What is the HIPAA Breach Notification Rule?

Published December 10, 2019 • 2 min read

The HIPAA (Health Insurance Portability and Accountability Act) Breach Notification Rule mandates that covered entities and their business associates notify patients and HHS (U.S. Department of Health & Human Services) following a breach of the individuals’ unsecured protected health information (PHI). 

Similar breach notification requirements, which the Federal Trade Commission implements and enforces, apply to vendors of personal health records and their third-party service providers under the HITECH (Health Information Technology for Economic and Clinical Health) Act.

Under the HIPAA Privacy Rule, a breach is an impermissible use or disclosure of unsecured PHI (for example, unencrypted PHI) that compromises the security or privacy of the protected health information. 

HIPAA only requires notifications of breaches for PHI that isn’t secured. That means covered entities and their business associates should use the appropriate encryption and destruction techniques to ensure that PHI is unusable, unreadable, or indecipherable by an unauthorized person. 

Covered entities include health plans, health care providers, and health care clearinghouses. A business associate is any company or individual—other than a workforce member of a covered entity—that does work for a covered entity. 

An impermissible use or disclosure of PHI is considered a breach unless the covered entity or business associate can show that there’s a low probability the PHI has been compromised based on a risk assessment of certain factors, including: 

  • The nature and extent of the PHI, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

Once a covered entity knows or should have known that a breach of PHI occurred (referred to as the “date of discovery”), it is required to notify the affected individuals, HHS, and/or the media. 

The covered entity has to do this “without unreasonable delay” or up to 60 calendar days after it discovered the breach. That applies even if the organization wasn’t sure the PHI had been compromised at the time it discovered the breach.  

If the breach involves the unsecured PHI of over 500 people, a covered entity must notify a major print or broadcast media outlet in the state or jurisdiction where the breach occurred, and notify HHS. 

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. The OCR may issue civil monetary penalties for violations of the rules. In some cases, the U.S. Department of Justice may impose criminal penalties. The OCR also posts the names of entities with breaches involving more than 500 people on its “wall of shame.”

For breaches involving fewer than 500 people, a covered entity can keep a log of the relevant information and notify HHS within 60 days after the end of the calendar year via the HHS website.

The covered entity and its business associates must also make any required reports available to HHS and the affected individuals. Notification to individuals must be sent via first class mail or email if the individuals have agreed to accept notices electronically. 

However, if a covered entity doesn’t have contact information for 10 or more individuals, it must either post a notice on the homepage of its website or make it available on major print or broadcast media where the affected individuals likely live.
