HIPAA Breach Notification: What You Need to Know

As a chiropractic practice, you have specific responsibilities under HIPAA. One such responsibility is reporting breaches that compromise the privacy or security of patient information. To report breaches correctly and to avoid fines for improper reporting, it is essential to understand the breach notification rules.

What is a Reportable Breach?

Not all incidents are considered breaches. For instance, if an encrypted device containing electronic protected health information (ePHI) is lost or stolen, the incident is not a reportable breach. Why? Because the ePHI cannot be accessed by an unauthorized party. If the information on the device is not encrypted, the incident is a reportable breach.

Other instances in which an incident is a breach include:

  • Hacking incidents.
  • Unauthorized access to PHI (whether it be an outside party or a member of your workforce accessing PHI without cause).
  • Improper disposal of medical records.
  • Loss or theft of paper medical records.

When Should Breaches Be Reported?

There are two classifications of breaches that chiropractic practices should be aware of: breaches affecting fewer than 500 patients and breaches affecting 500 or more patients. These two classifications have different reporting requirements.

  • Fewer than 500 patients affected: these breaches can be documented throughout the calendar year and reported in one breach report to the Department of Health and Human Services (HHS). These breach reports must be submitted by March 1st of the following year (i.e., a small-scale breach occurring in June 2023 would be reportable by March 1, 2024).
  • 500 or more patients affected: these breaches have stricter reporting requirements. Larger breaches must be reported to HHS within 60 days of discovering the incident.

Who Else Do You Need to Report Breaches to?

Other than the government, breaches must also be reported to affected patients without unreasonable delay. Essentially, patients must be notified in writing within 60 days of discovery. Healthcare organizations must also notify local media outlets if the breach affected 500 or more patients. Lastly, incidents involving criminal activity must be reported to law enforcement for investigation. If a breach compromises the privacy of Social Security numbers, credit monitoring services must be notified, and patients must be offered complimentary identity theft protection and credit monitoring services.

What to Include in Patient Breach Notification Letters

Breach notification letters must include the following information:

  • A brief description of the breach.
  • A description of the types of information that were involved in the breach.
  • The steps affected individuals should take to protect themselves from potential harm.
  • A brief description of what the breached entity is doing to investigate the breach, mitigate the harm, and prevent further breaches.
  • Contact information for the breached entity.

State Breach Notification Requirements

It is important to note that some states have stricter breach notification laws than HIPAA. Where state law is stricter, practices must comply with the requirements of the state law.

Compliancy Group’s simplified software solution, coupled with Compliance Coach® guidance, helps chiropractors achieve HIPAA compliance with ease. With Compliancy Group, ACA’s Preferred HIPAA Solution, chiropractors can be confident in their compliance program. Find out more about Compliancy Group and HIPAA compliance.


Image credit: Christina Morillo