Between April 2003 and October 2024, the U.S. Department of Health and Human Services (HHS) recorded a staggering 374,322 HIPAA breaches reported by covered entities.
According to the HHS, "The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI)."
What is a HIPAA breach?
The Code of Federal Regulations defines a breach as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information."
Any use or disclosure of PHI that is not permitted by the Privacy Rule and that compromises the security or privacy of the PHI is considered a breach. You can read more about what constitutes a HIPAA breach here.
What are the exceptions?
In some instances, an incident does not count as a breach and the covered entity need not take any action, provided one of the following applies:
- Unintentional access of PHI by a person acting under the authority of a covered entity, as long as the information is not further used or disclosed inappropriately.
- Inadvertent disclosure of PHI to another authorized individual within the same organization, as long as it is not further used or disclosed inappropriately.
- If a risk assessment demonstrates a low probability that the PHI has been compromised, the incident may not be considered a breach.
What happens next?
The HHS states, "When a HIPAA breach occurs, different procedures exist for reporting the event depending on the number of unsecured patient records impermissibly acquired, accessed, used, or disclosed."
Covered entities are required to provide notification of the breach to the affected individuals, the Secretary, and in some instances, the media.
The HIPAA Breach Notification Rule outlines the steps that covered entities and their business associates must take after a breach. The rule requires the following actions:
Notifying individuals: Covered entities need to notify affected individuals of a breach within 60 days of its occurrence.
This notification must include:
- Description of the breach
- Type of information that may have been accessed, such as Social Security numbers or contact details
- Steps that the affected individuals can take to protect themselves from harm, such as changing their passwords and monitoring their financial accounts
- A brief description of the actions that the covered entity is taking to investigate the breach and to prevent further breaches
- The covered entity's or business associate's contact information.
Notifying the media: If the breach affects more than 500 individuals, the covered entity should notify the media within 60 days of the breach occurring. This notice needs to include the same information as the individual notice and can be done in a press release to news outlets that cover the affected area.
Notifying the Secretary: In addition to the above steps, covered entities must notify the Secretary by visiting the HHS website and filling out and electronically submitting the breach report form.
- If the breach affects more than 500 individuals, the Secretary must be notified within 60 days of the breach being discovered.
- If the breach affects fewer than 500 individuals, the Secretary may be notified no later than 60 days after the end of the calendar year in which the breach occurred.
Notifications by the business associate: If a business associate experiences a breach, they must notify the covered entity within 60 days of the breach.
This notice can include information about the identity of the individuals affected by this breach as well as any other information required by the covered entity.
FAQs
What is the Breach Notification Rule?
The Breach Notification Rule requires covered entities and business associates to notify patients following a breach involving unsecured information.
What if you fail to send a breach notification?
Failure to send a breach notification is a HIPAA violation and can lead to penalties from OCR (the HHS Office for Civil Rights) and state attorneys general.
What is the Privacy Rule?
The HIPAA Privacy Rule is a set of standards meant to protect health information from unauthorized use and disclosure by covered entities.