HIPAA Breach Notification Rule

Ep. 84: Know The Rules! HIPAA Breach Notification Rule

HHS is not the only game in town

In this week’s installment of Know The Rules! I am breaking down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, directly from Health and Human Services (HHS).

The HIPAA Breach Notification Rule requires Covered Entities (CEs) AND their Business Associates (BAs) to provide notification following a breach of unsecured protected health information (PHI).


Did you also know that the Federal Trade Commission (FTC) and State Attorneys General have also implemented and enforced similar breach notification provisions that apply to vendors (i.e., BAs) of personal health records AND their third-party service providers?

CEs and BAs that fail to comply with HIPAA Rules can AND have received civil and criminal penalties.

You should know the Office for Civil Rights (OCR) opens a compliance review of ALL reported breaches that affect 500 or more individuals, and of many breaches affecting fewer than 500.

Don’t give them an engraved invitation into YOUR business!!

HIPAA alli

And IF it DOES happen, be sure ALL your compliance ducks are in a row. They WILL be looking…

The Breach Notification Rule: What to Do If You Have a Breach

A healthcare breach is an impermissible use OR disclosure under the Privacy Rule that compromises the security OR privacy of your patients’ PHI.

An impermissible use OR disclosure of unsecured protected health information is presumed to be a breach unless the CE or BA demonstrates, based on a breach risk assessment, that there is a low probability that the patient’s PHI has been compromised.

When a breach of unsecured protected health information DOES occur, the Breach Rule requires CEs to notify affected individuals, the Secretary of HHS, AND, in some cases, the media. I’ll explain this in more detail later when I discuss Reporting Breaches.

Here are some examples of Secured and Unsecured PHI:

The Breach Notification Rule requires CEs to notify affected individuals, and the Secretary of HHS of the loss, theft, or other impermissible uses or disclosures of unsecured PHI.

CEs must promptly notify the Secretary of HHS if there is any breach of unsecured protected health information that affects 500 or more individuals, and they must notify the media if the breach affects more than 500 residents of a state or jurisdiction.

If a breach affects fewer than 500 individuals, the CE MUST notify the Secretary AND affected individuals. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days AFTER the end of the calendar year in which the breach occurred.

HHS Breach Portal a.k.a. “Wall of Shame”

Significant breaches ARE investigated by OCR, and penalties may be imposed for failure to comply with the HIPAA Rules. Breaches that affect 500 or more patients are publicly reported on the OCR website, affectionately referred to as the “Wall of Shame.”

This is NOT a place YOU want to be. Once your name is on the wall it is forever on the wall!!

Similar breach notification provisions, implemented AND enforced by the Federal Trade Commission, apply to Personal Health Record (PHR) developers AND their third-party service providers.

If you can demonstrate through a risk assessment that there is a low probability that the use OR disclosure compromised unsecured protected health information, then breach notification is not necessary.

It is important to remember the Breach Risk Assessment is NOT the same as the periodic security risk analysis required by the Security Rule.

And, if you encrypt your data in accordance with the OCR guidance regarding rendering data unusable, unreadable, or indecipherable, you may avoid reporting what would otherwise have been a reportable breach.

Remember, encryption depends on the encryption key being kept highly confidential, so do NOT store it with the data OR in a location that would compromise it.
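As an added example (not code from this episode, from HHS/OCR, or from any product), the Go program below shows the practical shape of that safe harbor: PHI encrypted at rest with AES-256-GCM, with only a key identifier stored beside the ciphertext, and a single pre-write check that refuses to persist any blob carrying the key itself. The key ID string, the sample record and the `PersistRecord`/`LeaksKey` helpers are assumptions for illustration; which encryption processes actually qualify is defined by the OCR guidance the episode references, not by this code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// StoredRecord is everything that is allowed to sit next to the PHI on disk:
// a key *identifier*, the nonce and the ciphertext. The key itself is fetched
// from a separate secret store (KMS/HSM) at use time and is never serialized.
type StoredRecord struct {
	KeyID      string `json:"key_id"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// NewKey returns a fresh 256-bit key for AES-256-GCM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI encrypts one record under key. keyID (an assumed handle into the
// secret store) is bound as additional authenticated data so a stored record
// cannot later be re-pointed at a different key unnoticed.
func EncryptPHI(key []byte, keyID string, plaintext []byte) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return StoredRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPHI reverses EncryptPHI. Any change to nonce, ciphertext or key_id
// fails GCM's tag check and returns an error instead of garbage plaintext.
func DecryptPHI(key []byte, rec StoredRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

// LeaksKey reports whether a serialized blob carries the key, either raw or
// in the base64 form that encoding/json uses for []byte fields.
func LeaksKey(blob, key []byte) bool {
	b64 := base64.StdEncoding.EncodeToString(key)
	return bytes.Contains(blob, key) || bytes.Contains(blob, []byte(b64))
}

// PersistRecord is the one choke point before anything is written next to
// the PHI: it serializes payload and refuses it if the key travels with it.
func PersistRecord(payload interface{}, key []byte) ([]byte, error) {
	blob, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	if LeaksKey(blob, key) {
		return nil, errors.New("refusing to store encryption key alongside encrypted PHI")
	}
	return blob, nil
}

// unsafeBundle is the anti-pattern the episode warns against: the key
// serialized beside the ciphertext, which defeats the point of encrypting.
func unsafeBundle(rec StoredRecord, key []byte) interface{} {
	return struct {
		StoredRecord
		Key []byte `json:"key"`
	}{rec, key}
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; not real patient data.
	phi := []byte(`{"mrn":"000123","dx":"hypertension"}`)
	rec, _ := EncryptPHI(key, "kms/phi-key-v1", phi)
	if blob, err := PersistRecord(rec, key); err == nil {
		fmt.Printf("safe to store (%d bytes, no key material)\n", len(blob))
	}
	if _, err := PersistRecord(unsafeBundle(rec, key), key); err != nil {
		fmt.Println("blocked:", err)
	}
}
```

The check in `PersistRecord` is deliberately dumb (substring match on the raw and base64 key) so it can sit in front of every storage write without knowing the record layout; the real control is that the key only ever exists in the secret store and in process memory, which is what the episode's "do NOT store it with the data" comes down to.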

Join us in our new Members Only platform to access your copy of our HIPAA Breach Notification checklist.