Under the HIPAA Privacy Rule, a breach is defined as:
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
Based on this definition, merely having been vulnerable to a security exploit (e.g. Heartbleed) does not by itself constitute a breach and does not trigger the breach notification requirements.
So, just because you used a system that was vulnerable to Heartbleed does not mean that a breach occurred or that any type of reporting is needed. Imagine if it did … practically everyone would have to report, and that would overwhelm Health and Human Services!