How Do HIPAA Breach Reporting Requirements Affect State Reporting?

How Do HIPAA Breach Reporting Requirements Affect State Reporting?

by Alex Hirsch (SU)

For those of us involved in the world of HIPAA compliance, we are certainly aware by now that the Breach Notification Rule requires Covered Entities (CE) and Business Associates (BA) to notify affected parties of any breach that has occurred to their protected health information. Those notification requirements and timelines are based on the “500 rule” of individuals affected, and there are different rules based on whether more or fewer than 500 were affected by the breach.

But another important factor to consider, besides the Federal requirement, is what do State breach reporting laws require? This is a topic that has been getting a lot of attention lately.

According to the National Conference of State Legislatures (NCSL), all 50 U.S. states and its territories have enacted laws that require both private and public entities to notify anyone who has been affected by a security breach of their personally identifiable information.

The NCSL website explains that these laws specify exactly who must comply with the law, what constitutes “personal information,” what constitutes a breach, requirements for notice (e.g., timing or method of notice, who must be notified), and any exemptions that may apply.

HIPAA Data Breach Reporting at the State Level

At the State level, there exists a somewhat different landscape of potential pitfalls compared to the compromise of any of the 18 HIPAA Identifiers. Also, State reporting is not in lieu of the Federal reporting but in conjunction. Both Federal HIPAA and State breach reporting requirements must be adhered to.

It is important to remember that State reporting timelines may be shorter than what is mandated by the HIPAA Breach Notification Rule.

As an example, the State of California Civil Code states that for medical information, “Affected patients and the California Department of Health Services must be notified no later than 15 business days after the unauthorized access, use, or disclosure has been detected by the licensee.” There is an exception to delay the notification for law enforcement purposes in accordance with the Code.

When Business Associates Are Breached

Further complications to the breach notification requirements kick in when CEs engage the services of vendors that are designated BAs. We know about the requirement to execute Business Associate Agreements (BAA) when these vendors have accesses to a Covered Entity’s ePHI/PHI. What happens when CEs have hundreds of BAs and then some of those BAs have subcontractor BAs? How does an organization keep track of all the timelines in reporting? Oftentimes, this is done with a time-consuming manual review, causing organizations to spend excessive funds on complying – or, more commonly, not doing this exercise at all.

Organizations commonly try and use ‘standard templates’ to standardize timelines, but reporting timeframes are often the center of agreement negotiations and are often changed.

The 500 Rule

According to the Breach Rule, if a breach affects 500 or more people, then the entity that is responsible for the breach must notify the Secretary of the applicable governmental entity as soon as possible, and no later than 60 days after the breach occurred.

If the breach affects fewer than 500 people, however, then the responsible entity is only required to notify the Secretary annually, and no more than 60 days past the affected calendar year. Therefore, if a CE gives a BA 60 days to make the report but the breach affects 500 or more individuals, that CE will actually fail to meet the reporting deadline.

Managing this process of timeline reporting is critical, especially with downstream BA vendors.

 “Understanding reporting time frames, both contractual and regulatory, is critical for healthcare organizations. But many compliance teams struggle to keep up with changing laws and the growth of their organizations as it relates to obligations to regulators and business partners,” says Jason Silverstein, COO, PHIflow. “Rather than depending on manual document review (which is expensive and time-consuming) to understand reporting timeframes, today’s leading compliance and privacy departments leverage innovative new technologies to automate many of the mundane tasks previously associated with antiquated compliance processes.”

A summary of U.S. State Data Breach Notification Statutes per state provided by NCSL can be accessed here:

Who Can Help with HIPAA Compliance?

If you would like to discuss how Colington Consulting can help your organization meet these ever-changing governmental standards, fill out our online form now or call us at (800) 733-6379 today.