Breach Notification: When, Who & How Fast
Duration: 50 min · Level: Intermediate · Module: 6. HIPAA Security Rule & Access Control · Focus: breach-notification, HITECH, HHS, penalties, incident-response
By the end of this lesson you will be able to explain and apply:
- Breach definition
- 4-factor risk assessment to determine if breach occurred
- Notification to affected individuals
- Notification to HHS
- Notification to media
Why this matters
Notification duties are triggered by the facts of an incident, not by how serious the entity judges it to be, and the clocks start on the day the breach is discovered (or reasonably should have been). A late, incomplete, or missing notification is itself a violation of the rule and falls into the penalty tiers below, so incident response has to produce the risk assessment and the notification decisions on the regulatory timeline, not after the investigation is tidy.
Overview
A HIPAA breach is the unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. The Breach Notification Rule (added by the HITECH Act of 2009 and finalized in the 2013 Omnibus Rule) requires specific notification to affected individuals, to HHS, and in some cases to the media, on defined timelines that run from the date of discovery. A breach is treated as discovered on the first day it is known to the entity, or would have been known had reasonable diligence been exercised, so the clock does not wait for the investigation to finish.
Key concepts
- Breach definition: an unauthorized acquisition, access, use, or disclosure of unsecured PHI (PHI not rendered unusable, unreadable, or indecipherable through encryption or destruction per HHS guidance) is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented 4-factor risk assessment, a low probability that the PHI has been compromised. Encrypted PHI whose decryption key was not also exposed falls under the safe harbor and is not a reportable breach.
- 4-factor risk assessment to determine if breach occurred: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk to the PHI has been mitigated. Document the assessment: the burden of proving that notification was not required rests with the entity.
- Notification to affected individuals: without unreasonable delay and no later than 60 calendar days after discovery (60 days is an outer limit, not a target); written notice by first-class mail, or email if the individual has agreed to electronic notice; must include a brief description of the breach including the dates of the breach and of discovery, the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing to investigate, mitigate, and prevent recurrence, and contact procedures (such as a toll-free number, email address, website, or postal address)
- Notification to HHS: breaches affecting 500 or more individuals: notify HHS without unreasonable delay and no later than 60 days after discovery, at the same time as individual notice; breaches affecting fewer than 500 individuals: log them and submit to HHS no later than 60 days after the end of the calendar year in which they were discovered (that is, by about March 1 of the following year)
- Notification to media: breaches affecting more than 500 residents of a single state or jurisdiction require notice to prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 days after discovery; this is in addition to, not instead of, individual notification. The two thresholds differ: HHS notice is triggered at 500 or more individuals in total, media notice at more than 500 residents of one state.
- HIPAA penalty tiers (post-HITECH): each tier has a per-violation minimum and an annual cap for identical violations. Tier 1 (did not know and could not reasonably have known): $100 per violation, up to $25,000 per year; Tier 2 (reasonable cause, not willful neglect): $1,000 per violation, up to $100,000; Tier 3 (willful neglect, corrected within 30 days): $10,000 per violation, up to $250,000; Tier 4 (willful neglect, not corrected within 30 days): $50,000 per violation, up to $1.5 million. These are the HITECH statutory amounts; HHS adjusts them for inflation each year, so current figures are higher (the Tier 4 annual cap was roughly $1.9 million in recent adjustments).
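The thresholds above are easy to misapply under pressure (500 total versus more than 500 in one state, a 60-day outer limit versus a calendar-year log). The following Python helper is an added example for this lesson, not material from the course or from HHS; the `BreachFacts` and `plan_notifications` names, the field layout, and the sample counts are constructed for illustration. It goes slightly beyond the text by treating the encryption safe harbor and a documented low-probability assessment as "no notification required" and by computing the small-breach annual deadline from the calendar year of discovery.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and the outer time limit from the Breach Notification Rule.
OUTER_LIMIT_DAYS = 60        # "without unreasonable delay, not to exceed 60 days"
HHS_PROMPT_THRESHOLD = 500   # 500 or more individuals in total: HHS within 60 days
MEDIA_THRESHOLD = 500        # more than 500 residents of one state: media in that state


@dataclass
class BreachFacts:
    """Hypothetical input record; the field names are constructed for this example."""
    discovered: date                    # first day known, or reasonably should have been known
    affected_by_state: Dict[str, int]   # residents affected per state, e.g. {"TX": 620}
    unsecured: bool = True              # False if PHI was encrypted/destroyed per HHS guidance
    low_probability_of_compromise: bool = False  # documented outcome of the 4-factor assessment

    def __post_init__(self) -> None:
        if isinstance(self.discovered, str):   # accept ISO dates such as "2024-03-01"
            self.discovered = date.fromisoformat(self.discovered)


@dataclass
class NotificationPlan:
    required: bool
    reason: str
    individuals_by: Optional[date] = None
    hhs_by: Optional[date] = None
    media_states: List[str] = field(default_factory=list)
    media_by: Optional[date] = None
    notes: List[str] = field(default_factory=list)


def annual_log_deadline(discovered: date) -> date:
    """Sub-500 breaches go to HHS no later than 60 days after the end of the calendar
    year of discovery: March 1 normally, February 29 when the following year is a leap year."""
    return date(discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    """Decide which notifications are required and their outer deadlines."""
    if not facts.unsecured:
        return NotificationPlan(False, "PHI was secured (encrypted or destroyed): safe harbor, no notification")
    if facts.low_probability_of_compromise:
        return NotificationPlan(False, "documented 4-factor assessment found low probability of compromise")

    total = sum(facts.affected_by_state.values())
    outer_deadline = facts.discovered + timedelta(days=OUTER_LIMIT_DAYS)
    plan = NotificationPlan(True, f"unsecured PHI of {total} individuals compromised",
                            individuals_by=outer_deadline)
    plan.notes.append("60 days is an outer limit; notify as soon as the facts are established")

    # HHS: prompt notice at 500 or more in total, otherwise the annual log submission.
    if total >= HHS_PROMPT_THRESHOLD:
        plan.hhs_by = outer_deadline
    else:
        plan.hhs_by = annual_log_deadline(facts.discovered)
        plan.notes.append("fewer than 500 individuals: log and include in the annual HHS submission")

    # Media: assessed per state, and the threshold is strictly more than 500 residents.
    plan.media_states = sorted(s for s, n in facts.affected_by_state.items() if n > MEDIA_THRESHOLD)
    if plan.media_states:
        plan.media_by = outer_deadline
    return plan


if __name__ == "__main__":
    # Constructed sample: one state over the media threshold, one well under it.
    plan = plan_notifications(BreachFacts("2024-03-01", {"TX": 620, "OK": 40}))
    print(f"required={plan.required}: {plan.reason}")
    print(f"individuals by {plan.individuals_by}, HHS by {plan.hhs_by}, media in {plan.media_states}")
    for note in plan.notes:
        print(" -", note)
```

Two cases worth checking by hand: 300 residents in one state plus 220 in another is 520 in total, so HHS gets prompt notice but no state crosses the media threshold; and exactly 500 in one state triggers HHS notice but not media, because the media rule says more than 500. The dates the helper produces are the latest permissible dates, and the documented risk assessment that justifies a "not required" outcome still has to exist.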
Check your understanding
Try to recall each answer before expanding it.
Q1. What do you know about Breach definition?
an unauthorized acquisition, access, use, or disclosure of unsecured PHI (not encrypted or destroyed per HHS guidance) is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented 4-factor risk assessment, a low probability that the PHI has been compromised; properly encrypted PHI whose key was not exposed is not a reportable breach
Q2. What do you know about 4-factor risk assessment to determine if breach occurred?
(1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk has been mitigated; the assessment must be documented because the entity carries the burden of proof
Q3. What do you know about Notification to affected individuals?
without unreasonable delay and no later than 60 calendar days after discovery, by first-class mail (or email if the individual agreed); must include a description of the breach with the dates of the breach and of discovery, the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing about it, and contact procedures
Q4. What do you know about Notification to HHS?
breaches affecting 500 or more individuals: notify HHS without unreasonable delay and no later than 60 days after discovery, alongside individual notice; breaches affecting fewer than 500 individuals: log them and submit to HHS no later than 60 days after the end of the calendar year in which they were discovered (about March 1 of the following year)
Q5. What do you know about Notification to media?
breaches affecting more than 500 residents of a single state or jurisdiction require notice to prominent media outlets serving that state, without unreasonable delay and no later than 60 days after discovery; this is in addition to individual notification, and the threshold (more than 500 residents of one state) differs from the HHS threshold (500 or more individuals in total)