What is a Breach Notification?

HIPAA was passed in 1996. However, it was not until 2006 that the Department of Health and Human Services (HHS) issued the HIPAA Enforcement Rule, which authorized the Office for Civil Rights (OCR) to fine non-compliant entities. In 2009, following the HITECH Act, HHS added the Breach Notification Rule. Under this rule, covered entities and business associates are required to notify affected individuals and HHS (and, for larger breaches, the media) of a breach of unsecured protected health information (PHI). What a breach notification looks like depends on whom the covered entity is required to inform, which in turn depends on the number of individuals affected. The question of what is a breach notification is discussed below.

What is a Breach Notification: The Notice Requirements

The HIPAA breach notification rule requires covered entities, following the discovery of a breach of unsecured PHI, to notify each person whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

The notification must be in writing (by first-class mail, or by email if the individual has agreed to electronic notice), and must be provided without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. The 60 days is an outer limit, not a grace period: a covered entity that has the information it needs to notify sooner is expected to do so.


The key item to focus on when addressing the question of what is a breach notification is what kind and level of detail the notification must include. The HIPAA breach notification rule requires that a notice to individuals include five components:

  1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. If a covered entity does not know the date of discovery, and cannot give a reasonable estimate, the covered entity should indicate that it does not know the date of discovery, instead of “guessing” a date.
  2. A description of the types of unsecured protected health information involved in the breach. The rule’s own examples of such types include full name, Social Security number, date of birth, home address, account number, diagnosis, and disability code. (The list of 18 identifiers often cited in this context comes from the Safe Harbor de-identification standard; it is a useful checklist of identifying data elements, but PHI is any individually identifiable health information, not only those 18 fields.) The notice must list each type of PHI that was exposed by the breach, without reproducing the compromised data itself.
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach. The Federal Trade Commission (FTC) provides suggestions as to how to word this component:
    • If the breach puts people at risk for identity theft or other possible harm, then, according to the FTC, the advice as to steps to take must be relevant to the kind of information that was compromised. Covered entities should consider referring people to the FTC’s identity theft website, www.ftc.gov/idtheft. This resource allows individuals to report and recover from identity theft.
    • If the breach involves health insurance information, the covered entity might suggest that individuals contact their healthcare providers if bills don’t arrive on time, in case an identity thief has changed the billing address. The FTC also advises, in cases where the breach involves health insurance information, that individuals pay attention to the Explanation of Benefit forms from their insurance company to check for irregularities. If an individual discovers an irregularity or error, the individual should contact their health plan to notify the plan of possible medical identity theft or to ask for a new account number.
    • If the breach includes Social Security numbers, the covered entity might suggest that individuals obtain a free copy of their credit report from www.annualcreditreport.com, monitor the report for signs of identity theft, and place a fraud alert on their credit file. If individuals spot accounts or activity they do not recognize, they should report the identity theft to the FTC and, where appropriate, file a police report and place a credit freeze with each of the nationwide credit bureaus (a freeze is placed with the bureaus, not with the card issuers).
    • If the breach includes financial information, such as a credit card or bank account number, the covered entity might suggest that individuals monitor credit card and bank accounts for suspicious activity. Covered entities might also suggest that individuals should contact their financial institutions about closing any accounts that may have been compromised.
  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches. Here, the covered entity should describe what steps it has taken, or will soon take, to protect individuals’ PHI from further harm or similar circumstances. Such steps may include the covered entity’s having:
    • Initiated a forensics security investigation;
    • Filed a police report on [list date];
    • Initiated a criminal investigation;
    • Disciplined employees/providers by suspension/termination of employment/staff privileges;
    • Addressed technology updates or changes triggered by the incident to improv