HIPAA Regulatory Alert

Breach notification process spelled out

HITECH is very specific about actions to take

Although prior privacy requirements called for home health agencies to notify patients when a breach of privacy was discovered, the Health Information Technology and Economic and Clinical Health Act of 2009 (HITECH) specifically identifies time frames and content of notifications.

Once a home health agency discovers a breach of unsecured protected health information, each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed, must be notified no later than 60 days after discovery.

Notifications must include:

• a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

• a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

• any steps individuals should take to protect themselves from potential harm resulting from the breach;

• a brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches;

• contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.

All of the notifications must be made in writing, and they must be written in plain language.

The notifications can be mailed or, if the individual has approved electronic communications, sent by e-mail.

Special circumstances, such as death of the individual, incorrect mailing address, or urgent need to contact individual also are addressed in the requirements.