HIPAA Breach of Unsecured PHI

A HIPAA breach of unsecured protected health information (PHI) occurs when PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule in a way that compromises the security or privacy of the PHI. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media following a breach.

The rule carves out three exceptions: unintentional acquisition, access, or use by a workforce member or person acting under the entity's authority, made in good faith and within the scope of that authority, with no further impermissible use or disclosure; inadvertent disclosure between two people who are both authorized to access PHI at the same covered entity, business associate, or organized health care arrangement; and disclosures where the entity has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

Any impermissible use or disclosure is presumed to be a breach unless the entity can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised, based on at least the following four factors:
– The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
– The unauthorized person who used the PHI or to whom the disclosure was made.
– Whether the PHI was actually acquired or viewed.
– The extent to which the risk to the PHI has been mitigated.

Under Section 13402(h) of the HITECH Act (Public Law 111-5), protected health information (PHI) is "unsecured" if it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a technology or methodology specified by the Secretary of HHS. The HHS guidance issued under that section specifies that PHI is secured if:
– Electronic PHI is encrypted with a process consistent with NIST guidance (NIST SP 800-111 for data at rest; NIST SP 800-52, 800-77, or 800-113 for data in transit), so that unauthorized individuals cannot read the data without the decryption key. Encryption only counts if the key itself has not been compromised, which is why the guidance expects the key to be stored on a device or at a location separate from the encrypted data.
– Paper, film, or other hard-copy PHI is shredded or destroyed such that it cannot be read or otherwise reconstructed.
– Electronic media containing PHI is cleared, purged, or destroyed in accordance with NIST Special Publication 800-88, so that the data cannot be retrieved.
If PHI is not protected by one of these methods, it is unsecured, and any impermissible use or disclosure of it may trigger breach notification requirements. Conversely, loss of a properly encrypted laptop whose key was not exposed is not a reportable breach of unsecured PHI, although it is still a security incident that must be handled under the Security Rule.
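The encryption prong above is the one that most often decides whether a lost device is a reportable breach. The following example, added here and not taken from the HHS guidance or any vendor product, applies AES-256-GCM (an authenticated mode from NIST SP 800-38D) to a constructed patient record and shows the properties that matter for the "unusable, unreadable" test: the ciphertext cannot be opened with the wrong key, any modification is detected, and the key is a separate secret that must be stored apart from the data. The function names and the sample record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecord is a constructed, fictitious ePHI record used only to exercise
// the code below; it is not real patient data.
var SampleRecord = []byte(`{"name":"Jane Doe","mrn":"000123","dx":"J45.20"}`)

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In practice this key
// lives in a KMS/HSM or at least on a different device than the data it protects;
// if the key is exposed along with the data, the data is unsecured.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted (e.g. a record identifier), so it is
// bound to the ciphertext without being hidden.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM nonces must never repeat under the same key; a random 96-bit nonce
	// is acceptable for the record volumes of a single application key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails (returning an error, never partial plaintext)
// if the key is wrong, the ciphertext or tag was altered, or the aad differs.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record-id:000123")
	sealed, err := Seal(key, SampleRecord, aad)
	if err != nil {
		panic(err)
	}
	// What an attacker who finds the device sees: the blob, not the record.
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)

	if _, err := Open(key, sealed, aad); err != nil {
		panic(err)
	}
	fmt.Println("correct key: record recovered")

	wrongKey, _ := NewKey()
	if _, err := Open(wrongKey, sealed, aad); err != nil {
		fmt.Println("wrong key: rejected:", err)
	}

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Open(key, tampered, aad); err != nil {
		fmt.Println("tampered blob: rejected:", err)
	}
}
```

The breach analysis then turns entirely on the key: if the device held the key (or a passphrase that derives it) next to the data, the PHI was never "secured" and the four-factor risk assessment applies as for plaintext.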

A covered entity must notify affected individuals of a breach of unsecured protected health information (PHI) without unreasonable delay and in no case later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to the entity, or by exercising reasonable diligence would have been known, so the clock does not wait for the investigation to finish. The notification should include:
– A brief description of the breach: What happened, including the date of the breach and date of discovery.
– Types of PHI involved: Whether names, Social Security numbers, medical records, or financial data were exposed.
– Steps individuals should take: Guidance on how affected individuals can protect themselves from potential harm.
– Actions taken by the covered entity: How the entity is investigating, mitigating harm, and preventing future breaches.
– Contact information: A toll-free number, email, website, or postal address for individuals to ask questions or get more details.

The notification must be provided in written form, by first-class mail or by email if the individual has agreed to electronic notice. Where contact information is insufficient or out of date, the entity must provide substitute notice: for fewer than 10 individuals, an alternative written notice, telephone call, or other means; for 10 or more, either a conspicuous posting on the entity's website home page for 90 days or notice in major print or broadcast media, together with a toll-free number active for at least 90 days. Separately from substitute notice, a breach involving more than 500 residents of a State or jurisdiction also requires notice to prominent media outlets serving that area.

Business Associate

Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), both covered entities and business associates can be responsible for a breach of unsecured protected health information (PHI), depending on the circumstances.

A business associate must notify the covered entity of a HIPAA breach involving unsecured protected health information (PHI) without unreasonable delay and no later than 60 days after discovery. The notification should include:
– Identification of affected individuals: Names of those whose PHI was accessed, acquired, used, or disclosed.
– Details of the breach: Description of what happened, when it occurred, and how it was discovered.
– Types of PHI involved: Information on whether names, Social Security numbers, medical records, or financial data were exposed.
– Mitigation efforts: Steps taken to contain the breach, prevent further harm, and reduce risks.
– Required information for individual notifications: Any additional details the covered entity must include in its breach notification to affected individuals.

The Business Associate Agreement (BAA) between the two parties typically spells out each side's responsibilities for breach response and notification. The covered entity remains legally responsible for notifying affected individuals, the Department of Health and Human Services (HHS), and, if applicable, the media. The BAA may, however, delegate the actual sending of notifications to the business associate, or require the business associate to reimburse the covered entity for some or all of the costs of the breach and the notifications.

If a covered entity itself causes a breach, it must notify affected individuals within 60 days of discovery. For a breach affecting 500 or more individuals, HHS must be notified contemporaneously with individual notice (no later than 60 days after discovery), and prominent media outlets must be notified if more than 500 residents of a State or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.

Security Incident

Under the HIPAA Security Rule (45 CFR § 164.304), a security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system. Because the definition covers attempts, unsuccessful hacking attempts, blocked phishing messages, and contained malware infections all qualify as security incidents even when no electronic protected health information (ePHI) is actually exposed. A security incident is therefore a much broader category than a breach: every breach of ePHI is a security incident, but most security incidents are not breaches. Covered entities and business associates must have policies and procedures in place to identify, respond to, mitigate, and document security incidents.

The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures to address security incidents, ensuring timely identification, response, mitigation, and documentation of threats to electronic protected health information (ePHI). Under the security incident procedures standard at 45 CFR § 164.308(a)(6)(i) and its implementation specification at § 164.308(a)(6)(ii), organizations must:
– Define security incidents: Establish criteria for identifying unauthorized access, use, disclosure, modification, or destruction of ePHI.
– Develop response protocols: Implement procedures to detect, investigate, and contain security incidents.
– Mitigate harmful effects: Take corrective actions to reduce risks and prevent recurrence.
– Document incidents and outcomes: Maintain records of security events, response actions, and resolutions.
– Report incidents as required: Ensure compliance with internal policies and regulatory reporting obligations.
The Security Rule allows flexibility in how organizations structure their security incident policies, enabling them to tailor responses based on risk assessments and operational needs.

Business associates are required to report all security incidents, including unsuccessful attempts, to the covered entity they serve. The HIPAA Security Rule mandates that business associates identify, respond to, mitigate, and document security incidents. However, the level of detail, frequency, and format of these reports can be defined in the Business Associate Agreement (BAA).