and of each organization’s unique considerations depending on the type and severity of a potential breach can be extremely complex but I think these guidelines can point your team’s Incident Response & Reporting Strategy in the right direction.

Notification of Breach Under HIPAA

In a (very generalized, don’t base your whole plan just on this) nutshell, Covered Entities and Business Associates who have discovered leaked or breached data must report the incident to their patients, the Secretary of Health and Human Services and possibly even to the media. Who is responsible for the reporting may be specified in a Business Associate Agreement (but, ultimately, both parties are still responsible for the data). When and how the breach must be reported may depend on the number of individuals affected and the organization’s ability to reach those individuals in a timely fashion.

Notification to Affected Individuals

When determining what needs to be disclosed to affected individuals, you may need to call in legal expertise if you have not already done so. Those whose information was compromised need to be told:

What patient data was compromised, for example –

  • Personal information (name, address, Social Security number, etc.)
  • Medical information (diagnoses, prescriptions, etc.)
  • Financial information (banking, credit card, payment, etc.)
  • Account information (user name, password, etc

The next steps they should take, for example –

  • Change username and/or password
  • Notify bank/credit card company or watch those accounts
  • Subscribe to credit monitoring services (which your organization may determine is appropriate to provide for affected individuals)

The next steps your organization is taking, for example –

  • Investigating the cause of the breach
  • Mitigating and remediating the cause of the breach
  • Preventing such a breach from happening again

Contact Information for more details.

You will need to provide a toll free number for at least 90 days.

This information should all be posted on your website as well as, if necessary, shared with appropriate media channels.

Notification to Media

Even in the event of a small breach of data, if you cannot reach more than ten affected individuals by mail, email, or phone, you will need to notify major media outlets those individuals would be likely to see. If the breach affects more than 500 people, you will be required to notify appropriate media channels.

Before sharing information with the media, you will want to engage your Marketing team and probably legal advisors as well. Your Marketing team (or a marketing agency/PR firm) can help identify the right media outlets to work with and help with critical messaging that can avoid or minimize the potential for damage to your organization’s brand and reputation.

For breaches affecting over 500 individuals, your organization will also be listed on the OCR Breach Report.

Notification to the Secretary of Health & Human Services

Finally, you must notify the Secretary of Health and Human Services of the loss of patient data. The urgency of this required notification depends on the number of affected individuals. If data was compromised for more than 500 patients/clients/employees, HHS requires notification within 60 days. If there were fewer than 500 people impacted, you have the option to wait to make a report but it must be made within 60 days after the end of the calendar year in which the breach occurred.

To notify the Office of the Secretary of Health and Human Services, use the OCR Portal to enter the required details. If you are unsure of the exact number of individuals affected, you can estimate for this notification and revise your report later as necessary. The first question asked on the portal is whether you are filing a new report or an addendum to an existing report. If you have suffered a breach, be sure to file the report within the required timeframe even if you have missing or incomplete information. You will inevitably learn more in the course of your investigation that may require an addendum to be filed to give HHS a clear picture of the cause and steps you have taken to correct any issues.

You must complete all requested information on the Portal form to the best of your ability. In this Portal, you will be asked:

Are you a Covered Entity (CE), Business Associate (BA), CE filing for a BA, or BA filing for a CE.

You will need to give your organization’s contact information as well as that of the CE or BA that was also involved.

Detailed account of what happened:

  • Breach dates
  • Discovery dates
  • Type and location of the breach
  • Type of data involved Reporting a HIPAA Data Breach to OCR
  • A brief description or overview of the incident
  • and Safeguards in place prior (simply indicate: None, Privacy Rule, Security Rule, Administrative Rule, Physical Security Rule, and/or Technical)Reporting a HIPAA Data Breach to OCR

Notice of Breach and Actions Taken:

  • Individual notice start date, end/expected end date
    • Was substitute notice required for individuals who could not be reached?
    • Was media notice necessary?
  • Actions taken by your organization in response to the breachReporting a HIPAA Data Breach to OCR

Attestation:

Finally, you will need to complete the Attestation to the correctness and completeness of the information you are submitting.

Documentation and Potential for Investigation

If there is any chance (hint, there is always a chance) that OCR officials will question any details of your report, that the breach may trigger an audit, or that your organization may be selected for an audit (random or otherwise) in the future, you need to be sure that everything you have done, everything you have discovered, and everything you have reported is well documented.

This may require one point person with excellent attention to detail (possibly one of your legal advisors) to gather and organize all the information pertinent to the breach and your response. Maintain records of your attempts to notify individuals, your contact with media, and the reports and addendum(s) you have filed with the Office of the Secretary.

Your network and system log files will also be critical in documenting the technical evidence of when and how the breach occurred. This should be the easy part of documentation. If your system log data is not gathered reliably or in a way that is easy to understand and use, a good log management tool can save you from unnecessary headaches following a breach.

You may also be interested in the final installment of this series:

Subscribe Today to receive our monthly email newsletter
including new blog articles, news, and security awareness tips!