

What is considered a breach of HIPAA?


The HIPAA Breach Notification Rule (45 CFR 164.402) defines a breach as the "acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the protected health information." In practice, any impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless one of the exceptions below applies or the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised.


Exceptions to the breach definition

HIPAA regulations, however, carve out three situations that do not count as a breach:

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, made in good faith and within the scope of their authority, provided it does not result in further impermissible use or disclosure,
  • Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, provided the information is not further used or disclosed impermissibly,
  • A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information (for example, a misdirected letter returned unopened).

Additionally, a use or disclosure not permitted by the privacy rule may not be considered a breach if the covered entity or business associate can demonstrate through a risk assessment that there is a low probability of the PHI's security or privacy being compromised.

Read more: Healthcare privacy risk assessment 


Factors in a risk assessment

A risk assessment for determining whether a breach has occurred must consider several factors, including:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification,
  • The unauthorized person who used the PHI or to whom the disclosure was made,
  • Whether the PHI was actually acquired or viewed, as opposed to merely exposed (for example, a lost laptop recovered with forensic evidence that the disk was never accessed),
  • The extent to which the risk to the security or privacy of the PHI has been mitigated.

Read also: How to perform a risk assessment 


Notification requirements for HIPAA breaches

When a HIPAA breach is discovered, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. The notification should include a description of what happened, the types of PHI involved, steps individuals can take to protect themselves, what the covered entity is doing to investigate and mitigate the breach, and contact information for questions. For breaches affecting 500 or more individuals, covered entities must also notify the Department of Health and Human Services (HHS) within the same 60-day window and, where more than 500 residents of a state or jurisdiction are affected, notify prominent media outlets serving that area. Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Related: Navigating HIPAA’s Breach Notification Rule 


Business associate responsibilities

Entities that perform services on behalf of covered entities, known as business associates, are also subject to the breach notification rule. If a business associate discovers a breach, it must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and must provide the identities of affected individuals and any other information the covered entity needs to make its own notifications. The business associate agreement may set a shorter deadline, and it is common for covered entities to require one so they can meet their own 60-day clock.


Differences between violations and breaches

A HIPAA violation is an act or omission that fails to meet a HIPAA standard or implementation specification, such as not implementing physical safeguards to restrict workstation access. A violation can exist without any PHI being exposed. While violations can lead to breaches, only breaches are reportable events under the breach notification rule; violations without a breach are still enforceable, but they do not trigger notification duties.

See more: Understanding HIPAA violations and breaches 


Enforcement and penalties

The breach notification requirements were added by the HITECH Act of 2009 and place the burden of proof on covered entities and business associates: they must be able to demonstrate either that all required notifications were made or that a use or disclosure not permitted by the privacy rule did not constitute a breach (for example, by retaining the documented risk assessment). Failure to comply with the breach notification rule can result in significant penalties, including civil monetary penalties imposed by HHS and, for knowing wrongful disclosures, criminal penalties pursued by the Department of Justice.

Learn more: HIPAA Compliant Email: The Definitive Guide


FAQs

How can you identify a breach?

Identifying a HIPAA breach starts with recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. In practice this depends on controls that surface impermissible access in the first place: reviewing EHR and system access logs for access without a treatment, payment, or operations reason, running regular security assessments, and promptly investigating suspicious incidents such as misdirected emails or lost devices. The breach notification clock starts on the date the incident is discovered, or should reasonably have been discovered with due diligence, so early detection both limits harm and protects the organization's ability to meet the reporting deadlines.
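As an added illustration of the access-log review described above (example code, not part of the original article or any Paubox product), the following Python script scans constructed EHR audit-log lines and flags two patterns that typically warrant a breach risk assessment: a user viewing a patient's record without a documented treatment, payment, or operations relationship, and one user exporting several distinct patients' records within a short window. The log format, the care-team roster, and the one-hour/three-patient threshold are assumptions chosen for the example; real EHR audit logs and access policies differ.

```python
"""Flag audit-log events worth investigating as potential impermissible PHI access.

Added example, not Paubox's code. Log format, roster and thresholds are
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster (assumption): users with a documented treatment,
# payment or operations reason to access each patient's record.
CARE_TEAM = {
    "P1001": {"dr.rivera", "nurse.chen"},
    "P1002": {"dr.rivera", "billing.kim"},
    "P1003": {"dr.patel", "nurse.chen"},
}

# Constructed audit log (assumption): timestamp, user, role, action, patient id.
SAMPLE_LOG = """\
2024-03-04T09:12:03Z dr.rivera physician view P1001
2024-03-04T09:15:44Z nurse.chen nurse view P1001
2024-03-04T10:02:11Z billing.kim billing view P1002
2024-03-04T22:41:09Z nurse.chen nurse view P1002
2024-03-04T22:43:30Z nurse.chen nurse view P1003
2024-03-05T02:10:00Z it.ops admin export P1001
2024-03-05T02:10:01Z it.ops admin export P1002
2024-03-05T02:10:02Z it.ops admin export P1003
"""

BULK_THRESHOLD = 3            # distinct patients exported by one user ...
BULK_WINDOW = timedelta(hours=1)  # ... within this window


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, role, action, patient = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "role": role, "action": action, "patient": patient,
    }


def find_suspicious(log_text):
    """Return a list of findings; each is a dict with a 'rule' and details.

    Findings are leads for the four-factor risk assessment, not breach
    determinations in themselves.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: any access (view or export) by a user who is not on the
    # patient's roster is impermissible on its face and needs review.
    for e in events:
        if e["user"] not in CARE_TEAM.get(e["patient"], set()):
            findings.append({"rule": "no_relationship", "user": e["user"],
                             "patient": e["patient"], "ts": e["ts"].isoformat()})

    # Rule 2: one user exporting BULK_THRESHOLD or more distinct patients'
    # records inside BULK_WINDOW; flagged once per user.
    exports = defaultdict(list)
    for e in events:
        if e["action"] == "export":
            exports[e["user"]].append(e)
    for user, evs in exports.items():
        evs.sort(key=lambda x: x["ts"])
        for i, e in enumerate(evs):
            window = [x for x in evs[: i + 1] if e["ts"] - x["ts"] <= BULK_WINDOW]
            patients = {x["patient"] for x in window}
            if len(patients) >= BULK_THRESHOLD:
                findings.append({"rule": "bulk_export", "user": user,
                                 "patients": sorted(patients),
                                 "ts": e["ts"].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On the constructed log the script flags nurse.chen's late-night view of P1002 (no roster relationship) and the it.ops account's three exports, which trip both rules. Each finding is a starting point for the risk assessment factors listed earlier (who accessed what, whether it was actually viewed, and what mitigation is possible), not a breach determination on its own.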


What should individuals do if they believe their PHI has been breached?

Individuals who believe their PHI has been breached should report the incident to the covered entity or business associate responsible. They should also monitor their financial accounts and medical records for any signs of fraudulent activity.


What are the penalties for HIPAA violations?

The penalties for HIPAA violations depend on the level of culpability and the circumstances of the violation. Civil monetary penalties are tiered, from violations the entity did not know about (and could not reasonably have known about) up to willful neglect that is not corrected; the statutory figures range from $100 to $50,000 per violation, with an annual cap of $1.5 million for all violations of an identical provision, and HHS adjusts these amounts for inflation each year. Criminal penalties are separate and apply to knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA; they rise to fines of up to $250,000 and imprisonment for up to 10 years when the offense is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.


Are healthcare organizations liable for HIPAA breaches caused by their business associates?

Yes. A covered entity is directly liable for its own compliance and is also liable for a business associate that is acting as its agent, under the federal common law of agency, when the agent's conduct falls within the scope of the agency. Whether a business associate is an agent depends on the covered entity's right to control the business associate's work, not only on the label in the contract. Even where the business associate is not an agent, the covered entity remains responsible for making the required breach notifications once the business associate reports the incident.
