HIPAA Regulations: Notification in the Case of Breach: Content of Notification to Individuals - § 164.404(c)
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations |
(c) Implementation specifications: Content of notification—(1) Elements. The notification required by paragraph (a) of this section shall include, to the extent possible:
(A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(C) Any steps individuals should take to protect themselves from potential harm resulting from the breach;
(D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
(2) Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language.
HHS Discussion and Commentary From the January 2013 Amendments Notification in the Case of Breach: Content of Notification to Individuals |
Content of the Notification
Section 13402(f) of the HITECH Act set forth the content requirements for the breach notice to the individual. Section 164.404(c) of the interim final rule incorporated the statutory elements, requiring the following information be included in the notices, to the extent possible: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
The interim final rule added the term “diagnosis,” to the parenthetical listing of examples of types of protected health information, which was not in the statute, to make clear that, where appropriate, a covered entity may need to indicate in the notification to the individual whether and what types of treatment information were involved in a breach. In addition, with respect to a covered entity’s mitigation, the interim final rule replaced the statutory term “mitigate losses” with “mitigate harm to individuals” to make clear that the notification should describe the steps the covered entity is taking to mitigate potential harm to individuals resulting from the breach and that such harm is not limited to economic loss.
To address the readability and accessibility of the notice, the interim final rule made a number of clarifications. First, the Department included in the interim final rule a requirement that the breach notices be written in plain language so that individuals will be able to understand them more easily, which means the notice should be written at an appropriate reading level, using clear language and syntax, and not include any extraneous material that might diminish the message it is trying to convey.
Second, the interim final rule explained that some covered entities may have obligations under other laws with respect to their communication with affected individuals. For example, to the extent a covered entity is obligated to comply with Title VI of the Civil Rights Act of 1964, the covered entity must take reasonable steps to ensure meaningful access for Limited English Proficient persons to the services of the covered entity, which could include translating the notice into frequently encountered languages. Similarly, to the extent that a covered entity is required to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the notice available in alternate formats, such as Braille, large print, or audio.
Overview of Public Comments
Several commenters stated that the content requirements for breach notification were too vague. Some commenters asked that we provide templates or sample notices to be used by covered entities. Other commenters asked for more specific guidance about particular required content elements of the notice, such as what information should be provided to individuals about a covered entity’s or business associate’s mitigation efforts and regarding any employee sanctions, particularly if a company has policies that require certain employment actions be kept confidential. It was also suggested that we publish a list of actions to be included in the notices based on the type of breach with respect to the steps individuals should take to protect themselves from harm.
Some commenters also asked that the Department clarify that the requirement to include “a brief description of what happened” would not require the covered entity or business associate to describe how the breach occurred such that it would create a roadmap for future breaches.
Final Rule
We retain § 164.404(c) in this final rule without modification. The content requirements in the Rule generally mirror the content requirements in the statute and each element is an important component of the notice to ensure individuals receive the information they need to protect themselves to the extent possible from the consequences of a breach and to learn what is being done to mitigate the breach and prevent future breaches.
At the same time, the content provisions are sufficiently flexible to allow covered entities and business associates to tailor the breach notices based on the circumstances surrounding the breach and of the entity. In our experience in administering the Rule since 2009, the Rule provides sufficient flexibility to describe to the individual the circumstances surrounding the breach in a more general manner that still provides the individual with pertinent information but that does not provide a roadmap to third parties for future breaches. For example, the notice need not explain the exact type of vulnerability in the security of a covered entity’s electronic records system that led to unauthorized access and how that vulnerability was exploited.
Similarly, a covered entity has flexibility in describing what the covered entity is doing in response to a breach. Where employee sanctions are relevant based on the circumstances of the breach, a covered entity may determine that it wants to describe the sanctions imposed more generally and nothing in the Rule would require that the notice include the names of the employees involved. For example, a covered entity may want to indicate generally that the employees involved have been appropriately disciplined, particularly if multiple employees received varying levels of sanctions based on their degrees of involvement in the breach. In other cases, it may benefit the covered entity to be more specific so as to better assure individuals that the entity is appropriately addressing the situation, such as indicating that an employee who improperly accessed and sold patient information was promptly terminated.
With respect to templates, examples, or other guidance, the Department anticipates providing additional guidance in the future.
HHS Description and Commentary From the Interim Breach Rule Notification in the Case of Breach: Content of Notification to Individuals |
Section 13402(f) of the Act sets forth the content requirements for the breach notice to the individual. Section 164.404(c) of the interim final rule implements § 13402(f) of the Act and requires the notification to include, to the extent possible, the following elements: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, web site, or postal address.
With respect to indicating in the notification the types of protected health information involved in a breach, we emphasize that this provision requires covered entities to describe only the types of information involved. Thus, covered entities should not include a listing of the actual protected health information that was breached (e.g., list in the notice the individual’s social security number or credit card number that was breached) and generally should avoid including any sensitive information in the notification itself.
Further, in the interim final rule at § 164.404(c)(1)(B), we add the term “diagnosis” in the parenthetical listing of examples of types of protected health information to make clear that, where appropriate, a covered entity may need to indicate in the notification to the individual whether and what types of treatment information were involved in a breach. In addition, at § 164.404(c)(1)(D), we replace the statutory term “mitigate losses” with “mitigate harm to the individual” to make clear that the notification should describe the steps the covered entity is taking to mitigate potential harm to the individual resulting from the breach and that such harm is not limited to economic loss.
Under these content requirements, for example, and depending on the circumstances, the notice to the individual may include recommendations that the individual contact his or her credit card company and information about how to contact the credit bureaus and obtain credit monitoring services (if credit card information was breached); information about steps the covered entity is taking to retrieve the breached information, such as filing a police report (if a suspected theft of unsecured protected health information occurred); information about steps the covered entity is taking to improve security to prevent future similar breaches; and information about sanctions the covered entity imposed on workforce members involved in the breach.
Some commenters recommended that we impose a page limitation on the length of the notice (e.g., one-page in length) and ensure the content of the notice is nontechnical and non-complex so individuals can easily understand the information being provided. We agree that it is important for individuals to be able to understand the information being provided to them in the breach notifications and thus, at § 164.404(c)(2) of the interim final rule, include a requirement that such notifications be written in plain language. To satisfy this requirement, the covered entity should write the notice at an appropriate reading level, using clear language and syntax, and not include any extraneous material that might diminish the message it is trying to convey. We do not impose a page limitation, however, so as not to constrain covered entities in including in the notifications the information they believe could be helpful to individuals.
Further, we note that some covered entities may have obligations under other laws with respect to their communication with affected individuals. For example, to the extent a covered entity is obligated to comply with Title VI of the Civil Rights Act of 1964, the covered entity must take reasonable steps to ensure meaningful access for Limited English Proficient persons to the services of the covered entity, which could include translating the notice into frequently encountered languages. Similarly, to the extent that a covered entity is obligated to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the notice available in alternate formats, such as Braille, large print, or audio.