Paubox blog: HIPAA compliant email made easy

Exceptions to HIPAA breach notifications rules

Written by Farah Amod | June 21, 2024

HIPAA safeguards protected health information (PHI) and requires covered entities and their business associates to promptly inform individuals and the Department of Health and Human Services (HHS) in the event of a breach. However, there are exceptions to HIPAA breach notifications that healthcare providers and other covered entities should be aware of, such as unintentional access, accidental disclosure, or unauthorized retention. 

 

What is a HIPAA breach?

HHS defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment." 

Conducting a comprehensive risk assessment assists in determining whether a breach has occurred. Factors include:

  • The nature and extent of the PHI involved
  • The likelihood of re-identification
  • The unauthorized personnel involved
  • The type of information accessed
  • The level of risk mitigation undertaken

Read more: HIPAA Compliant Email: The Definitive Guide

 

Understanding breach exceptions

The exceptions to HIPAA breach notifications give covered entities guidelines for making accurate decisions, mitigating potential harm, and preventing disruptions to healthcare operations.

While prompt breach notifications protect patient privacy and security, not all incidents require immediate notifications.

See also: Understanding HIPAA violations and breaches

 

Exceptions to HIPAA breach notification

While immediate breach notification is typically required under HIPAA, there are three exceptions to HIPAA breach notifications. These exceptions acknowledge situations where the breach may not pose a significant risk to the privacy and security of PHI.

 

Unintentional access to PHI

If an employee unintentionally comes into contact with or uses PHI while acting in good faith and within their authorized role, the breach exception may apply. Two conditions must be met for this exception: the access or use must be unintentional and in good faith. Furthermore, the employee must refrain from disclosing the PHI in a manner prohibited by the HIPAA Privacy Rule.

 

Accidental disclosure to authorized personnel

When an individual authorized to access PHI shares it with another authorized person within the same covered entity, business associate, or organized healthcare arrangement, an exception can be invoked. To qualify for this exception, the disclosed information must remain within authorized channels and should not be used or shared improperly.

 

Unauthorized retention 

In cases where a covered entity genuinely believes that the unauthorized recipient of PHI would not have been able to retain the information, breach notification requirements may be waived.

 

Permitted uses and disclosures under HIPAA

While breach exceptions provide some leeway, there are also permitted uses and disclosures of PHI under HIPAA. The Department of Health and Human Services (HHS) outlines instances where healthcare providers can share PHI without explicit patient consent.

 

Treatment purposes

Healthcare providers can share PHI for treatment purposes, even without prior patient authorization. 

 

Healthcare operations activities

Covered entities can disclose PHI to other covered entities or their business associates for specific healthcare operations activities, even without patient consent. However, both entities should have a relationship with the patient, the requested PHI must pertain to that relationship, and the disclosing entity must only provide the minimum necessary information for the procedure or operation.

 

HIPAA breach notification requirements

While the exceptions provide some relief from immediate breach notifications, there are HIPAA breach notification requirements for situations that do not fall under these exceptions.

 

Individual notice

Covered entities must inform affected individuals within 60 days of discovering a breach. They can use letters or emails to notify individuals. If contact details for ten or more individuals are outdated, alternative methods such as posting the notice on the covered entity's website or using local media can be used.

 

Media notice

If a breach affects over 500 individuals in a state or jurisdiction, covered entities must also notify the media in that area. This can be done through press releases or other appropriate means. 

 

HHS Secretary's notice

Covered entities must inform the HHS Secretary about breaches through a form on the HHS website.

 

Notification by a business associate

If a business associate is responsible for a breach, they must also inform the covered entity within 60 days of discovering the breach.


In the news

On April 26, 2024, the Federal Trade Commission (FTC) updated the Health Breach Notification Rule to include revised definitions and protocols that extend its coverage to health apps and other technologies not covered by HIPAA. This rule now requires vendors of personal health records and related entities to notify affected individuals, the FTC, and sometimes the media about any breach of unsecured personally identifiable health data. 

The updated rule, approved by a narrow 3-2 vote, also specifies new requirements for the content and methods of breach notifications, including the use of electronic communication like email. This action is based on feedback from approximately 120 comments received after a Notice of Proposed Rulemaking issued in May 2023.

See more: FTC enhances data protections with updated Breach Notification Rule 

 

FAQs

What actions must covered entities take if a HIPAA breach falls under one of the exceptions?

If a HIPAA breach falls under one of the exceptions outlined in the breach notification rule, covered entities are not required to notify affected individuals, HHS, or the media. However, covered entities must still document the breach and their determination that it falls under an exception. They should also take corrective action to prevent similar breaches in the future.

 

How does HIPAA define "low probability" in determining whether a breach exception applies?

HIPAA does not provide a specific definition of "low probability" in the context of breach exceptions. Instead, covered entities and business associates must conduct a risk assessment to determine whether there is a low probability that the PHI has been compromised. Factors to consider include the nature and extent of the PHI involved, the unauthorized person who accessed the PHI, whether the PHI was actually viewed or acquired, and the extent to which the risk to the PHI has been mitigated.

 

What documentation is required if a covered entity determines that a breach falls under an exception?

If a covered entity determines that a breach falls under one of the exceptions to reporting requirements, they must document the breach and the basis for determining that it meets the criteria for the exception. This documentation should include details of the breach, the individuals involved, the scope of the PHI affected, and the rationale for concluding that there is a low probability of compromise. Keeping thorough records is necessary to demonstrate compliance with HIPAA regulations.