Breach Notification Rule
The HIPAA Breach Notification Rule establishes requirements that must be followed in the event of a breach of Unsecured Protected Health Information (“PHI”) held by a Covered Entity (“CE”) or Business Associate (“BA”). Note that the key word is “unsecured”. If a computer or other electronic storage device containing PHI is properly encrypted, its loss or theft would not be considered a breach of unsecured PHI. If, however, the computer was not encrypted, its loss or theft would be a breach of unsecured PHI. Password protection is not encryption. And a computer in “sleep mode”, even with encryption software, is not secure; the device must be turned off.
Presumption Of Breach – Ransomware Attack
Any Use or Disclosure of unsecured PHI by a CE or BA not permitted by the Privacy Rule is presumed to be a breach, unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised. A breach will be treated as discovered as of the first day on which the breach is known, or should reasonably have been known, to the CE or BA. A Ransomware Attack that encrypts EPHI maintained by a Covered Entity or Business Associate is presumed to be a Breach unless the victimized organization can demonstrate a low probability of compromise to the EPHI. Ransomware attacks that make EPHI unavailable for patient treatment may jeopardize patient safety and call for prompt breach notification to affected individuals.
Breach Risk Assessment - Determine if there is a Low Probability that PHI Has Been Compromised
The probability of PHI compromise requires consideration of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated; and
- In the case of a Ransomware Attack, prompt evaluation of any issues that compromise patient safety.
Notification of Breach to Affected Individuals
A CE must notify affected individuals without unreasonable delay and within sixty (60) calendar days from discovery of the breach, except for circumstances involving a delay requested by law enforcement. The notice of breach must provide information describing the PHI involved; steps the individual should take for protection; steps the CE is taking to investigate, mitigate harm and prevent further breaches; and contact information for individuals to learn more, including a toll-free telephone number, an e-mail address, website, or postal address.
Breaches Affecting More Than 500 Individuals
If the breach involves unsecured PHI of more than 500 residents of a state or jurisdiction, the CE must provide notice of the breach to prominent media outlets in the state/jurisdiction. CEs must report breaches affecting 500 or more individuals to HHS immediately, regardless of where the individuals reside. “Immediately” is generally considered to mean at the same time notification is sent to the affected individuals.
Annual Breach Report to HHS
All breaches of unsecured PHI affecting fewer than 500 individuals must be reported to HHS within sixty (60) days after the end of the calendar year in which the breach was discovered.
Report of Breach from BA to CE
A BA must notify Covered Entities within sixty (60) days of discovery of a breach of unsecured PHI. The CE is ultimately responsible for notifying individuals of the breach. For a breach by a BA, the CE must notify individuals within sixty (60) days of the CE's receipt of notification of the breach from the BA, unless the BA is an “agent” of the CE, in which case discovery of the breach by the BA starts the sixty (60) day notification period for the CE.
The HHS "Wall of Shame"
HHS maintains the so-called “Wall of Shame” on its website, documenting breaches of unsecured protected health information affecting 500 or more individuals.