The terms “violation” and “breach” are sometimes conflated in HIPAA-related discussions, and it is important for covered entities and business associates to understand the distinction between the two terms in order to respond appropriately to events considered a breach of HIPAA.
The distinction between what is considered a violation of HIPAA and what is considered a breach of HIPAA is quite clear. A violation of HIPAA is any event (or lack of event) that violates a HIPAA standard, while a breach of HIPAA is “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.” (See §164.402 for the full definition.)
Therefore, if a covered entity or business associate fails to comply with the training requirements, to document a risk assessment, or to respond to a right of access request (which some business associates are required to do), these events are violations of HIPAA that have not directly resulted in an impermissible use or disclosure of protected health information. Although most data breaches are attributable to a HIPAA violation, such events are not themselves considered a breach of HIPAA.
Additionally, when a HIPAA violation occurs, it is usually identified via a patient's complaint to the Department of Health & Human Services' Office for Civil Rights (OCR); whereas when an event considered a breach of HIPAA occurs, covered entities and business associates have a legal duty (under the HIPAA Breach Notification Rule) to inform OCR, the impacted individuals, and – in some cases – local media. The failure to comply with this legal duty is a further violation of HIPAA.
Reporting an Event Considered a Breach of HIPAA
When a HIPAA breach occurs, different procedures exist for reporting the event depending on the number of unsecured patient records impermissibly acquired, accessed, used, or disclosed. In all cases, affected individuals must be notified within 60 days of the breach being discovered. Data breach notifications must include a description of the breach, the type(s) of unsecured PHI impermissibly exposed, and advice on how individuals can protect themselves from loss or harm.
HIPAA breaches affecting fewer than 500 individuals must be reported to OCR at the end of each year. The notifications are submitted via the OCR portal and must explain the type of breach (IT incident, improper disposal, theft of device, etc.), the location of the breach (workstation, EMR, mobile device, etc.), the type(s) of PHI exposed, and the safeguards in place prior to the breach. Covered entities and business associates must also provide a brief description of the breach.
HIPAA breaches affecting more than 500 individuals must be reported to OCR within 60 days. Additionally, local media outlets must be notified of the breach, along with advice on how individuals can protect themselves from loss or harm, in case one or more affected individuals are not yet aware of the breach. In some states, it may also be necessary to notify the State Attorney General, who has the authority to pursue financial civil penalties in addition to any penalties imposed by OCR.
Exceptions to the Breach Reporting Requirements
There are some events which, despite being considered a breach of HIPAA, do not need to be reported to either the affected individual(s) or OCR. These occur when a workforce member or person acting under the authority of a covered entity or business associate accesses PHI inadvertently or discloses PHI incidental to a permissible use “in good faith”, and the impermissible access or disclosure does not result in further access or disclosure not permitted by the Privacy Rule.
It is also the case that when PHI is impermissibly acquired, accessed, used, or disclosed, but there is a low probability that the privacy of the patient or the security of the data has been compromised, covered entities and business associates do not have to report the breach. However, if a breach is not reported, the covered entity or business associate must conduct and document a risk assessment that includes:
- The nature of PHI involved in the breach.
- The likelihood of the PHI being re-used in breach of HIPAA.
- The integrity of the person(s) involved in the event.
- Whether unsecured PHI was actually acquired, accessed, used, or disclosed.
- The extent to which the risks to the patient's privacy or data security have been mitigated.
One further exception to the breach reporting requirements is that notifications of breaches can be delayed beyond the 60 days allowed due to the involvement of law enforcement agencies. This exception is dependent on the covered entity or business associate obtaining documentation demonstrating that a notification within the 60 days allowed may affect the investigation of a crime or represent a threat to national security.