Breach Notification
Know what a breach is before you're dealing with one.
Overview
A HIPAA breach triggers legal obligations with hard deadlines. The difference between a managed incident and a regulatory enforcement action often comes down to whether the organisation knew the rules and acted on them quickly. Answer the five questions below as someone who may be involved in the initial response to a breach report.
Read before you answer
The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals, the Secretary of HHS, and in some cases the media when a breach of unsecured PHI occurs. A breach is defined as an impermissible use or disclosure of PHI that compromises the security or privacy of the information. When an impermissible use or disclosure occurs, HIPAA establishes a presumption that it is a breach — meaning the covered entity bears the burden of demonstrating, through a documented risk assessment, that there is a low probability that the PHI has been compromised.
The four-factor risk assessment evaluates: the nature and extent of the PHI involved (types of identifiers, likelihood of re-identification); who accessed or could have accessed the PHI (an internal employee who saw information by mistake is different from an external attacker); whether the PHI was actually acquired or viewed (a misdirected fax to a wrong physician's office that was returned unread is different from an email to a journalist); and the extent to which the risk has been mitigated (a lost laptop that was encrypted to NIST standards is not a breach, because the data was protected). The covered entity must document this assessment regardless of its conclusion. If the assessment concludes the probability of compromise is low, no notification is required but the incident must still be recorded.
When notification is required, individuals must be notified without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notification must include: a brief description of the breach; the types of PHI involved; steps individuals should take to protect themselves; what the covered entity is doing to investigate and mitigate; and contact information. The HHS must be notified by the same 60-day deadline; for breaches affecting fewer than 500 residents of a state, covered entities may submit an annual log rather than individual notifications. When a breach affects 500 or more residents of a state or jurisdiction, the media must also be notified. Business associates must notify the covered entity without unreasonable delay and within 60 days of discovering a breach affecting the covered entity's PHI.