What Are Reportable HIPAA Breaches? What Are the Exemptions?

Following the HIPAA breach notification requirements is a must for all HIPAA covered entities. This entails developing a breach response plan should a breach of protected health information occur. For covered entities that have yet to experience a heath data breach or just have began serving healthcare clients, they may not have a good working knowledge of the requirements. Nevertheless, failure to comply attracts financial penalty just the same.

According to the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), breaches involving electronic or physical copies of protected health information must be reported by covered entities and their business associates. A breach refers to the unauthorized acquisition, access, use or disclosure of protected health information. Reportable HIPAA breaches include ransomware attacks, improper disclosures, exposure of PHI, and unauthorized PHI access by employees and third parties. But there are PHI breaches that are exempted from the HIPAA Breach Notification Rule. These include:

• Breaches of secured PHI such as encrypted data without access to the key to unlock
• Unintentional (made in good faith) acquisition, access or use of PHI by an authorized person not resulting in further disclosure or use.
• Inadvertent disclosure of PHI by an authorized person to another equally authorized person within the organization
• When a covered entity or business associate disclosed PHI and has good faith that it was not retained by the person disclosed to.

In case that a reportable HIPAA breach occurred, the HIPAA Breach Notification Rule requires (1) notification by letter to all persons whose PHI have been accessed, disclosed, viewed or used; (2) notification of the Department of Health and Human Services Office; (3) notification of the media; (4) posting a substitute breach notice on the breach entity’s website; and (5) notification of the state attorney general.