What Does a Breach Notification Letter Mean?

What Does a Breach Notification Letter Mean?

Before diving into what a breach notification letter is, it is important to understand where they come from and why they are necessary. Breach notification letters are required by the breach notification rule under the HIPAA Breach Notification Rule, GLBA and the FTC Safeguards rule, and a myriad of state and local laws. Although many of these laws differ on what they say and exactly what they require, generally entities covered by that law or rule are required to submit a notice to any consumer whose protected information has been accessed and/or acquired by an unauthorized third party. For HIPAA, that’s protected health information held by covered entitles; for state laws that’s any organization holding your social security number or other personal identifying information (just to add another layer of complexity, the list of what constitutes PII is different in every state…). Under these breach notification rules the entity who has lost confidentiality of your information needs to tell you what was lost, what happened, and may provide some type of credit monitoring. Seemingly pretty straightforward, but these letters are written by lawyers and required by law, so they often are more than meets the eye.

What Constitutes a Breach?

Since there are many breach notification laws on the books in every jurisdiction, let’s start our conversation by focusing on one that has very well understood rules— HIPAA. In essence, a breach within the context of HIPAA occurs when there is unauthorized disclosure (that is access OR acquisition) of protected health information that compromises its security or privacy. This breach is presumed unless the entity involved can demonstrate a low probability of compromise through a risk assessment considering factors like the nature of the information, who accessed it, whether it was actually obtained, and efforts made to mitigate the risk. This analysis is highly fact dependent; hoping nothing was actually taken, or that the bad guys are being honest when they say nothing will happen is not generally enough to reach this high threshold.

There are three exceptions to the breach definition: unintentional acquisition, access, or use by authorized individuals within their scope of authority and in good faith; inadvertent disclosure between authorized individuals within the same entity or arrangement; and instances where the entity believes the unauthorized recipient wouldn’t retain the information. Or in other words, keeping the information in the organization, but to the wrong person or a lost, but encrypted laptop left somewhere in a taxi.

The Breach Notification Letter

In the event of a breach of PHI (personal health information) there are three types of notices that must be made. There must be a notice to the individual whose information has been compromised, a notice to the media (in some cases only where more than 500 people are affected), and a notice to the Secretary of Health and Human Services. This echoes other breach notification statutes of being required to notify the impacted individuals, the community if it’s really big, and the regulator.

Notice to an Individual

Covered entities must inform affected individuals upon discovering a breach of unprotected health information. HIPAA is unique in that it is more flexible in the means of notification, since this notification can be sent via mail or email if the individual has agreed to electronic notices. However, if contact information for 10 or more individuals is outdated, the entity must post a notice on its website or in local media. Regardless, they must also provide a toll-free number for inquiries in the notice to the individual. For fewer than 10 individuals, alternative notification methods can be used.

These notifications must be prompt, within 60 days of discovering the breach. They should include a brief description of the breach, the type of information involved, steps for individuals to safeguard themselves, and contact details for further inquiries.

In cases where a business associate is involved in the breach, the responsibility for individual notifications may be delegated to them by the covered entity. Deciding who notifies individuals depends on factors such as the business associate’s role and the existing relationship with the affected individuals.

These are the types of letters that you get, “out of an abundance of caution.” The bottom line to that is if they didn’t have to send you a letter, they would likely try to find a way to get out of it. If you get a letter like this, you should immediately sign up for the offered credit monitoring and change your passwords for everything. They may say only certain types of data were impacted, but they are only often legally required to tell you if certain categories of protected health information or other personal identifiable information was impacted. This does not always include usernames and passwords, credit card numbers without pins, or other types of account information.

Notice to the Media

Covered entities facing breaches impacting over 500 residents of a State or jurisdiction must notify prominent local media outlets alongside affected individuals. This typically involves issuing a press release. Like individual notifications, media alerts must be timely, within 60 days of discovering the breach, and include the same essential information. If done with an astute lawyer, this notice will be done on a holiday weekend at night to avoid scrutiny.

Notice to the Regulatory Body

Entities covered by HIPAA, apart from informing affected individuals and media (if necessary), are also obligated to report breaches of unsecured protected health information to the Secretary of HHS. This is done by filling out and submitting a breach report form electronically on the Health and Human Services website. For breaches impacting 500 or more individuals, notification to the Secretary must be prompt, within 60 days of the breach. For breaches affecting fewer than 500 individuals, entities can report them annually by submitting reports to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered. This notice to the regulator starts the clock for investigations and is often when scrutiny occurs since HHS OCR as well as other states’ Attorneys General publish the notification letters which are often picked up by plaintiff’s attorneys, the media, and other concerned citizens.

Conclusion

Having to receive or needing to draft a breach notification letter is never fun and is often the product of or creator of many sleepless nights. Remember a HIPAA notification is rarely the only notice you would need to provide in a large breach. The best way to deal with breach notification is to be ready for a breach and have a plan to minimize its blast radius. BizCom Global can be your partner in reducing your risk of pain before a breach begins. Call us today.

more tech thoughts