The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities and business associates to provide notification following a breach of unsecured protected health information. A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.
## What Constitutes a Breach?
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following four factors:
- Nature and extent of PHI involved — Including the types of identifiers and the likelihood of re-identification
- The unauthorised person — Who used the PHI or to whom the disclosure was made
- Whether PHI was actually acquired or viewed — As opposed to the opportunity to do so
- Extent of risk mitigation — The extent to which risk to the PHI has been mitigated
## Breach Notification Timelines
| Notification To | Threshold | Deadline |
|---|---|---|
| Affected Individuals | All breaches of unsecured PHI | Without unreasonable delay, no later than 60 days after discovery |
| HHS (large breaches) | 500 or more individuals affected | Without unreasonable delay, no later than 60 days after discovery |
| HHS (small breaches) | Fewer than 500 individuals affected | Annual log submitted within 60 days of the end of the calendar year |
| Prominent Media | 500 or more individuals in a state or jurisdiction | Without unreasonable delay, no later than 60 days after discovery |
| Covered Entity (from BA) | All breaches discovered by a business associate | Without unreasonable delay, no later than 60 days after discovery by the BA |
## Managing Breaches in Venvera
The Breach Notification module helps you track the full lifecycle of each breach:
- Detected — Breach identified or reported (start of the 60-day clock)
- Risk Assessment — Perform the four-factor risk assessment to determine probability of compromise
- Investigating — Determine scope, affected individuals, and PHI categories involved
- Contained — Immediate measures taken to stop the breach and prevent further exposure
- Notifying — Individual, HHS, and media notifications issued as required
- Resolved — Root cause addressed, remediation complete
- Closed — Post-incident review completed, lessons learned documented
## Exceptions to the Breach Definition
Three exceptions exist where an impermissible use or disclosure does not constitute a breach:
- Unintentional access by a workforce member acting in good faith within the scope of authority, with no further impermissible use or disclosure
- Inadvertent disclosure from one authorised person to another at the same covered entity or business associate
- Good faith belief that the unauthorised person would not reasonably be able to retain the information