Breach notification

A breach is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which compromises the security or privacy of the protected health information.

If unsecured PHI is impermissibly acquired, used, or disclosed, a breach is presumed to have occurred unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised. Whether there is a “low probability” of compromise is determined by an assessment of at least four factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.

The following disclosures are specifically excluded from the definition of "breach":

• A person authorized to access PHI at a covered entity or business associate inadvertently discloses PHI to another person authorized to access PHI at the covered entity or business associate (or organized health care arrangement in which the covered entity participates). The information must not be further used or disclosed in a manner not permitted by HIPAA.
• A workforce member (or person acting under the authority of a covered entity or business associate) unintentionally acquires, accesses, or uses PHI. The acquisition, access, or use must have been made in good faith and within the scope of the individual’s authority. The information must not be further used or disclosed in a manner not permitted by HIPAA.
• The covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. 

PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if it has been encrypted (in the case of electronic PHI) or destroyed.

• Encrypted. This means that the PHI has been converted to another, unrecognizable form that makes it unreadable for unauthorized users. The data can only be made readable through a confidential process or “key.” The following encryption processes have been tested by the National Institute of Standards and Technology (NIST) and meet this standard:

  • Valid encryption processes for data at rest that are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
  • Valid encryption processes for data in motion that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated,
• Destroyed. This means that the media on which the PHI is stored or recorded has been rendered unreadable or irretrievable through one of the following methods: destroyed in one of the following ways:
  • Paper, film, or other hard copy media have been shredded, burned, pulped, or pulverized such that the PHI cannot be read, deciphered, or reconstructed.
    • Redaction is specifically excluded as a means of data destruction.
  • Electronic media have been cleared (media with non-sensitive data have been overwritten with software or hardware products), purged (media has been degaussed or exposed to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroyed (media have been disintegrated, pulverizd, melted, incinerated, or shredded), consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.

Yes. The covered entity must document that the use or disclosure of the unsecured PHI did not constitute a breach and that notification was not required. This means that the covered entity must maintain documentation of its risk assessment demonstrating a low probability that the PHI has been compromised by the impermissible use or disclosure, or the application of any other exceptions to the definition of “breach.”  Even if a disclosure is not a breach reportable to the individual or HHS, the covered entity must still log the disclosure in your accounting of disclosures log. This disclosure log must include the date of the disclosure; the name and address (if known) of the entity who received the PHI; a brief description of the PHI disclosed; and a brief statement of the reason for the disclosure. 

Yes. Covered entities are required to notify HHS of all breaches of unsecured PHI, regardless of the number of individuals affected. Notification must be provided electronically by submitting a breach report form through the HHS website portal. The timing of the notification differs depending on how many individuals are affected, however.

• 500 or more individuals - For a breach affecting 500 or more individuals, the covered entity must notify HHS without unreasonable delay and in no case later than 60 days following the breach.
• Fewer than 500 individuals - For a breach affecting fewer than 500 individuals, the covered entity must maintain a log or other documentation of such breach and must notify HHS of the breach no later than 60 days after the end of the calendar year in which the breach is discovered

Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 days following the discovery of the breach. The notice must be in writing and sent via first class mail (notice may be sent via email if the affected individual has agreed to receive such notices electronically). 

To the extent possible, the notice must include:

• A brief description of the breach
• A description of the types of information that were involved in the breach
• The steps affected individuals should take to protect themselves from potential harm
• A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
• The covered entity's contact information

HIPAA allows covered entities to provide substitute individual notice if they have insufficient or out-of-date contact information. The requirements of the substitute notice differ depending on the number of individuals for whom current contact information is missing.

• 10 or more individuals:  If there is insufficient or out-of-date contact information for 10 or more individuals, then the covered entity must either post notice on the home page of its web site for at least 90 days or publish the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must provide a toll-free phone number that individuals can call to find out if their information was involved in the breach. This number must remain active for at least 90 days.
• Fewer than 10 individuals: If there is insufficient or out-of-date contact information for fewer than 10 individuals, substitute notice may be provided by an alternative form of written notice, by telephone, or other means.  

Covered entities must notify the media of breaches involving more than 500 residents of a state or jurisdiction. Notice must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and can generally be done through a press release to appropriate media outlets. The notice must include the same information required for the individual notice.

Yes. Covered entities are responsible for notifying individuals if there has been a breach at or by a business associate. However, covered entities may delegate this responsibility to the business associate in their business associate agreements. In some cases, the business associate may be in a better position to provide notice to affected individuals. 

Covered entities are also required to mitigate, to the extent practicable, any harmful effects of security incidents or Privacy Rule violations that are known to the covered entity. 

Covered entities must have in place written policies and procedures regarding HIPAA violations and they must train their employees on these policies and procedures. If an employee violates these policies, the covered entity must impose appropriate sanctions.  Sanctions should be categorized according to the nature and severity of the violation. For example, accidental or unintentional violations that do not result in a reportable breach may warrant only a verbal reminder or additional HIPAA education/training, while unintentional violations that do result in a reportable breach may warrant a written reprimand or even unpaid leave. Intentional violations are more serious and may warrant termination.