The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to notify affected individuals after a breach of unsecured protected health information.
Under section 13407 of the HITECH Act, vendors of personal health records and their third-party service providers are subject to similar breach notification provisions, which the Federal Trade Commission (FTC) has implemented and enforces.
Definition of Breach
A breach is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, can demonstrate that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:
The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed;
The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, may choose to provide the required breach notification after an impermissible use or disclosure without first performing a risk assessment of the probability that the protected health information has been compromised.
There are three exceptions to the definition of "breach". The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of that authority.
The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access it at a covered entity or business associate to another person authorized to access it at the same covered entity or business associate, or within an organized health care arrangement in which the covered entity participates.
In both cases, the information must not be further used or disclosed in a manner not permitted by the Privacy Rule.
The third exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.