What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. A breach is generally defined as the impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of the protected information.
An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised based on a thorough risk assessment.
Who Must Comply with Breach Deadlines?
These requirements apply directly to HIPAA covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. They also apply to business associates, the third-party vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity.
When a business associate discovers a breach, it must notify the covered entity without unreasonable delay, and in no case later than 60 days from discovery. The covered entity then remains responsible for ensuring that the final notifications to individuals, HHS, and (where required) the media are issued on time.
The 60-Day Clock for Individual Notifications
Under the rule, covered entities must notify affected individuals without unreasonable delay and in no case later than 60 days following the discovery of a breach. The discovery date is the first day the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee or agent of the entity.
It is critical to note that 60 days is the absolute outer limit, not a target. The 'without unreasonable delay' standard means that if an organization can reasonably notify individuals within 15 or 30 days, it is expected to do so. Delay beyond what is reasonable is permitted only at the request of law enforcement.
The 500-Patient Threshold: HHS and Media Notification
The number of individuals affected dictates how and when HHS and the media must be notified. If a breach affects 500 or more individuals, the covered entity must notify the Secretary of HHS concurrently with the individual notices, that is, within the same 60-day timeframe.
Furthermore, if a breach affects more than 500 residents of a specific state or jurisdiction, the entity must also provide notice to prominent media outlets serving that region, also within 60 days.
For breaches affecting fewer than 500 individuals, the entity must still notify the affected people within 60 days. However, the notice to the HHS Secretary may be submitted annually, no later than 60 days after the end of the calendar year in which the breaches were discovered.
The 4-Factor Risk Assessment
Before treating an incident as a notifiable breach, an entity may conduct a risk assessment to determine whether there is a low probability that the PHI was compromised. If a low probability is demonstrated and documented, notification may not be required.
HHS requires the risk assessment to evaluate at least the following four factors:
- Factor 1: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- Factor 2: The unauthorized person who used the PHI or to whom it was disclosed.
- Factor 3: Whether the PHI was actually acquired or viewed.
- Factor 4: The extent to which the risk to the PHI has been mitigated.
Frequently asked questions
When does the 60-day HIPAA breach notification clock officially start?
The clock starts on the date the breach is discovered, which means the first day the entity knows or should have known about the breach, not the date the investigation is finished.
What happens if law enforcement asks us to delay notification?
If a law enforcement official states that a notification would impede a criminal investigation, you may delay the notice. The delay must be documented and limited to the period specified by the official.
Are business associates allowed 60 days to report a breach to the covered entity?
Yes, 60 days is the outer limit, but the report must still be made 'without unreasonable delay'. Covered entities often require much shorter reporting windows (e.g., 24 to 72 hours) in their Business Associate Agreements.
Does encrypted data trigger a breach notification?
If the compromised PHI was properly encrypted according to NIST standards and the decryption key was not also compromised, the PHI is considered secured. Its loss or disclosure is therefore not a breach of unsecured PHI and does not require notification.