The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The rule defines both what constitutes a breach, as well as the exceptions to that general definition.
What is the Definition of a “Breach”?
Generally, a breach is an impermissible (unauthorized) use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. This demonstration of a low probability of compromise must be based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
What is a “Discovered Breach” under the HIPAA Breach Notification Rule?
Under the HIPAA Breach Notification Rule, a breach is regarded by the law as “discovered” by a covered entity, as of:
- The first day on which the breach is known to the covered entity, or
- The first day on which the breach would have been known to the covered entity, in its exercise of reasonable diligence.
- In some instances, even if a covered entity exercises reasonable diligence, it may not discover a breach right away.
The breach discovery date is of particular significance under the HIPAA Breach Notification Rule. The period of time within which an entity must notify individuals of a breach runs from (i.e., starts with) the discovery date.
Under the HIPAA Breach Notification Rule, What is Not a Breach?
There are three exceptions to the definition of “breach.”
The first exception applies to:
- The unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity (CE) or business associate (BA), if
- Such acquisition, access, or use was made in good faith, and
- The acquisition, access, or use was within the scope of authority of the workforce member or person acting under the authority of the CE or BA.
The second exception applies to:
- The inadvertent disclosure, of
- Protected health information, by
- A person authorized to access the protected health information, at
- A covered entity or business associate, to
- Another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
Under both exceptions, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
The third exception applies if:
- The covered entity or business associate has a good faith belief, that
- The unauthorized person to whom the impermissible disclosure was made, would not
- Have been able to retain the information.
Note the presence of the word “unsecured.” Unsecured protected health information is defined under the HIPAA regulations as protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services (HHS) in guidance.