regulation of Medicine

toolkit

The HIPAA Toolkit

Breach notification

What is a “breach”?

A breach is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which compromises the security or privacy of the protected health information.

If unsecured PHI is impermissibly acquired, used, or disclosed, a breach is presumed to have occurred unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised. Whether there is a “low probability” of compromise is determined by an assessment of at least four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

The following disclosures are specifically excluded from the definition of "breach":

  • A person authorized to access PHI at a covered entity or business associate inadvertently discloses PHI to another person authorized to access PHI at the covered entity or business associate (or organized health care arrangement in which the covered entity participates). The information must not be further used or disclosed in a manner not permitted by HIPAA.
  • A workforce member (or person acting under the authority of a covered entity or business associate) unintentionally acquires, accesses, or uses PHI. The acquisition, access, or use must have been made in good faith and within the scope of the individual’s authority. The information must not be further used or disclosed in a manner not permitted by HIPAA.
  • The covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

What is "unsecured" PHI for purposes of determining whether there has been a reportable breach?

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. 

PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if it has been encrypted (in the case of electronic PHI) or destroyed.

What if a risk assessment reveals a low probability of compromise? Does the covered entity have to do anything else?

Yes. The covered entity must document that the use or disclosure of the unsecured PHI did not constitute a breach and that notification was not required. This means that the covered entity must maintain documentation of its risk assessment demonstrating a low probability that the PHI has been compromised by the impermissible use or disclosure, or the application of any other exceptions to the definition of “breach.”  Even if a disclosure is not a breach reportable to the individual or HHS, the covered entity must still log the disclosure in your accounting of disclosures log. This disclosure log must include the date of the disclosure; the name and address (if known) of the entity who received the PHI; a brief description of the PHI disclosed; and a brief statement of the reason for the disclosure. 

Does a covered entity have to report to the government breaches involving the PHI of only one individual?

Yes. Covered entities are required to notify HHS of all breaches of unsecured PHI, regardless of the number of individuals affected. Notification must be provided electronically by submitting a breach report form through the HHS website portal. The timing of the notification differs depending on how many individuals are affected, however.

  • 500 or more individuals - For a breach affecting 500 or more individuals, the covered entity must notify HHS without unreasonable delay and in no case later than 60 days following the breach.
  • Fewer than 500 individuals - For a breach affecting fewer than 500 individuals, the covered entity must maintain a log or other documentation of such breach and must notify HHS of the breach no later than 60 days after the end of the calendar year in which the breach is discovered

What is the time frame for notifying affected individuals of a breach?

Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 days following the discovery of the breach. The notice must be in writing and sent via first class mail (notice may be sent via email if the affected individual has agreed to receive such notices electronically). 

What must the notice include?

To the extent possible, the notice must include:

  • A brief description of the breach
  • A description of the types of information that were involved in the breach
  • The steps affected individuals should take to protect themselves from potential harm
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
  • The covered entity's contact information

What if a covered entity does not have contact information for some or all of the affected individuals?

HIPAA allows covered entities to provide substitute individual notice if they have insufficient or out-of-date contact information. The requirements of the substitute notice differ depending on the number of individuals for whom current contact information is missing.

  • 10 or more individuals:  If there is insufficient or out-of-date contact information for 10 or more individuals, then the covered entity must either post notice on the home page of its web site for at least 90 days or publish the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must provide a toll-free phone number that individuals can call to find out if their information was involved in the breach. This number must remain active for at least 90 days.
  • Fewer than 10 individuals: If there is insufficient or out-of-date contact information for fewer than 10 individuals, substitute notice may be provided by an alternative form of written notice, by telephone, or other means.  

When must the media be notified?

Covered entities must notify the media of breaches involving more than 500 residents of a state or jurisdiction. Notice must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and can generally be done through a press release to appropriate media outlets. The notice must include the same information required for the individual notice.

Are covered entities responsible for reporting breaches that occur at a business associate?

Yes. Covered entities are responsible for notifying individuals if there has been a breach at or by a business associate. However, covered entities may delegate this responsibility to the business associate in their business associate agreements. In some cases, the business associate may be in a better position to provide notice to affected individuals. 

Covered entities are also required to mitigate, to the extent practicable, any harmful effects of security incidents or Privacy Rule violations that are known to the covered entity. 

How should a covered entity handle the employee(s) who made the improper disclosure or caused the breach?

Covered entities must have in place written policies and procedures regarding HIPAA violations and they must train their employees on these policies and procedures. If an employee violates these policies, the covered entity must impose appropriate sanctions.  Sanctions should be categorized according to the nature and severity of the violation. For example, accidental or unintentional violations that do not result in a reportable breach may warrant only a verbal reminder or additional HIPAA education/training, while unintentional violations that do result in a reportable breach may warrant a written reprimand or even unpaid leave. Intentional violations are more serious and may warrant termination.

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.