HIPAA Breach Notification Rule: Explanation and Guidance

[45 CFR §§ 164.400-414]


Scope

The HIPAA Breach Notification Rule requires HIPAA Covered Entities and their Business Associates to provide notification following a breach of Unsecured Protected Health Information (PHI).


Specific Definitions

  • Breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
  • Breach Exclusions:
    • Any unintentional access or use of PHI by a Covered Component of the NIU Hybrid Covered Entity, including a Business Associate, if such access or use was made in good faith and within the scope of work and does not result in further inappropriate use or disclosure.
    • Any inadvertent disclosure by a person who is authorized to access PHI controlled by a Covered Component of the NIU Hybrid Covered Entity to another person also authorized to access PHI controlled by a Covered Component, as long as the information received as a result of such disclosure does not result in further inappropriate use or disclosure.
    • A disclosure of PHI where an employee of a Covered Component of the NIU Hybrid Covered Entity has a good faith belief that an unauthorized person who received the information would not reasonably be able to retain such information.
  • Presumption of Breach: An acquisition, access, use, or disclosure of PHI is presumed to be a Breach unless the NIU Hybrid Covered Entity, or applicable Business Associate, can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
    • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    • The unauthorized person who used the PHI or to whom the disclosure was made;
    • Whether the PHI was actually acquired or viewed;
    • The extent to which the risk to the PHI has been mitigated, including the extent and efficacy of mitigation; and
    • Other mitigating factors considered by the NIU Hybrid Covered Entity that are relevant to the risk assessment. [45 CFR § 164.402]
  • Unsecured Protected Health Information (PHI) is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons.

Breach Notification Requirements

Following a breach of Unsecured PHI, Covered Entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and – in some circumstances – to the media. Business Associates must notify Covered Entities if a breach occurs at or by the Business Associate. Notifications will be carried out in compliance with the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as any other applicable federal or state notification law.

Notification is not required if the PHI has been secured through encryption; provided, however, that the encryption keys must be kept on a separate device from the data they encrypt or decrypt. Nothing in this policy is meant to require a Covered Component to provide information to an individual that is privileged under the attorney-client privilege, the licensed mental health professional privilege, or other privilege laws. Further, the NIU Hybrid Covered Entity will not disclose the names of any employees or other individuals involved in the breach or any specific sanctions taken against such employees.

  1. Individual Notice: Covered Entities must notify, in writing via first-class mail or email, any affected individuals following the discovery of a breach of Unsecured PHI. Notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a Breach. The notice should include:
    • A brief description of the Breach;
    • A description of the types of information involved in the Breach;
    • The steps affected individuals should take to protect themselves from potential harm;
    • A brief description of what the Covered Entity is doing to investigate the Breach, mitigate the harm, and prevent further Breaches; and
    • Contact information for the Covered Entity or Business Associate.
  2. Media Notice: In addition to Individual Notice, for a Breach that affects 500 or more residents of a State or jurisdiction, the Covered Entity must provide notice to prominent media outlets serving the State or jurisdiction. The notice is often in the form of a press release and must be provided without unreasonable delay and in no case later than 60 days following the discovery of a Breach. The media notice must include the same information required for the Individual Notice.

  3. Notice to the Secretary of Health and Human Services: In addition to Individual Notice, Covered Entities must notify the Secretary via electronic submission at the HHS website. If the Breach affects 500 or more individuals, Covered Entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a Breach. If the Breach affects fewer than 500 individuals, the Covered Entity may notify the Secretary within 60 days of the [remainder of sentence missing in source]

[Fragment of a separate section, beginning missing in source:] ...ST), specifically NIST’s Special Publication (SP) 800-53, Revision 4, Appendix J: the Privacy Control Catalog in Security and Privacy Controls for Federal Information Systems and Organizations (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf)