HIPAA Breach Notification
The HIPAA Breach Notification Rule (45 CFR 164.400-414) requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. In practice this means a lost or stolen device whose ePHI is encrypted to that standard falls outside the notification requirement, while the same device unencrypted triggers it. Understanding these requirements is essential for effective incident response, because the clock starts at discovery, not at the end of your investigation.
What Constitutes a Breach
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, a low probability that the PHI has been compromised. The Rule also carves out three exceptions: unintentional acquisition, access, or use by a workforce member acting in good faith within the scope of their authority; inadvertent disclosure between persons at the same covered entity or business associate who are both authorized to access PHI; and disclosures where the entity has a good-faith belief the unauthorized recipient could not reasonably have retained the information. In each case the PHI must not be further used or disclosed impermissibly.
The Four-Factor Risk Assessment
When an impermissible use or disclosure occurs, you must conduct a risk assessment considering at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed, as opposed to merely exposed; and the extent to which the risk to the PHI has been mitigated. Only if this assessment demonstrates a low probability of compromise is the incident not a breach requiring notification. The burden of proof is on the entity, so a "no breach" conclusion is only as defensible as the documentation behind it.
Notification Requirements
Individual notification must be provided to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity other than the person who committed it. Notification must be in writing, sent by first-class mail, or by email if the individual has agreed to electronic notice. Where contact information is insufficient or out of date for 10 or more individuals, substitute notice is required, either a conspicuous posting on the entity's web site for 90 days or notice in major print or broadcast media, in both cases with a toll-free number active for at least 90 days.
HHS notification is required for all breaches of unsecured PHI. For breaches affecting 500 or more individuals, HHS must be notified contemporaneously with individual notice, without unreasonable delay and no later than 60 days after discovery. For breaches affecting fewer than 500 individuals, the entity keeps a log and submits it to HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered.
Media notification is required when a breach involves more than 500 residents of a single state or jurisdiction. Note the different threshold: HHS notice is triggered at 500 or more individuals in total, while media notice is triggered at more than 500 residents of one state or jurisdiction. Notification must be provided to prominent media outlets serving that state or jurisdiction without unreasonable delay and no later than 60 days after discovery.
Business Associate Obligations
Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery, including, to the extent possible, the identity of each affected individual and any other information the covered entity needs for its own notices. Where the business associate acts as the covered entity's agent, the business associate's discovery is imputed to the covered entity, so the covered entity's 60-day clock starts at the same moment. Because the covered entity is the one that must ultimately notify individuals, the business associate agreement should specify a notification timeline shorter than the regulatory maximum, along with the information to be provided and the contacts to be used.
Breach Response Best Practices
Maintain a documented incident response plan that includes HIPAA-specific procedures: who performs the four-factor risk assessment, who approves the breach determination, and who owns each notification. Train your workforce to recognize and report potential breaches immediately, since the discovery clock starts when any workforce member knew or should have known. Document every step of your investigation and risk assessment, including incidents you conclude are not breaches, and retain those records for six years as the Rule requires. Encrypt ePHI at rest and in transit consistent with HHS guidance so that lost or stolen devices and media fall outside the definition of unsecured PHI. Engage legal counsel early for significant incidents, and track state breach notification laws, which may impose shorter deadlines or additional recipients.
In the next lesson, we will cover business associate requirements.