HIPAA: The Breach Notification Rule

May 16, 2022

The HIPAA Breach Notification Rule requires covered entities and business associates to notify certain parties following a breach of unsecured Protected Health Information (PHI). The required notifications apply only when the breach involved unsecured PHI.

Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary and, in certain circumstances, to the media. In addition, a business associate providing services on behalf of a covered entity must notify that covered entity if a breach occurs at or by the business associate. The notifying party may be either the covered entity or the business associate under whom the breach occurred, a decision that may be made internally. 

A breach is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the used or disclosed PHI has been compromised, based on a risk assessment of at least the following factors: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated, including the efforts made to limit the PHI's exposure.

Covered entities must notify affected individuals following the discovery of a breach of unsecured PHI. These individual notifications must be provided without unreasonable delay, and in no case later than 60 days following the discovery of the breach. In the event of a breach affecting 500 or more residents of a state or jurisdiction, covered entities must also provide notice to the media within the same time frame.

Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that the use or disclosure of unsecured PHI did not constitute a breach. Thus, with respect to an impermissible use or disclosure, the covered entity or business associate must maintain documentation that all required notifications were made or, alternatively, documentation demonstrating that notification was not required, specifically: (i) its risk assessment showing a low probability that the PHI was compromised by the impermissible use or disclosure; or (ii) the application of any other exception to the definition of breach.

Matt DeNoncour is the owner of Magis Law Firm, a solo law firm based in Boston, MA, where he provides legal services to the healthcare, biotechnology, and business communities. You can reach Matt at magislawfirm.com, by phone at 857-242-6826, or by email at matt@magislawfirm.com. This post is not meant to be legal advice.
