What’s the Breach Notification Rule for HIPAA?

A data breach within your business: you think it won't happen, you hope it doesn't happen, but what if it does? What are your next steps?

Timing is Everything

Like most things in healthcare, timing is essential. You need to think quickly and act swiftly at a moment when you may be least prepared to do so. And again, like our own health, preparation today can allow for survival and a healthy outcome in the end.

Doing a risk assessment is the first step. You can’t fix what you’re unaware of. If there are gaps in your security posture, they need to be addressed by you, not found by a cybercriminal. Then these gaps can be closed, the weaknesses strengthened, and ongoing education can be set up alongside strong cybersecurity and HIPAA compliance products and tools. Being proactive is key in saving time, money, and potentially your business, but if you are reading this because you’ve been breached, or suspect you’ve been breached, you’ll need to kick into reactive mode – quickly.

What is a Breach?

The US Department of Health and Human Services (HHS) defines a breach as “generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” If your business can demonstrate that there is a low probability that the PHI has been compromised, then the incident does not have to be treated as a “breach” – but it is still something to address. Demonstrating this low probability is based on a risk assessment of the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.

What Next?

If you are determined to have been the victim of a breach, you need to follow the Breach Notification Requirements. This means that as a covered entity, you must notify the individuals who are affected, the Secretary of Health and Human Services, and, in certain circumstances, the media. Notice to the individuals must be in written form via first class mail, or by e-mail IF the affected person has agreed to receive notifications electronically. Should it be discovered that the contact information for 10 or more of the affected individuals is outdated, substitute notice must be given either by posting on the covered entity's home page for 90 days or by an alert in major print or broadcast media in the market where the individuals reside. This alert must include a toll-free phone number that people can call to find out whether they were affected by the breach.

The covered entity has 60 days following the discovery of the breach to provide these individual notifications, which should include a description of the breach and a description of the information that was compromised. The notification must also include the steps affected individuals should take to protect themselves, along with a brief description of what the covered entity is doing to investigate the breach, mitigate the damage, and prevent future breaches.

If you are involved in a breach, there are additional steps and measures that should be taken immediately or as soon as possible. There are different rules that apply to business associate relationships and additional administrative requirements that must be followed, and without the guidance of a trusted advisor in a situation like this, you may be opening your business up to further damage.

While most employees have “some understanding” of HIPAA, having the right partner with you during these times is as critical as hiring a qualified electrician to wire your house – not someone who has “some understanding” of how it should be done.


We are a proud partner of HIPAA Secure Now!, a company of HIPAA experts dedicated to helping medical entities stay compliant and keeping their data safe. Contact us today to learn more about our HIPAA compliance and cybersecurity offerings.

Thank you HIPAA Secure Now! (www.HIPAAsecurenow.com) for the contents of this article.



Tracy Hardin

Tracy Hardin is President and founder of Next Century Technologies in Lexington, KY. She has a bachelor's degree in computer science from the University of Kentucky and has earned certifications from Novell, Cisco and CompTIA. Her specialties in the field of IT are network design and security, project management and improving productivity through technology. She loves helping people by sharing her knowledge of tech.