Healthcare organizations must notify individuals of breaches promptly, within 60 days of discovery, primarily through written notice sent by first-class mail. Electronic notification is allowed with explicit consent and secure methods. Prohibited methods include unsecured channels like text messages and personal emails. Notifications should be clear, detail the breach, advise protective actions, and maintain a respectful tone.
Under the HIPAA Breach Notification Rule, covered entities must notify individuals if their protected health information (PHI) has been compromised. According to HHS, "a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information." Definitive Healthcare also found that "as of the end of February 2024, the number of healthcare data breaches for the year was already nearly 100."
Healthcare organizations must therefore conduct thorough risk assessments to determine the likelihood of the PHI being compromised and the potential impact on affected individuals.
Healthcare organizations must notify affected individuals without undue delay and no later than 60 days from discovering the breach unless law enforcement delays notification. Early notifications empower individuals to protect themselves from potential harm. Delays in notification can undermine patient trust and compliance with legal requirements, potentially leading to regulatory penalties.
HIPAA does not allow unsecured methods such as regular text messages, personal email accounts, or social media due to the heightened risk of unauthorized access. Faxing is discouraged unless healthcare organizations can ensure secure transmission, as traditional fax machines are vulnerable to interception.
Provide breach notifications in languages spoken by diverse patient populations to ensure understanding and compliance among all affected individuals. This practice meets regulatory requirements and demonstrates respect for cultural and linguistic diversity within the patient community. Healthcare organizations should maintain a list of commonly spoken languages among their patient population and have access to translation services or bilingual staff to facilitate accurate communication.
Notifications must be accessible to individuals with disabilities to ensure equal access to information. Use larger font sizes and plain language in written notices to enhance readability. For electronic notices, ensure compatibility with screen readers and other assistive technologies commonly used by individuals with visual impairments or other disabilities. Providing alternative formats upon request, such as Braille or audio recordings, further enhances accessibility and compliance with accessibility standards.
No, HIPAA does not permit using social media or public forums to notify individuals of a breach. Healthcare organizations should send notifications securely via first-class mail or secure electronic communications.
HIPAA breach notification requirements apply to the PHI of deceased individuals. Healthcare organizations should notify the next of kin or personal representative of the deceased person, as applicable, using the same notification methods as for living individuals.
If a device containing PHI is lost or stolen, healthcare organizations must conduct a risk assessment to determine whether the PHI on it was encrypted or otherwise rendered unreadable. If the PHI was unencrypted, notification to affected individuals is typically required.