Under the HIPAA Breach Notification Rule (45 CFR 164.402), a breach is "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information." Since the 2013 Omnibus Rule, any impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless one of the regulatory exceptions applies or a documented risk assessment shows a low probability that the PHI has been compromised.
The rule provides three exceptions to this definition. The first covers unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of a covered entity or business associate, provided it was made in good faith, within the scope of that person's authority, and does not result in further impermissible use or disclosure. The second covers an inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, again provided the information is not further used or disclosed impermissibly. The third covers a disclosure where the entity has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
Additionally, a use or disclosure not permitted by the privacy rule may not be considered a breach if the covered entity or business associate can demonstrate through a risk assessment that there is a low probability of the PHI's security or privacy being compromised.
A risk assessment for determining whether a breach has occurred must consider at least the following four factors:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the PHI or to whom it was disclosed.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.
The assessment and its conclusion must be documented, because the entity bears the burden of proving that notification was not required.
When a breach is discovered, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. The notice must describe what happened (including the dates of the breach and of its discovery, if known), the types of PHI involved, the steps individuals should take to protect themselves, what the entity is doing to investigate, mitigate harm, and prevent recurrence, and how to contact the entity. For breaches affecting 500 or more individuals, the entity must also notify the Department of Health and Human Services (HHS) within the same 60-day window and, where 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
Business associates, the entities that handle PHI while performing services on behalf of covered entities, are also subject to the breach notification rule. A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery (the business associate agreement may set a shorter deadline), and must supply the identities of the affected individuals and any other information the covered entity needs to make its own notifications.
A HIPAA violation is an act or omission that fails to meet a HIPAA standard or implementation specification, such as not implementing physical safeguards to restrict workstation access. A violation can lead to a breach, but only breaches are reportable events under the breach notification rule; violations that expose no PHI are compliance failures rather than breaches.
Under the HITECH Act of 2009 and its implementing regulations, the burden of proof sits with the covered entity or business associate: it must be able to demonstrate that all required notifications were made, or that an impermissible use or disclosure did not constitute a breach. Failure to comply with the breach notification rule can result in significant penalties, including civil monetary penalties and, in some cases, criminal prosecution.
Identifying a HIPAA breach means recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. In practice this depends on reviewing access-audit logs for access that has no treatment or business justification, conducting regular security assessments, and promptly investigating suspicious incidents. Early detection limits the harm to individuals and, because the 60-day notification clock starts at discovery, leaves more time to complete the risk assessment and notifications.
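The following is an added example, not code from the original page, showing what "monitoring access logs" looks like as a concrete review and how the reporting deadlines above follow from the discovery date. The audit-log lines, the care-team roster, the business-hours window, and the bulk-access threshold are all constructed or assumed for illustration; real EHR audit formats and the thresholds a covered entity adopts will differ.

```python
import json
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed EHR access-audit log (hypothetical data, one JSON record per line).
SAMPLE_LOG = """
{"ts": "2024-03-04T09:12:00", "user": "dr.lee", "patient": "P001", "action": "view"}
{"ts": "2024-03-04T09:15:00", "user": "dr.lee", "patient": "P002", "action": "view"}
{"ts": "2024-03-04T22:40:00", "user": "billing.kim", "patient": "P003", "action": "export"}
{"ts": "2024-03-04T23:01:00", "user": "nurse.ortiz", "patient": "P001", "action": "view"}
{"ts": "2024-03-05T02:10:00", "user": "nurse.ortiz", "patient": "P004", "action": "view"}
{"ts": "2024-03-05T02:11:00", "user": "nurse.ortiz", "patient": "P005", "action": "view"}
{"ts": "2024-03-05T02:12:00", "user": "nurse.ortiz", "patient": "P006", "action": "view"}
{"ts": "2024-03-05T02:13:00", "user": "nurse.ortiz", "patient": "P007", "action": "view"}
"""

# Constructed roster: which users have a treatment, payment or operations
# reason to open each patient's record. Access outside this set is the
# "no permitted purpose" signal a breach investigation starts from.
CARE_TEAM = {
    "P001": {"dr.lee", "nurse.ortiz"},
    "P002": {"dr.lee"},
    "P003": {"billing.kim"},
    "P004": {"nurse.ortiz"},
    "P005": {"dr.patel"},
    "P006": {"dr.patel"},
    "P007": {"dr.patel"},
}

BUSINESS_HOURS = (7, 19)   # assumed local policy: 07:00-19:00
BULK_THRESHOLD = 4         # assumed: distinct patients per user per hour


def parse_log(text):
    """Parse one JSON record per line into dicts with a datetime 'ts', oldest first."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_suspicious_access(records, care_team, bulk_threshold=BULK_THRESHOLD):
    """Return (rule, user, detail, timestamp) findings that warrant investigation."""
    findings = []
    per_user = defaultdict(list)
    for rec in records:
        # Rule 1: access by someone with no relationship to the patient on file.
        if rec["user"] not in care_team.get(rec["patient"], set()):
            findings.append(("no-relationship", rec["user"], rec["patient"], rec["ts"]))
        # Rule 2: PHI leaving the system (export/print) outside business hours.
        hour = rec["ts"].hour
        if rec["action"] in ("export", "print") and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after-hours-export", rec["user"], rec["patient"], rec["ts"]))
        per_user[rec["user"]].append(rec)
    # Rule 3: one user touching many distinct patients inside a sliding one-hour window.
    for user, recs in per_user.items():
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= timedelta(hours=1)]
            patients = {r["patient"] for r in window}
            if len(patients) >= bulk_threshold:
                findings.append(("bulk-access", user, len(patients), start["ts"]))
                break   # one finding per user is enough to open an investigation
    return findings


def notification_deadlines(discovered, individuals_affected):
    """Outer limits under the Breach Notification Rule, counted from discovery.

    Individual notice: no later than 60 calendar days after discovery.
    HHS notice: same 60 days for 500+ individuals; otherwise within 60 days
    after the end of the calendar year in which the breach was discovered.
    'Without unreasonable delay' still applies; these are the latest dates.
    """
    individual = discovered + timedelta(days=60)
    if individuals_affected >= 500:
        hhs = individual
    else:
        hhs = date(discovered.year, 12, 31) + timedelta(days=60)
    return {"individuals": individual, "hhs": hhs}


if __name__ == "__main__":
    for f in find_suspicious_access(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(f)
    print(notification_deadlines(date(2024, 3, 5), individuals_affected=120))
```

On the constructed log this flags an after-hours export by the billing user, three record views by nurse.ortiz for patients not on that nurse's roster, and a bulk-access pattern for the same user; each is a lead for the risk assessment, not a breach determination by itself. The deadline helper only computes the outer limits; the individual notice must still go out without unreasonable delay once the assessment concludes a breach occurred.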
Individuals who believe their PHI has been breached should report the incident to the covered entity or business associate responsible. They should also monitor their financial accounts and medical records for any signs of fraudulent activity.
Civil monetary penalties are tiered by culpability, from violations the entity did not know about up to willful neglect that goes uncorrected. The statutory base amounts range from $100 to $50,000 per violation, with an annual cap of $1.5 million for all violations of an identical provision, and HHS adjusts these figures for inflation each year, so current amounts are higher. Criminal penalties are separate: the Department of Justice prosecutes knowingly obtaining or disclosing PHI in violation of HIPAA, with fines up to $250,000 and imprisonment for up to 10 years when the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Yes. A covered entity is liable for a breach caused by a business associate when the business associate was acting as its agent and within the scope of that agency, under the federal common law of agency. Whether a business associate is an agent turns on how much control the covered entity exercises over its work, not only on what the business associate agreement calls the relationship.