Breach – Defined: An impermissible use or disclosure of unsecured protected health information (PHI) is presumed to be a breach unless the covered entity or business associate demonstrates that, based on a risk assessment, there is a low probability that the PHI has been compromised.
How to Perform a Risk Assessment: In performing a HIPAA breach risk assessment, a covered entity should consider factors that include, but are not limited to:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
If a covered entity has an incident and its risk assessment concludes there was a very low probability that the PHI was compromised, the incident does not rise to the level of a “breach” requiring individual, government, and media notice. If the risk assessment determines that a breach occurred, the covered entity must follow the appropriate breach notification procedures.
Breach Notification Requirements (the three notice types below are independent checklists, not aligned rows):
Individual Notice:
• No Later Than 60 Days Following Breach Discovery
• Provide Brief Description of the Breach
• Type of Information Involved in the Breach
• How Individuals Can Protect Themselves from Harm
• Description of Breach Investigation, Mitigation and Prevention
Media Notice:
• Breach Affecting 500+ Residents of State/Jurisdiction
• Notice to Prominent Media Outlets Serving Area
• Press Release to Appropriate Media Outlets
• No Later Than 60 Days Following Breach Discovery
• Must Include Same Information as Individual Notice
Dept. of HHS Notice:
• Notify Secretary of Breach of Unsecured PHI
• Fill Out and Electronically Submit a Breach Report Form
• Breach Affecting 500+: No Later than 60 Days Following Breach Discovery
• Breach Affecting < 500: Annually – No Later than 60 Days After Calendar Year-End
Exceptions to Breach Definition: The following are not considered a breach under HIPAA if such acquisition, access, or use was made in good faith, within the scope of authority, and does not result in further use or disclosure in an impermissible manner.
1. Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate.
2. Inadvertent disclosure of PHI when made by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate.
3. The covered entity or business associate has a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.