The HIPAA Breach Notification Rule: What it Really Means to Providers and Insurers

September 15th, 2017

For many providers and insurers, the Breach Notification Rule is still a puzzle waiting for a solution. Partly, this is because the rule is complex in itself and requires attention to every detail. And realistically, we cannot expect to be at our best in the moments after someone has stolen our sensitive information.

Do you understand the HIPAA breach notification rule?

To address this problem in the wake of rising health data breaches, we have compiled an easy-to-understand guide to the Breach Notification Rule. Let’s begin the journey with a quick overview of the Breach Notification Rule and its purpose.

Overview of Breach Notification Rule

The Breach Notification Rule is a part of the Health Information Portability and Accountability Act of 1996 (HIPAA).

The rule requires covered entities, where a breach or disclosure of patients’ unsecured protected health information (PHI) has taken place, to notify the following after confirming the breach in their organization:

  • The affected individuals.
  • The Secretary of HHS.
  • In some cases, the media.

Simply put, the HIPAA Breach Notification Rule protects patients’ right to privacy, secrecy, and information.

Know the Terminology Related to the Breach Notification Rule

What is A Breach?

A breach occurs when an unauthorized person accesses and/or discloses unsecured protected health information. Notably, the access or disclosure must result in a compromise of the security or privacy of the PHI.

What is Not A Breach?

Whether or not a given unauthorized access is a breach depends primarily on the extent of the damage that can result from the incident. That said, a breach does not include the following situations.

  1. Unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of a covered entity or business associate.
  2. Unintended disclosure of PHI by an authorized person to another authorized person. However, any further disclosure is a breach.
  3. The final exception is a bit harder to understand. It states, “the incident is not a breach if the covered entity or business associate strongly believes that the person who has the access is unable to retain the information.” What they are getting at is the belief that the PHI is unsafe and likely to be breached where it currently resides.

What is Unsecured PHI?

Unsecured protected health information is protected health information that is usable, readable, or decipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.

An unauthorized person may use, read, and decipher PHI that he/she obtains because your practice:

  • Does not encrypt or destroy the PHI.
  • Encrypts the PHI, but the decryption key is no longer secret.

How Much Time Does a Business Have to Report Breaches?

Businesses must report as soon as possible after they are sure a breach has taken place. The outer time limit depends on the number of individuals the disclosure has affected.

Breaches exposing the PHI of 500 or more individuals. In this case, the business has to report the breach to the Secretary of HHS promptly, and no later than 60 days from the date the breach was discovered. Note that breaches affecting 500 or more patients appear publicly on the OCR website. In addition to notifying the HHS Secretary, a business must:

  • Send breach notification letters to individual PHI owners.
  • Notify the media if the breach affects more than 500 residents of a state or jurisdiction.

Breaches exposing the PHI of fewer than 500 individuals. The business has to send the breach reports (for breaches affecting fewer than 500 individuals) to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred. In other words, these reports can be submitted annually, depending on the degree of potential damage.

Do All Breaches Need to Be Reported?

No. The HIPAA Breach Notification Rule does not require a report under certain circumstances. These include the situations where:

You can demonstrate through a risk assessment that there is a low probability that the use or disclosure compromised the unsecured PHI. In that case, breach notification is not necessary.

Not all HIPAA breaches need to be reported

Note: This breach-related risk assessment is different from the periodic security risk analysis required by the Security Rule.

You encrypt your data following the OCR guidance on rendering data unusable, unreadable, or indecipherable.

Note: It is critical that you keep the encryption key highly confidential. Do not store it with the data or in any location that would compromise it.

What You Should Know

This exemption from breach reporting is known as “safe harbor”. Safe harbor is highly advantageous to organizations, as it saves them from adverse publicity and probably a lawsuit.

Check state laws. Some states have chosen to eliminate safe harbor as an exemption for certain kinds of data breaches, and these laws seem to change frequently.

Finally, just because your data is encrypted does not mean that it meets the minimum guidelines for being secure under HIPAA. Weak forms of encryption do not fully protect the data and may cause a breach to be excluded from safe harbor.

Does the Breach Notification Rule Apply to Business Associates?

Of course.

The Breach Notification Rule requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.

If you are struggling to remember what a business associate is, here is a quick reminder: A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Where Do You Report Breaches?

You must report breaches by filling in the form on the web portal of the Office for Civil Rights (OCR) within:

  • 60 days of the discovery of a breach affecting 500 or more individuals.
  • 60 days of the end of the calendar year in which the breach was discovered (for a breach affecting fewer than 500 individuals). However, this does not mean you have to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals. You can notify OCR as soon as you discover them.

If you do not know the number of individuals affected at the time of submission, provide an estimate. If you learn the number later, you should submit an update.

If you have any questions, you may call HHS OCR toll-free at 1-800-368-1019, TDD: 1-800-537-7697 or send an email to

How Is the Breach Notification Letter Sent to Patients?

The covered entity where a breach has taken place must send breach notification letters to the affected individuals. Essentially, there must be no unreasonable delay in informing patients about breaches of their PHI.

The following information must be present in the breach notification letter:

  • An overview of the nature of the breach and detailed information on the type of data compromised. It should also include details of the steps the covered entity or business associate is taking to prevent similar incidents in the future.
  • Steps that the affected individual can take to prevent potential harm.
  • A toll-free number that connects affected individuals with the covered entity and answers their queries about the breach. The toll-free number must remain active for 3 months from the date the notification letter is issued.

Where is the List Showing Reported Breaches?

You can find the list of reported breaches on the HHS OCR web portal. The page lists all breach reports from the last 24 months that are currently under OCR investigation. You can also find archived breaches there. If you wish to learn more, you may use the “advanced options” for searching.

Penalties For Breach Notification Delay

You are liable for a penalty if you fail to notify the Secretary of HHS within the required time. The penalty amount varies greatly depending on the category of the violation. In any case, the maximum penalty does not exceed $1,500,000 for each violation of the HIPAA Rules.

Key Takeaways

  • The Breach Notification Rule protects patients’ right to information regarding breaches of their PHI.
  • It applies only to covered entities and their business associates.
  • The Breach Notification Rule has two categories of breaches: 1) those involving the PHI of 500 or more patients, and 2) those affecting fewer than 500 patients. All the procedures and requirements for breach notification depend on this category.
  • In special cases, an organization can avoid reporting a breach by properly encrypting the data. This is called “safe harbor”. But encryption alone does not guarantee safe harbor.

Learn how to better protect PHI in your communications: request a Free Consultation