HIPAA has specific requirements for reporting breaches of Protected Health Information. How do you identify a breach, and how do you know whether you need to report a breach?

Protected Health Information Asset Management

You should have a list of all places that protected health information resides within your office, your network, and your systems – and any business associates you work with. Ideally, you should also know which records are located where, so that when it does come time for notification, you’re ready. If there is a loss, theft, or attack, you know if that system had PHI on it or not, and can act appropriately. Being able to identify a breach becomes easier when you have all of this information.

What is a Breach?


First, a breach is “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.” (45 CFR 164.402)

There are 3 statutory exceptions to a breach:

  1. “unintentional acquisition, access or use of protected health information by a workforce member… if it was made in good faith, within the scope of their authority, and does not result in further use or disclosure in a manner not permitted by the Privacy Rule” (Omnibus)
  2. “inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate…” (Omnibus)
  3. “where a covered entity or a business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.” (Omnibus)

And then there is what I like to call the “opt-out”: a breach didn’t happen if the information was “secured” using specific technologies and methodologies, i.e. encryption or destruction (13402(h) of the HITECH Act). So, as long as your protected health information is encrypted and cannot be decrypted by whoever took it, its theft is not a breach.

It’s a “breach”, now what?

The Omnibus rule sets out four specific factors that your risk assessment must address to determine whether a reportable breach occurred:

  1. The nature and extent of the PHI. What was the data exposed? How many records were exposed? Was the data copied or merely viewed?
  2. The unauthorized person. Who accessed the data? Was it an employee or was it another patient or an unknown attacker?
  3. Whether the PHI was actually acquired or viewed. Was the data actually accessed? Could the unauthorized person see the data? Was it encrypted or in plain text?
  4. Any risk mitigation in place. What else is in place to protect the data? Was the unauthorized employee under NDA? Is there a confidentiality agreement with the business associate? Is the file password protected (if not encrypted)?

If, after all of these factors are considered, there is a low probability that PHI has been compromised, then it’s not a reportable breach. But the covered entity or business associate is responsible for making that determination.

The Department of HHS will assume it’s a reportable breach unless and until the covered entity and/or business associate proves otherwise. Of course, there’s a strong incentive for a breach to be “non-reportable”: notifications cost time and money that the entity or business associate does not want to spend. And, without an audit or complaint, no one will ever know that a “breach” occurred and was not reported. Nevertheless, any covered entity or business associate would be well served to maintain records of every risk assessment it performs. Not notifying HHS of a breach can result in hefty fines and penalties, and the ability to identify a breach accurately and quickly is important to avoiding some of them.


Covered entities are responsible for notifying affected customers, although they may have contracted the notification to the business associate which caused/identified the breach. Business associates are not required to report a breach to the public, but their contracts with their covered entities will dictate when they need to report a breach, since the covered entity is still responsible for reporting the breach. Check any contracts that are in place between covered entities and business associates for timeframes. Covered entities must report the breach within 60 days of when it should have reasonably been known that the breach occurred.
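The steps above (check the PHI inventory, apply the encryption opt-out, work through the four factors, keep a record, and track the 60-day window) fit naturally into a small triage script. The following is an added example written for this page, not the author's tooling or any official HHS guidance: the system names and findings are constructed, and the defaults it applies (an unknown system, or an incomplete assessment, is treated as reportable) are my assumptions that mirror the text's point that HHS presumes a breach is reportable until shown otherwise.

```python
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta
from typing import List, Optional
import json

# Constructed sample PHI inventory (hypothetical system names, not from the page):
# for each system, whether it holds PHI and whether that PHI is encrypted in a way
# the thief cannot undo (the "secured" condition the text calls the opt-out).
INVENTORY = {
    "billing-db-01":       {"contains_phi": True,  "encrypted": True,  "key_exposed": False},
    "frontdesk-laptop-07": {"contains_phi": True,  "encrypted": False, "key_exposed": False},
    "marketing-web-02":    {"contains_phi": False, "encrypted": False, "key_exposed": False},
}

# From the text: covered entities must report within 60 days of when the breach
# should reasonably have been known.
NOTIFICATION_WINDOW = timedelta(days=60)

# The four Omnibus risk-assessment factors, in the order the text lists them.
FACTOR_NAMES = (
    "nature and extent of the PHI",
    "the unauthorized person",
    "whether the PHI was actually acquired or viewed",
    "risk mitigation in place",
)


@dataclass
class Factor:
    name: str
    finding: str      # what the reviewer established (free text for the record)
    low_risk: bool    # reviewer's conclusion for this factor


@dataclass
class Assessment:
    system: str
    known_on: str     # ISO date the breach should reasonably have been known
    outcome: str      # "no_phi", "secured", "not_reportable" or "reportable"
    reason: str
    factors: List[Factor] = field(default_factory=list)
    notify_by: Optional[str] = None   # ISO date, only set when reportable


def assess(system: str, known_on: str, factors: List[Factor]) -> Assessment:
    """Apply the page's decision steps to one incident and return a record of it.

    Assumed policy (not stated on the page): anything that cannot be shown to be
    secured or low-probability is treated as reportable.
    """
    deadline = (date.fromisoformat(known_on) + NOTIFICATION_WINDOW).isoformat()
    asset = INVENTORY.get(system)

    if asset is None:
        return Assessment(system, known_on, "reportable",
                          "system is not in the PHI inventory, so PHI exposure cannot be ruled out",
                          list(factors), deadline)
    if not asset["contains_phi"]:
        return Assessment(system, known_on, "no_phi",
                          "inventory shows no PHI on this system", list(factors))
    # 13402(h) opt-out as described in the text: encrypted and cannot be decrypted.
    if asset["encrypted"] and not asset["key_exposed"]:
        return Assessment(system, known_on, "secured",
                          "PHI was encrypted and the key was not exposed; not a breach",
                          list(factors))

    # Unsecured PHI: all four factors must be documented before a low-probability
    # conclusion is accepted (assumption: an incomplete assessment stays reportable).
    documented = {f.name for f in factors}
    if set(FACTOR_NAMES) - documented:
        missing = ", ".join(n for n in FACTOR_NAMES if n not in documented)
        return Assessment(system, known_on, "reportable",
                          f"risk assessment incomplete (missing: {missing})",
                          list(factors), deadline)
    if all(f.low_risk for f in factors):
        return Assessment(system, known_on, "not_reportable",
                          "all four factors indicate a low probability that PHI was compromised",
                          list(factors))
    return Assessment(system, known_on, "reportable",
                      "at least one factor does not support a low-probability finding",
                      list(factors), deadline)


def to_record(a: Assessment) -> str:
    """Serialise the assessment so it can be kept as evidence of the determination."""
    return json.dumps(asdict(a), indent=2)


if __name__ == "__main__":
    # Constructed example: an unencrypted laptop, found missing on 10 Jan 2024.
    findings = [
        Factor(FACTOR_NAMES[0], "full patient list, about 200 records", False),
        Factor(FACTOR_NAMES[1], "unknown; device stolen from a car", False),
        Factor(FACTOR_NAMES[2], "plain text, readable by anyone holding the device", False),
        Factor(FACTOR_NAMES[3], "screen lock only", False),
    ]
    print(to_record(assess("frontdesk-laptop-07", "2024-01-10", findings)))
```

The inventory lookup is what makes the first two outcomes instant: if you already know which systems hold PHI and which of those are encrypted, a stolen device is classified before the four-factor review even starts. Every outcome, including the "not a breach" ones, is written out as a record, which is the evidence you would want on hand if an audit or complaint later questions the determination.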

If you are a business associate, notify your clients/customers as soon as you suspect a breach – even if you’re not sure that it’s a breach. This allows you to work as a team to identify a breach and identify what notifications are required and when.