Risk Management

Breach Notification: How OMIC Can Help You

Kimberly Wynkoop, OMIC Legal Counsel

Digest, V23 N3 2013

As explained in the lead article (HIPAA Omnibus Final Rule What To Do), HIPAA requires that covered entities (“CEs”) notify individuals whose unsecured protected health information (“PHI”) has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the PHI. Such notice must be given unless the CE can show there is a “low probability” that PHI has actually been compromised. If notification is required, HIPAA sets forth the manner and timing for doing so. This process can be daunting and expensive. To assist our insureds, OMIC’s policy includes an additional benefit: Security and Privacy Breach Response Costs, Notification Expense, and Support and Credit Monitoring Expense Coverage. This article will explain ophthalmologists’ breach response and notification responsibilities and the assistance OMIC’s benefit provides.

Notice to individuals

The CE should have a standard breach notification letter written in plain language that includes all of the HIPAA required elements (see OMIC’s sample at http://www.omic.com/hipaahitech-resources/). The CE must modify this letter and send it out to all affected individuals. This letter should be sent by first-class mail to the last known address of the individual or, if the individual has agreed to electronic notice, by email. If there is insufficient or out-of-date contact information that precludes mail or email notice, a substitute form of notice must be provided. For fewer than 10 individuals, the substitute notice may be provided by an alternative form of written notice, by telephone, or by other means. For 10 or more individuals, the substitute notice must be in the form of either a conspicuous posting for 90 days on the CE’s website, or a conspicuous notice in major print or broadcast media where the affected individuals likely reside. The notice must include a toll-free number that remains active for at least 90 days where an individual can learn whether his or her PHI was included in the breach. Notice to affected individuals must be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. If the CE determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate, in addition to the methods outlined above. It is the responsibility of the CE to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay.

Notice to HHS

In the event a breach of unsecured PHI affects 500 or more individuals, HHS must be notified at the same time notice is made to the affected individuals, in the manner specified on the HHS website. If fewer than 500 of the CE’s patients are affected, the CE must maintain a log of the breaches to be submitted annually to the Secretary of HHS no later than 60 days after the end of each calendar year.

Notice to the media

In the event the breach affects more than 500 residents of a state, prominent media outlets serving the state and regional area must be notified without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. The notice must be provided in the form of a press release. If a law enforcement official states to the CE that notice would impede a criminal investigation or cause damage to national security, the CE must delay the notice for the time period specified by the official in writing, or, if not in writing, no longer than 30 days from the date of the oral statement. This applies to notices made to individuals, the media, and HHS.

OMIC’s coverage

In response to a security or privacy breach, OMIC will pay for the employment of a public relations consultant to avert damage to an insured’s reputation resulting from an unexpected report about the breach through any media channel. OMIC will also pay the expense to comply with governmental privacy legislation mandating notification to affected individuals, including legal expenses, computer forensic fees, public relations expenses, postage expenses, and related advertising expenses. OMIC also pays the expenses for the provision of customer support in the event of a privacy breach, including credit file monitoring services and identity theft assistance for up to 12 months. OMIC must give prior written consent for any of these expenses to be paid. The maximum amount OMIC will pay is $50,000. If you have questions about these policy benefits, please call OMIC’s Underwriting Department at 800.562.6642, ext. 639. If you need to take advantage of this benefit, contact OMIC’s Claims Department at ext. 629.

Breach Letter: Required Components

• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

• A description of the types of unsecured PHI that were involved in the breach (e.g., full name, SSN, DOB, address, account number, diagnosis).

• Any steps the individuals should take to protect themselves from potential harm resulting from the breach.

• A brief description of what the CE is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.

• Contact procedures for affected individuals, including a toll-free number, email address, website, or postal address.
