“There’s been a data breach.”

Words you never want to hear, especially as a leader in health care. A breach of unsecured protected health information (PHI) can mean HIPAA penalties, lawsuits, and a massive, organization-wide headache.

Understanding the HIPAA Breach Notification Rule could save your organization time and money while also safeguarding your reputation.

Let’s discuss what the rule means and how to comply with it.

What is the HIPAA Breach Notification Rule?

Illustration depicting how the HIPAA Breach Notification Rule works in three steps

The HIPAA Breach Notification Rule requires organizations to notify affected individuals and the U.S. Department of Health and Human Services (HHS) when unsecured PHI has been breached.

The HHS’s Office for Civil Rights (OCR) investigates violations to the rule but tends to prioritize breach cases involving 500+ patient records. 

What are the HIPAA Breach Notification requirements?

Illustration depicting what must be done in the event of a PHI breach of under 500 people and over 500 people.

We’ve covered your general responsibility to the HIPAA Breach Notification Rule, but what about the technicalities? In this section, we’ll help you feel confident about complying with the rule in the event that your organization faces a PHI breach.

Timeline

First, when must a breach be reported? To avoid a fine from the OCR, healthcare providers must send notifications to affected individuals within 60 days of discovery of the breach.

That said, the rule specifies that breached organizations shouldn’t have an unreasonable delay in notifying affected parties. It’s recommended to notify those affected as quickly as possible — ideally, as soon as the discovery of a breach has been confirmed.

Delivery and content of the notification

Notifications of a breach of unsecured PHI must be sent to each impacted individual either in a written notice by first-class mail, or via email if the individual has consented to be contacted via email.

If the contact information of over 10 affected individuals is outdated, the covered entity must publish the notice on its website or broadcast the notice where each individual resides for at least 90 days.

The notification must explain:

  • What happened
  • What information was compromised
  • How the entity is responding to the breach
  • How it will prevent breaches in the future

It should also provide advice regarding how affected individuals can protect themselves from harm that may result from the breach, such as identity theft.

Notification of HHS and media notice

Statistic covering how 3,700 major health care data breaches were reported between 2009 and 2020 along with an illustration of a broken lock.

In addition to notifying affected parties of a breach, covered entities are required to notify HHS through a breach report. The timeline for notifying HHS varies based on the number of individuals affected.

If the breach affected fewer than 500 people, HHS must be notified on an annual basis — specifically, within 60 calendar days of the end of the year in which the breach was identified.

However, if the breach affected more than 500 individuals, then HHS must be notified within 60 days of the breach. The covered entity must also notify prominent media outlets including local print and broadcast media outlets.

Notification by business associates

In the event that a business associate is responsible for an unsecured PHI breach, the associate plays an active role in helping the covered entity execute the Breach Notification Rule. Within 60 days of discovering the breach, the associate must:

  • Provide identification of each affected individual for the covered entity
  • Communicate as many details as possible about the breach to the covered entity

From there, the covered entity is responsible for complying with the Breach Notification Rule — notifying affected individuals, notifying HSS, and potentially contacting the media.

What is considered a breach?

The HHS defines a breach as the impermissible use, access, or disclosure of unsecured PHI under the Privacy Rule that compromises the security and privacy of that data.

The HIPAA Privacy Rule defines PHI using 18 identifiers:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers, including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • IP addresses
  • Full face photos and comparable images
  • Biometric identifiers (i.e., retinal scan, fingerprints)
  • Any unique identifying number or code

Videos and images containing PHI are also protected by the HIPAA Privacy Rule, as is PHI that’s stored electronically. 

What constitutes unsecured PHI?

The rule only applies when unsecured PHI is breached. If your data is protected by strict security measures and still gets compromised, the rule does not apply to you. If it isn’t properly secured when it gets compromised, it’s considered unsecured.

For example, imagine a doctor mistakenly leaves a patient’s printed records on a table in a common area — this PHI is unsecured. After returning to pick them up, they aren’t there. If the records were not taken by authorized personnel, this constitutes a breach and the Breach Notification Rule applies.

The best way to avoid a violation is to confirm that you and your business associates are securing PHI through the use of data protection measures like encryption and routine PHI destruction. It’s also important to train employees in PHI management for moments when documents can’t be totally secured, such as file transfers between authorized personnel.

Failing to comply with the Breach Notification Rule after a breach of unsecured PHI can have some pretty severe consequences. Take Illinois healthcare network Presence Health, for example. In 2013, operating room schedules filled with sensitive data on 836 patients went missing.

Presence Health failed to notify HHS of the breach until over a month after the HIPAA Breach Notification Rule’s 60-day deadline, violating the rule. It ended up settling the violation for $475,000 in 2017.

Image including PHI breach terminology, which includes: breach, breach exceptions, low probability of compromise, presumption of breach, and unsecured PHI.

The “low probability of compromise” condition

Any unauthorized use or disclosure of PHI is considered a breach unless it can be proven that there’s a “low probability” that the PHI has been compromised based on a proper risk assessment. The HHS specifies four factors that must be evaluated to determine this:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

This assessment should only be conducted if the HIPAA-covered entity is unsure whether PHI has been compromised. If a breach seems obvious, the above factors don’t need to be evaluated and all relevant parties should be notified.

What are the breach exceptions?

There are a few scenarios that technically fall under the definition of a breach, yet HHS extends grace to them. The three breach exceptions are:

  1. Unintentional access or use of PHI by an employee, made in good faith and within the scope of their authority
  2. Accidental disclosure of PHI between authorized persons
  3. The organization confidently believes that the person who obtained or accessed the PHI will not retain or compromise the data

If any of the three exceptions are true, then PHI is not considered “breached” and the covered entity isn’t required to notify affected parties or HHS under the Breach Notification Rule.

How Secureframe can help you stay HIPAA compliant and avoid rule violations

Secureframe takes the stress out of keeping your organization’s PHI safe. By training employees on HIPAA requirements and best practices, keeping track of vendors and associates that have access to PHI, and monitoring your individual PHI safeguards, you can be confident that your breach risk is at a minimum.

Learn more about HIPAA compliance automation with Secureframe today.

FAQs

What is the Breach Notification Rule for HIPAA?

The Breach Notification Rule, under the Health Insurance Portability and Accountability Act (HIPAA), mandates that covered entities and their business associates must notify affected individuals, the Secretary of Health and Human Services (HHS), and in certain cases, the media, following the discovery of a breach of unsecured PHI. A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

What is the definition of a breach under HIPAA?

A breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of unsecured protected health information (PHI). Unsecured means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons.

What is not considered a HIPAA breach?

There are three exceptions to the "breach" definition:

1. Unintentional acquisition, access, or use of PHI by a member of the workforce or an individual acting on behalf of a covered entity or business associate, provided that such actions were carried out in good faith and within the scope of authority

2. Inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate, to another person with similar authorization within the same covered entity, business associate, or organized healthcare arrangement

3. If the covered entity or business associate believes that the unauthorized recipient of the disclosed PHI would not have been able to retain the information

When must covered entities provide notification of a breach to the media?

Following a breach of unsecured protected health information affecting more than 500 residents of a State or jurisdiction, covered entities must provide notice to prominent media outlets serving that State or jurisdiction. — in addition to notifying the affected individuals and the Secretary of HHS.

What are the regulatory requirements for notifications for data breaches?

The regulatory requirements for notifications in the event of a data breach under the HIPAA Breach Notification Rule include:

  • Notification to Individuals: Covered entities must promptly notify the affected individuals of a breach, no later than 60 days from the discovery of the breach. The notifications must include, to the extent possible, a description of the breach, the types of information involved, the steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate the breach, and contact information for the covered entity.
  • Notification to the Secretary of HHS: Covered entities must notify the Secretary of HHS of all breaches of unsecured PHI. Breaches affecting 500 or more individuals must be reported without unreasonable delay and in no case later than 60 days from the breach discovery. Breaches affecting fewer than 500 individuals may be reported annually.
  • Notification to the Media: In cases where a breach affects more than 500 residents of a state or jurisdiction, covered entities must also notify prominent media outlets within that state or jurisdiction, no later than 60 days after the discovery of the breach.
  • Unsecured PHI: The notification requirements apply specifically to unsecured PHI, which is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS.