
Running Head: STEPS YOU WOULD TAKE WHEN: 1

Steps you would take when conducting a Federally mandated breach notification in the event of a Health care data breach

HCIN-544-02-SU17 - Advanced Health Care Information Management

Amrit Virdee

University of San Diego

July 28th 2017



The HIPAA Breach Notification Rule mandates that HIPAA covered entities provide notification following a breach of unsecured protected health information. The Secretary of the US Department of Health and Human Services (HHS) must be notified of the breach by using a web portal located at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true. The obligations for reporting a breach differ based on whether more or fewer than 500 individuals were involved in the breach. If the number of individuals affected by a breach is unknown, an estimate can be used, which can then be updated on the portal if additional information is discovered. The steps required for notification can be broken down into three critical steps: sending individual notices, providing information via a media channel, and notifying the Secretary about the breach. Which of these apply depends on how many individuals were affected by the breach.

The first step would be to send individual notices to all affected individuals without unreasonable delay and no later than 60 days following the discovery of the breach, in written form sent via first class mail, or via email if the individual has agreed to receive such notices. The individual notices must include a brief description of the breach, the types of information that may have been disclosed, the steps affected individuals need to take to protect themselves from potential harm, covered entity contact information, and a description of what the covered entity is investigating, how it is mitigating any harm, and how it will prevent further breaches. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must then provide a substitute notice, such as a posting on a website for at least 90 days or a notice in major print or broadcast media. The substitute notice must include a toll-free number that concerned individuals can call to learn more about the breach. This number must remain active for at least 90 days.

The second step involves sending a media notice in the form of a press release without unreasonable delay and no later than 60 days following the discovery of the breach. The media notice requirement only applies to breaches that involve 500 or more individuals of a State or jurisdiction. The media outlets utilized must serve that affected State or jurisdiction.

The third step involves notifying the Secretary through the online portal mentioned above. If the breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and no later than 60 days after the discovery of the breach. If the breach affects fewer than 500 individuals, the covered entity may notify the Secretary on an annual basis, no later than 60 days after the end of the calendar year in which the breach was discovered.
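The following is an added illustration and is not part of the original paper: a small Python helper that turns the thresholds and outer deadlines described in the three steps above (60 days after discovery, the 500-individual threshold for media and immediate Secretary notice, the 10-individual threshold for substitute notice, the 90-day minimum for the web posting and toll-free line, and annual reporting by 60 days after year end for smaller breaches) into a notification checklist an incident-response team could keep beside the breach log. The data structure, function names, constant names and sample breach figures are my own assumptions, not taken from the Rule or from HHS.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures as stated in the summary of the Breach Notification Rule above.
# The constant names are my own.
OUTER_LIMIT_DAYS = 60              # "no later than 60 days" after discovery / year end
LARGE_BREACH_THRESHOLD = 500       # 500 or more individuals
SUBSTITUTE_NOTICE_THRESHOLD = 10   # contact details missing for 10 or more people
SUBSTITUTE_NOTICE_MIN_DAYS = 90    # web posting and toll-free number stay up 90 days


@dataclass
class BreachFacts:
    """Facts recorded at discovery (hypothetical structure, not from the Rule)."""
    discovered: date
    affected_by_jurisdiction: dict[str, int]   # state/jurisdiction -> individuals affected
    unreachable_individuals: int = 0           # insufficient or out-of-date contact info


def total_affected(facts: BreachFacts) -> int:
    """Individuals affected across all jurisdictions (an estimate is acceptable)."""
    return sum(facts.affected_by_jurisdiction.values())


def notification_plan(facts: BreachFacts) -> dict:
    """Return the notices owed and the latest permitted date for each.

    The 60-day figure is an outer limit; the Rule also requires action
    "without unreasonable delay", so these are the latest dates, not targets.
    """
    outer_deadline = facts.discovered + timedelta(days=OUTER_LIMIT_DAYS)
    plan = {
        # Step 1: written notice (first class mail, or email if agreed) to each individual.
        "individual_notice_by": outer_deadline,
        # Substitute notice (website posting or major media, plus a toll-free number)
        # is owed when contact details are bad for 10 or more individuals.
        "substitute_notice_required":
            facts.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD,
        "substitute_notice_min_days": SUBSTITUTE_NOTICE_MIN_DAYS,
        # Step 2: press release to media serving each jurisdiction with 500+ affected.
        "media_notice_jurisdictions": sorted(
            j for j, n in facts.affected_by_jurisdiction.items()
            if n >= LARGE_BREACH_THRESHOLD
        ),
        "media_notice_by": outer_deadline,
    }
    # Step 3: notify the Secretary through the HHS breach portal.
    if total_affected(facts) >= LARGE_BREACH_THRESHOLD:
        plan["secretary_notice_mode"] = "immediate"
        plan["secretary_notice_by"] = outer_deadline
    else:
        # Smaller breaches may be logged annually: 60 days after the end of the
        # calendar year in which the breach was discovered.
        year_end = date(facts.discovered.year, 12, 31)
        plan["secretary_notice_mode"] = "annual"
        plan["secretary_notice_by"] = year_end + timedelta(days=OUTER_LIMIT_DAYS)
    return plan


def sample_large_breach() -> BreachFacts:
    """Constructed example: 630 individuals, 600 of them in one state, 12 unreachable."""
    return BreachFacts(date(2017, 7, 1), {"CA": 600, "NV": 30}, unreachable_individuals=12)


def sample_small_breach() -> BreachFacts:
    """Constructed example: 30 individuals in one state, all reachable."""
    return BreachFacts(date(2017, 7, 1), {"NV": 30}, unreachable_individuals=3)


if __name__ == "__main__":
    for facts in (sample_large_breach(), sample_small_breach()):
        print(f"{total_affected(facts)} affected, discovered {facts.discovered}:")
        for item, value in notification_plan(facts).items():
            print(f"  {item}: {value}")
```

For the constructed large breach discovered on 1 July 2017, the checklist puts individual, media (California only) and Secretary notices at 30 August 2017 and flags a substitute notice; the 30-person breach instead rolls its Secretary notice into the annual log due 1 March 2018 and owes no media notice.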



