What To Do When There is a Breach of Protected Health Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect the privacy of individually identifiable health information, known as protected health information (PHI). HIPAA was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 to expand the scope of the privacy and security provisions of HIPAA. HIPAA, HITECH and the enabling regulations provide that when there is a breach of PHI, a covered entity, which includes a health and welfare plan, must provide notice of the breach to all individuals whose PHI was accessed, acquired, used, or disclosed as a result of the breach. The health plan must notify individuals without unreasonable delay and in no case later than 60 days after discovery of the breach, and the notification must include the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach; and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.

A covered entity must also provide notice of the breach to the Secretary of the Department of Health and Human Services (HHS). If the breach involves fewer than 500 individuals, the covered entity must maintain a log of all breaches involving fewer than 500 individuals for the calendar year and, within 60 days after the end of each calendar year, provide notice of those breaches to HHS. If the breach involves 500 or more individuals, the covered entity must provide notice to HHS contemporaneously with the notice to individuals and must notify HHS through HHS’s website. Further, if the breach involves 500 or more individuals in a state or jurisdiction, the covered entity must notify prominent media outlets serving the state or jurisdiction, which may include a daily newspaper or local television station.

For more information about what to do in the event of a breach of PHI, please contact your Trust Fund counsel.

By Ezekiel D. Carder

Legal Developments