What is Breach Notification?
Breach notification is the process of informing affected individuals, regulatory authorities, and in some cases the media when a breach of Protected Health Information (PHI) occurs. Under HIPAA, the Breach Notification Rule (established by the HITECH Act and finalized in the 2013 Omnibus Rule) sets specific requirements for when and how notifications must be made.
What constitutes a breach
Under HIPAA, a breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. There is a presumption that any impermissible use or disclosure is a breach unless the organization can demonstrate a low probability that PHI was compromised based on a four-factor risk assessment:
- Nature and extent of PHI — what types of identifiers and information were involved
- Unauthorized person — who impermissibly used or received the PHI
- Whether PHI was actually acquired or viewed — as opposed to merely being accessible
- Extent of risk mitigation — what steps were taken to reduce the risk of harm
Notification requirements
Individual notification — covered entities must notify each affected individual whose PHI was breached. Notification must be:
- In writing, sent by first-class mail (or email if the individual has agreed to electronic communication)
- Provided without unreasonable delay and no later than 60 days after discovery of the breach
- Inclusive of a description of the breach, types of information involved, steps individuals should take, what the organization is doing in response, and contact information
HHS notification — covered entities must notify the Department of Health and Human Services:
- For breaches affecting 500 or more individuals: notification must occur within 60 days, and these breaches are posted on the HHS "Wall of Shame"
- For breaches affecting fewer than 500 individuals: notification may be submitted annually
Media notification — for breaches affecting 500 or more individuals in a single state or jurisdiction, the covered entity must notify prominent media outlets in that area within 60 days.
Business associate notification — business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. The covered entity is then responsible for individual, HHS, and media notifications.
Exceptions to breach notification
Three narrow exceptions exist where an impermissible disclosure does not require notification:
- Unintentional access by a workforce member acting in good faith within the scope of their authority
- Inadvertent disclosure between authorized persons within the same organization
- The recipient would not reasonably be able to retain the information
Preparing for breach notification
Organizations should prepare before a breach occurs by:
- Developing a breach response plan — defining roles, responsibilities, and procedures for breach investigation and notification
- Establishing an incident response team — identifying who will lead the response, including legal counsel, communications, IT, and compliance
- Creating notification templates — pre-drafting notification letters that can be customized quickly
- Training workforce members — ensuring employees know how to recognize and report potential breaches
- Maintaining contact information — keeping current contact information for affected individuals
Penalties for failure to notify
Failure to provide timely breach notification can result in additional HIPAA penalties on top of penalties for the underlying breach. The tiered penalty structure applies, with willful neglect to notify carrying the highest fines.
How episki helps
episki provides breach notification workflows that guide your team through the investigation, risk assessment, and notification process. The platform tracks timelines to ensure notifications are made within HIPAA-required deadlines and maintains documentation of all breach-related activities. Learn more on our HIPAA compliance page.