HIPAA Breach Notification
The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media, when unsecured protected health information is breached. A breach is the acquisition, access, use, or disclosure of PHI in a way not permitted by the Privacy Rule that compromises the security or privacy of the PHI.
Key Points
Notification to individuals must happen within 60 days of discovering the breach
Breaches affecting 500+ individuals in a state require media notification
Breaches affecting 500+ individuals must be reported to HHS contemporaneously with the notice to individuals; smaller breaches are reported annually
A risk assessment using four factors determines whether notification is required
PHI that is encrypted per NIST standards is considered 'secured' and not subject to breach notification
HHS publishes all breaches affecting 500+ on the 'Wall of Shame' (breach portal)
Key Areas
Breach Definition
What constitutes a breach vs. permitted disclosure
Notification Requirements
Who to notify, when, and what to include
Risk Assessment
Four-factor test for determining breach notification
Key Provisions
Definitions (Breach)
Defines what constitutes a breach and the three exceptions: unintentional access by a workforce member, inadvertent disclosure between authorized persons, and a good-faith belief that the recipient could not have retained the information.
Notification to Individuals
Content requirements (what happened, what data, what you're doing about it, what they should do) and timing (within 60 days of discovery, not occurrence).
Notification to Media
Required when 500+ residents of a single state or jurisdiction are affected. Notice must be provided to prominent media outlets serving that state or jurisdiction.
Notification to HHS
Breaches affecting 500+ individuals: notify HHS contemporaneously with the notice to individuals. Fewer than 500: record the breach in a log and submit the log annually, within 60 days of the end of the calendar year.