
The Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation that was implemented in 1996 and is overseen by the U.S. Department of Health and Human Services (HHS). Its main purpose is to ensure that patients’ private health information cannot be disclosed or shared without their consent.

Since its introduction, HIPAA has evolved. Additional provisions, known as Rules, were created to outline more specific aspects of handling protected health information (PHI), such as the Security Rule and the Privacy Rule.

Another significant Rule is the Breach Notification Rule. While other HIPAA rules emphasize precautions and safeguards to prevent incidents, this one is reactive and primarily focuses on what organizations must do after a breach has happened.

In this guide, we’ll break down everything you need to know about the Breach Notification Rule by covering the following:

  • What the Breach Notification Rule is
  • What constitutes a breach
  • Who needs to comply
  • Compliance requirements

What is the HIPAA Breach Notification Rule?

The Breach Notification Rule was introduced and put into force in 2009 as part of the HITECH Act, which strengthened HIPAA’s Security and Privacy provisions. The Rule defines what constitutes a breach, how to assess risk if one occurs, and the timeline for reporting it.

The Rule focuses on breaches involving PHI, which refers to any individually identifiable information that a covered entity (CE) or business associate (BA) creates, stores, or transmits in connection with healthcare services or payment.

Since its introduction, the Rule hasn’t changed much, apart from several clarifications it received in the 2013 HIPAA Omnibus Rule, such as:

  • Expanded criteria for what constitutes a breach
  • Extended breach reporting obligations to subcontractors of BAs


What constitutes a breach?

Under the Breach Notification Rule, a breach is any impermissible use or disclosure of unsecured PHI that may affect its security or privacy. 

Unsecured PHI is any PHI that hasn’t been made unusable, unreadable, or indecipherable to unauthorized individuals through the following methods outlined by the HHS:

  • Encryption that meets standards prescribed by NIST 800-111 for data at rest or NIST 800-52 for data in transit
  • Destruction or purging of physical media so that the PHI cannot be reconstructed or accessed (note that the HHS specifies that simply redacting information is not considered a valid method)

If you suspect a breach has occurred, you must conduct a risk assessment to determine whether any PHI has been compromised. This evaluation should consider at least the following four factors:

  1. The nature and the extent of the involved PHI, including identifiers and the likelihood of re-identification
  2. Who accessed the information, and to whom it was disclosed
  3. Whether the PHI has been accessed or viewed
  4. The degree to which the risk to PHI was mitigated

If the risk assessment shows that there is a low chance that PHI was compromised, the incident isn’t considered a breach.

There are three exceptions to what constitutes a breach:

  1. Unintentional access by an authorized individual, such as an employee accessing PHI in good faith and within authority, without misusing it
  2. Inadvertent disclosure between authorized individuals, where both are part of the same entity and have authorization
  3. Disclosure to an unauthorized person who does not retain or use the information, based on a good faith belief that the information cannot be further used or disclosed

“The most common PHI security failure is not conducting a risk assessment to detect workflow failures that may include unauthorized access to healthcare records. Organizations should also regularly audit encryption protocols used for email communication and sharing.”

Jill Henriques

Who needs to comply?

The Breach Notification Rule applies to all covered entities, such as health plans, healthcare clearinghouses, and healthcare providers, as part of full HIPAA compliance.

The 2013 Omnibus Rule update expanded this requirement to business associates—entities that handle PHI on behalf of covered entities, such as IT providers and billing services.

A BA’s reporting obligations are slightly different from those of covered entities. If a BA experiences a breach involving unsecured PHI, it must notify the covered entity within 60 days of discovery.

These requirements can be adjusted in a business associate agreement (BAA). For example, a covered entity may specify a shorter notification timeline or fully delegate reporting responsibilities to the BA.

It’s also important to note that both the covered entity and the business associate must keep thorough documentation as proof that they’ve adhered to the Rule’s requirements. This includes records of any risk assessments performed to determine if a breach happened, as well as evidence that breach notifications were sent. Failure to comply with this requirement constitutes a HIPAA violation.

The Breach Notification Rule is enforced by the HHS Office for Civil Rights (OCR). Depending on the severity of the violation and the OCR’s assessment, consequences may include non-punitive action, financial penalties, or criminal charges.


Breach Notification Rule compliance requirements

If your organization experiences a breach, you’ll have to issue several notices depending on whether you are a covered entity or a business associate, the amount of information involved, and the number of individuals affected. Notices may include:

  1. Notifying the covered entity (if you are a business associate)
  2. Notifying affected individuals
  3. Informing the HHS Secretary
  4. Issuing a media notice

We’ll cover the specific criteria, reporting procedures, and what the notices should contain in the sections below.

1. Notifying the covered entity

Business associates that discover a breach involving unsecured PHI must notify the covered entity within 60 days of discovery.

2. Notifying affected individuals

Covered entities that discover a breach involving unsecured PHI must notify all affected individuals within 60 days of discovery. This notification can be sent either by physical first-class mail or by email (if the entity has permission from the individual).

These notices must be written in plain language and explain:

  • Information about the breach
  • A description of impacted PHI
  • An explanation of the steps the covered entity is taking to mitigate harm
  • A summary of the steps the covered entity will take to prevent future breaches
  • Steps individuals can take to minimize potential harm

If the covered entity has outdated information for 10 or more affected individuals, it must take additional steps to notify them, such as:

  • Posting a notice on its homepage for at least 90 days
  • Providing a notice to major print and broadcasting media in the area where the affected individuals most likely live

Covered entities should also set up a toll-free telephone line so individuals can call to find out if they were affected by the breach and get more information.

If the breach happens through a BA, the covered entity may delegate notification duty depending on who has a relationship with the affected individuals and the services the BA provides.

3. Informing the HHS Secretary

In addition to notifying affected individuals, covered entities must also report breaches involving unsecured PHI to the HHS Secretary by filling out a breach report form through the HHS breach reporting portal.

Reporting timelines depend on how many individuals were affected by the breach:

  • If more than 500 individuals were affected, covered entities must notify the Secretary within 60 days of discovery, without unreasonable delay. These breaches are publicly listed on the HHS breach portal.
  • If fewer than 500 individuals were affected, entities must send a notice to the Secretary within 60 days of the end of the calendar year when the breach happened, though reporting it early is allowed. Although entities can submit all reports for a single year simultaneously, they must file separate notices for each incident.

4. Media notice

When a breach affects more than 500 individuals in a state or jurisdiction, the covered entity must also issue a media notice to prominent local outlets, in addition to informing affected individuals and the HHS.

This requirement is particularly significant because entities may not have up-to-date contact information about all affected individuals. A media notice also has a broader reach—with it, covered entities can ensure that the maximum possible number of impacted individuals are made aware of their PHI being exposed.

The most common method of issuing this notice is through a press release to appropriate media outlets. 

As with individual notices, covered entities should send a media notice within 60 days of discovering the breach and include the same key details. Note that a media notice does not replace individual notices.
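The four notices above, their recipients, and their 60-day windows form a small decision procedure that an incident-response team needs to get right on day one of a breach. The following Python script is an added example written for this guide, not Vanta’s code or a tool the page describes: it encodes the thresholds and deadlines exactly as stated in the sections above (BA to covered entity within 60 days of discovery; individuals within 60 days; HHS within 60 days of discovery for more than 500 affected, otherwise within 60 days of the end of the calendar year; media notice per state or jurisdiction with more than 500 affected; substitute notice when contact details are stale for 10 or more people). The field names, the `entity_type` strings, the constructed scenario, and the default of using the discovery year when no occurrence date is given are assumptions of the example; the page words the HHS thresholds as “more than 500” and “fewer than 500”, so the exact-500 boundary is treated here as the annual-report bucket, an assumption to confirm against the regulation text before relying on it.

```python
"""Breach Notification Rule obligation planner (added example, not Vanta's code).

Turns the notices, recipients and 60-day windows described in the article into
a decision procedure that returns concrete deadlines for a discovered breach.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW = timedelta(days=60)   # "within 60 days of discovery"
LARGE_BREACH = 500                   # article: "more than 500 individuals"
SUBSTITUTE_NOTICE_MIN = 10           # article: outdated info for "10 or more"
SUBSTITUTE_POSTING_DAYS = 90         # homepage notice "for at least 90 days"


@dataclass
class BreachFacts:
    entity_type: str                      # assumed values: "covered_entity" | "business_associate"
    discovered_on: date
    affected_total: int
    affected_by_jurisdiction: Dict[str, int] = field(default_factory=dict)
    stale_contacts: int = 0               # individuals whose contact details are outdated
    occurred_on: Optional[date] = None    # assumption: defaults to the discovery date


@dataclass
class Obligation:
    notice: str
    recipient: str
    deadline: date
    note: str = ""


def end_of_year_window(year: int) -> date:
    """60 days after the end of the calendar year in which the breach happened."""
    return date(year, 12, 31) + NOTICE_WINDOW


def notification_obligations(facts: BreachFacts) -> List[Obligation]:
    """Return every notice the article requires for these facts, with its deadline."""
    if facts.entity_type not in ("covered_entity", "business_associate"):
        raise ValueError(f"unknown entity type: {facts.entity_type}")
    from_discovery = facts.discovered_on + NOTICE_WINDOW
    breach_year = (facts.occurred_on or facts.discovered_on).year
    obligations: List[Obligation] = []

    if facts.entity_type == "business_associate":
        # A BA reports to the covered entity; the BAA may shorten this window
        # or delegate the downstream notices to the BA.
        obligations.append(Obligation("breach notice", "covered entity", from_discovery,
                                      "BAA may set a shorter timeline"))
        return obligations

    # Covered entity: plain-language notice to every affected individual.
    obligations.append(Obligation("individual notice", "affected individuals", from_discovery,
                                  "first-class mail, or email with the individual's permission"))

    # HHS Secretary: timing depends on how many individuals were affected.
    if facts.affected_total > LARGE_BREACH:
        obligations.append(Obligation("HHS breach report", "HHS Secretary", from_discovery,
                                      "listed publicly on the HHS breach portal"))
    else:
        # Assumption: exactly 500 falls in this annual-filing bucket.
        obligations.append(Obligation("HHS breach report", "HHS Secretary",
                                      end_of_year_window(breach_year),
                                      "annual filing; one report per incident, early filing allowed"))

    # Media notice: per state or jurisdiction with more than 500 affected.
    for jurisdiction, count in sorted(facts.affected_by_jurisdiction.items()):
        if count > LARGE_BREACH:
            obligations.append(Obligation("media notice", f"prominent outlets in {jurisdiction}",
                                          from_discovery, "does not replace individual notices"))

    # Substitute notice when contact details are stale for 10 or more people.
    if facts.stale_contacts >= SUBSTITUTE_NOTICE_MIN:
        obligations.append(Obligation("substitute notice", "individuals with stale contact info",
                                      from_discovery,
                                      f"homepage posting for {SUBSTITUTE_POSTING_DAYS}+ days or "
                                      "local media; toll-free line for inquiries"))
    return obligations


def overdue(obligations: List[Obligation], today: date) -> List[Obligation]:
    """Obligations whose deadline has already passed as of `today`."""
    return [o for o in obligations if o.deadline < today]


if __name__ == "__main__":
    # Constructed scenario: a provider discovers a breach on 10 March 2024
    # affecting 1,200 people, 900 of them in one state, with 12 stale addresses.
    facts = BreachFacts("covered_entity", date(2024, 3, 10), 1200,
                        {"CA": 900, "NV": 300}, stale_contacts=12)
    for o in notification_obligations(facts):
        print(f"{o.deadline}  {o.notice:18} -> {o.recipient}  ({o.note})")
```

The `overdue` helper is the piece worth wiring into a ticketing or compliance tracker: run it daily against the open obligations and the documentation requirement described earlier (proof that each notice went out) becomes a record you can point to rather than a recollection.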


Potential compliance challenges

The Breach Notification Rule requires covered entities to identify, assess, and report breaches within strict deadlines, but it doesn’t specify how to track or manage these tasks. This can make achieving compliance challenging, especially for smaller and resource-constrained organizations.

Meeting these tight timelines requires intense workflows, including determining whether a breach occurred, continuously monitoring for incidents, and preparing thorough documentation as proof of compliance.

Handling these tasks manually can put significant pressure on teams, introducing potential risks of oversights, delays, and other inefficiencies. Organizations may also struggle to identify the complexity and scope of a data breach within the required time frame. You can mitigate this risk by implementing a dedicated compliance solution that can automate a large part of the process.

Achieve HIPAA compliance with Vanta

Vanta is an end-to-end trust management platform that streamlines your path to HIPAA compliance by providing guidance and resources across documentation, policy templates, and pre-built technical controls. Vanta also saves you time and resources by automating up to 85% of all necessary HIPAA workflows.

The platform offers a dedicated HIPAA product that includes various helpful features, such as:

  • Ready-to-use templates for 20+ documents
  • An in-app editor for policy templates
  • A unified dashboard to track all your HIPAA controls
  • A built-in guidance and training solution
  • Automated evidence collection powered by 375+ integrations

If you’ve achieved compliance with other relevant frameworks such as SOC 2 or ISO 27001, Vanta can cross-map your existing controls to HIPAA’s requirements, eliminating duplicative work and speeding up HIPAA compliance further.

To support your HIPAA compliance efforts, Vanta also offers training videos developed in-house by our security and compliance experts. These cover key HIPAA topics relevant to breach management and compliance, including:

  • Reporting potential incidents
  • HIPAA violations and consequences
  • Security best practices
  • Protecting patient data and sensitive information
  • Verification and confirming authorization

Schedule a custom demo to explore Vanta’s features and see firsthand how they can streamline your HIPAA compliance efforts.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

Written by Vanta
Reviewed by Tim Blair, Sr. Manager, GTM GRC SMEs