While there is not a prescribed form for notice, the regulations do require some specific elements, including:
- Description of the breach and the dates, if known;
- Description of the protected health information involved;
- Steps the affected individual should take to protect themselves (e.g., cancel credit cards);
- Description of the steps being taken by the covered entity; and
- Contact information to obtain more information, which must include a toll-free telephone number, e-mail or postal address, or Web site.
If the entity does not have adequate contact information for 10 or more of the individuals involved, notice can be accomplished by a conspicuous posting on the entity’s Web site for at least 90 days, or a posting in print or broadcast media. In either case, an active toll-free telephone number where individuals can find out if they were affected must be available for 90 days.
If a breach involves more than 500 people from any one state, notification must include prominent media outlets. Moreover, the covered entity must notify the HHS secretary at the time notice is provided to affected individuals. Breaches involving fewer than 500 individuals must be reported annually through the Office of Civil Rights Web site.
Sanctions and Penalties
HHS is required to audit, investigate, and impose civil monetary penalties for offenses resulting from willful neglect. Fortunately, HHS has indicated that it will not be imposing sanctions for unintentional violations of the notification requirements until March. This gives providers some time to implement the necessary processes. Nonetheless, it is important to implement compliance processes now, as the penalties for noncompliance can be severe. Under the new law, penalties are tiered based on knowledge, and are capped at $1.5 million annually.
For more information about HIPAA, visit www.hhs.gov/ocr/privacy.
Patrick T. O’Rourke works in the Office of University Counsel at the University of Colorado Denver. Kari Hershey is a public relations consultant with Budman & Hershey, LLC, in Denver.