What is Considered a HIPAA Breach?

Published December 10, 2019 • 3 min read

A HIPAA Breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information,” according to the U.S. Department of Health and Human Services (HHS).  

In other words, a breach occurs when information is shared with entities that do not have the authority to see it. This is a broad definition, and it has exceptions. Determining whether a breach occurred mostly comes down to intent. Note that the entities mentioned in this article are service providers, health care providers, departments of health, and other organizations that are responsible for HIPAA privacy and HIPAA compliance.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a cybersecurity law put in place to protect protected health information (PHI), including all medical and patient records, from exposure to unauthorized persons or entities.

What is Not Considered a Breach? 

To understand better what we mean by this, we need to look at what is not considered to be a data breach. 

If information is shared accidentally, it is not considered a breach. For example, say an administrator unintentionally emailed a person’s PHI to another person. That email would not be considered a breach if the administrator can show that it was accidental and not part of a repeated pattern.

There are three exceptions to the definition of a breach:

  1. The unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. The disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates. In both of these cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. A disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.

If an incident does not fall under these exceptions, it is governed by the HIPAA Breach Notification Rule. The Breach Notification Rule spells out how entities must notify affected parties when a breach occurs. It is one of the many HIPAA rules.

Breach Notification Rule

The Breach Notification Rule was added to HIPAA in 2009 along with the Health Information Technology for Economic and Clinical Health Act (HITECH). 

HITECH was added to encourage all entities to move further toward electronic health records (EHR). It also made the security of such records mandatory.

The Breach Notification Rule states that HIPAA-covered entities and their business associates must notify all affected parties (the affected individuals, the business entities, the HHS Secretary, and, for large breaches, the media) within a reasonable time after the event occurs, and no later than 60 days.

The notification needs to include a description of the event, the types of PHI involved, the steps individuals should take to protect themselves, what the entity responsible for the breach is doing to prevent further breaches, and how individuals can contact the entity if they wish to.

The Final Omnibus Rule of 2013

The most recent addition to the HIPAA laws was the Final Omnibus Rule of 2013, which spells out in more detail the encryption required so that, if a breach occurs, the data is indecipherable, unreadable, and unusable without proper authorization.

The rule made clear what was required of entities in protecting PHI, and it clarified the penalties for entities that failed to meet those requirements.

Keep in mind that HIPAA became law in 1996, and it took over a decade before entities were brought into compliance and penalized for not complying. Now, an entity that does not implement safeguards for protecting PHI can face financial penalties, sanctions, potential loss of license, and even criminal proceedings. In 2019, far more than when HIPAA was first introduced in 1996, a breach caused by entity negligence can have serious repercussions. Organizations are also required to perform risk assessments to ensure they comply.
