What is a PHI Breach?
By definition, a PHI breach is “the acquisition, access, use, or disclosure of protected health information [by a covered entity or business associate] in a manner not permitted under [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.”
When is an Impermissible Use or Disclosure Presumed to be a PHI Breach?
Not every impermissible use or disclosure of protected health information is a PHI breach. Under the Privacy Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate that the probability that the PHI has been compromised is low. This demonstration must be based on a risk assessment consisting of at least the four following elements:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
There are three exceptions to the definition of “breach”:
- The unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
- “Good faith” means without innocently and without ill intent.
- The inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate, to either:
- Another person authorized to access protected health information at the covered entity or business associate, or
- An organized healthcare arrangement in which the covered entity participates.
- The covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Do Covered Entities Have to Provide PHI Breach Notification?
Similarly to how not all impermissible uses or disclosures are a breach, covered entities and business associates are not required to provide notification (to individuals, to HHS, or to the media, as appropriate) whenever there is a PHI breach.
Rather, covered entities and business associates need only provide the required PHI breach notifications if the PHI breach involves unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services guidance.
When Must Breach Notification be Provided?
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by email if the affected individual has agreed to receive such notices electronically.
If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must, in addition to notifying affected individuals, notify the Secretary of the Department of Health and Human Services of the breach without unreasonable delay, and in no case later than 60 calendar days from the discovery of the breach. Covered entities that experience an unsecured PHI breach affecting more than 500 residents of a State or jurisdiction must, in addition to notifying the affected individuals and HHS, provide notice to prominent media outlets serving the relevant state or jurisdiction. Covered entities can provide this notification in the form of a press release to appropriate media outlets serving the affected area.
If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must, in addition to notifying affected individuals, notify the Secretary of the Department of Health and Human Services within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered).
Do Business Associates Have to Provide PHI Breach Notification?
Following their discovery of a breach, business associates must notify covered entities if an unsecured PHI breach occurs at or by the business associate.
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified (per the timeline above), the covered entity may delegate the responsibility of providing individual notices to the business associate (the covered entity is not required to do this, however).
Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
Regardless of which entity provides the individual notice, the same deadlines as those stated above for covered entities above apply.
In addition, regardless of who notifies individuals, the business associate, under HIPAA, must provide notice of a breach to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. This notification must be provided, among other reasons, simply so that the covered entity can monitor and track the business associate’s job performance; a BA cannot “hide” a breach from its contract partner, the covered entity.
To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach, as well as any other available information required to be provided by the covered entity in its notification to affected individuals.