Breach Notices

Posted by BAS - 15 February, 2018


The HIPAA rules require covered entities to provide notification after a breach of unsecured protected health information. A breach is an impermissible use or disclosure of protected health information that compromises its security or privacy. An impermissible use or disclosure is presumed to be a breach unless the covered entity demonstrates by a risk assessment that there is a low probability that the PHI has been compromised.

There are three exceptions under which a use or disclosure is not considered a breach. The first exception applies when the unintentional use is by a workforce member acting under the authority of a covered entity, if the use was made in good faith and within the scope of that authority. The second applies when the disclosure is by a person authorized to access the PHI to another person authorized to access PHI, and the information is not further used or disclosed. The third applies if the covered entity has a good faith belief that the unauthorized person who received the impermissible disclosure would not have been able to retain the information.

Notification may be required only if the information is “unsecured.” Unsecured PHI is information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology required under the HIPAA rules.

After a breach of unsecured PHI, a covered entity must provide notice of the breach to affected individuals, the Secretary of the Department of Health and Human Services, and in certain cases, to the media.

The individual notice must be provided without unreasonable delay, and in no case later than 60 days following discovery of the breach. Notice to the media is required only if the breach affects more than 500 residents of a state or jurisdiction and must be made within the same time as the individual notice. Notice to the Secretary of HHS is completed online. For breaches impacting 500 or more residents of a state or jurisdiction, notice must be provided without unreasonable delay and in no case later than 60 days following a breach. If the breach impacts fewer than 500 people, notice to the Secretary is due no later than 60 days after the end of the calendar year in which the breach was discovered.

Topics: MyEnroll360 Security
