It is important to know what is considered a breach of HIPAA because Covered Entities are required to report breaches of HIPAA to affected individuals and the Department of Health and Human Services under the Breach Notification Rule. Covered Entities that fail to comply with the Breach Notification Rule – or fail to do so in a timely manner – can be issued substantial penalties.
The text of HIPAA is very clear about what is considered a breach of HIPAA. § 164.402 of the Breach Notification Rule defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.”
When a breach of HIPAA is identified, Covered Entities must notify affected individuals within sixty days. The notification must include a description of the breach, the nature of information that was acquired, accessed, used, or disclosed, and advice about what steps individuals should take to protect themselves from potential loss or harm.
The Department of Health and Human Services (HHS) also has to be notified within sixty days of breaches involving more than 500 individuals; or, if the breach involves fewer than 500 individuals, at the end of the calendar year. In breaches involving more than 500 individuals, Covered Entities are also required to notify prominent media outlets serving the location.
Business Associates are also required to comply with the Breach Notification Rule. When a breach of HIPAA is identified by a Business Associate, they are required to notify the Covered Entity for whom they are providing a service within sixty days. The notification to the Covered Entity must include the information necessary for the Covered Entity to comply with the Breach Notification Rule.
Exceptions to the Breach Notification Requirements
There are exceptions to what is considered a breach of HIPAA. These are when a workforce member or person acting under the authority of a Covered Entity or Business Associate accesses PHI unintentionally or discloses PHI inadvertently “in good faith”, and the unauthorized use or disclosure of PHI does not result in a further use or disclosure not permitted by the Privacy Rule.
It is also the case that a use or disclosure not permitted by the Privacy Rule is considered a breach of HIPAA unless the Covered Entity or Business Associate can demonstrate by way of a risk assessment that there is a low probability the security or privacy of PHI has been compromised. The risk assessment has to take into account the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired, accessed, used, or disclosed.
- The extent to which the risk to the security or privacy of PHI has been mitigated.
Since the passage of the HITECH Act in 2009, a burden of proof exists for Covered Entities and Business Associates to demonstrate that all notifications are made as required, or that a use or disclosure not permitted by the Privacy Rule was not considered a breach of HIPAA. Prior to HITECH, HHS had to prove harm had occurred due to a breach of HIPAA before taking enforcement action.
One further exception to the breach notification requirements is when breach notifications can be delayed beyond sixty days due to law enforcement involvement. However, this exception is subject to a Covered Entity and Business Associate acquiring documentation showing that a timely notification would impede a criminal investigation or cause damage to national security.
Is a Ransomware Attack Considered a Breach of HIPAA?
The definition of a HIPAA breach is often interpreted as “the acquisition, access, use, or disclosure of unsecured protected health information” – implying that, if PHI has been secured by encryption, a ransomware attack is not considered a breach of HIPAA. But that is not always the case. In 2021, HHS revised earlier guidance relating to the encryption of secured data in ransomware attacks.
The latest guidance notes that some methods of encryption decrypt PHI when a file is accessed by an authorized user. If a ransomware attack occurs while the file is still in use and the PHI decrypted, the PHI cannot be considered to have been secured and the ransomware attack is considered a breach of HIPAA that must be notified. HHS concludes that ransomware attacks are considered a breach of HIPAA on a “fact specific determination”.
What is the Difference between a Violation and a Breach?
Some sources conflate the terms violation and breach. It is important for Covered Entities and Business Associates to understand the difference between the two terms and what is considered a breach of HIPAA because, while HIPAA violations can be the cause of HIPAA breaches, only HIPAA breaches are reportable events.
Generally, a HIPAA violation is an event – or the lack of an event – that violates a HIPAA standard or implementation specification. A HIPAA violation could be something relatively minor, such as failing to implement physical safeguards to restrict workstation access to authorized users (which would be safe provided other safeguards are applied), or more serious, such as failing to respond to a patient access request in a timely manner.
The HHS Office for Civil Rights may find out about a HIPAA violation due to a patient complaint, an audit, or an investigation into a HIPAA breach, but HIPAA violations are not reportable events. Only events that meet the definition of a HIPAA breach are reportable – unless they fulfil one or more of the exceptions to the breach notification requirements.