# HIPAA: Breach Notification

## Breach Notification Rule [45 CFR 164.400-414]

Rule: Following a breach of unsecured PHI, covered entities must notify affected individuals, HHS, and in some cases the media, within specified timeframes.
## What is a Breach?

Breach: Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.

## Breach Risk Assessment

Unless an exception applies, an impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach that requires notification, unless a risk assessment demonstrates a low probability that the PHI has been compromised, based on at least the following factors:

| Factor | Assessment |
|---|---|
| Nature and extent of PHI | Types of identifiers, sensitivity |
| Unauthorized person | Who received or accessed PHI |
| PHI actually acquired/viewed | Evidence of actual access |
| Risk mitigation | Extent risk has been reduced |
## Exceptions (Not a Breach)

| Exception | Description |
|---|---|
| Unintentional acquisition | Good faith, within scope of authority, no further use |
| Inadvertent disclosure | Between authorized persons, same organization |
| Good faith belief | Recipient could not have retained information |
## Notification Requirements

### Individual Notice [§164.404]

| Requirement | Detail |
|---|---|
| Timing | Without unreasonable delay, within 60 days of discovery |
| Method | Written notice by first-class mail (or by email if the individual has agreed to electronic notice) |
| Content | Description of breach, PHI types, steps individuals should take, what entity is doing, contact information |
### Media Notice [§164.406]

| Requirement | Detail |
|---|---|
| Trigger | Breach affecting 500+ residents of a state |
| Timing | Without unreasonable delay, within 60 days of discovery |
| Method | Prominent media outlets in affected area |
### HHS Notice [§164.408]

| Breach Size | Timing |
|---|---|
| 500+ individuals | Within 60 days of discovery |
| Under 500 | Logged and reported annually, no later than 60 days after the end of the calendar year in which the breach was discovered |
## Business Associate Obligations

Business associates must notify the covered entity of breaches:
- Without unreasonable delay
- No later than 60 days after discovery
- Provide information needed for covered entity notifications
## Unsecured PHI

Breach notification only applies to “unsecured” PHI. PHI is secured if:
- Encrypted per HHS guidance (NIST standards)
- Destroyed (paper shredded, media sanitized)
## Breach Discovery

A breach is treated as discovered on the first day on which:
- It is known to the covered entity, OR
- It reasonably should have been known (exercising reasonable diligence)

Knowledge of any workforce member is imputed to the covered entity.
## Citation

45 CFR Part 164 Subpart D — Notification in the Case of Breach