HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule was enacted in 2009 as part of the HITECH Act. Upon discovery of a breach of “unsecured” PHI, covered entities, and their business associates as applicable, MUST make the proper notifications in accordance with HITECH and any applicable federal or state notification laws. The Omnibus 2013 Final Rule adopted much of the interim rule; however, there are some variations between the interim rule and the final rule.

A significant change is that all impermissible uses or disclosures of PHI are “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” – Omnibus Final Rule page 306

Additionally, the focus has been changed from the “harm” standard to “the risk that the PHI has been compromised”. As such, IF the risk assessment demonstrates a low probability of PHI being compromised, then a breach notification is no longer required.

Penalties for breaches depend on several factors, including the severity of the breach. For both privacy and security violations, they range from civil penalties of $100 per violation to criminal penalties of up to $1,500,000.00 per identical violation and/or 10 years imprisonment for knowing or willful disclosure or misuse of information. This penalty cap applies even to those who “did not know” the breach was taking place, UNLESS they correct the violation within 30 days from the “first date the person liable for the penalty knew, or by exercising reasonable diligence would have known”.

Also included in the 30-day period for corrections is the provision “or during a period determined appropriate by the Secretary based upon the nature and extent of the entity’s failure to comply.”

Due to numerous questions regarding the ‘fairness’ of issuing penalties when the entity did not know, the Omnibus Rule included clarification on this matter. The following affirmative defenses have been added:

  • Penalties may be waived if the Secretary of HHS deems that they would be excessive given the specific situation.
  • Providers who believe the amount is unfair have the right to appeal the decision.

What is a Breach?

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information.

The Omnibus Rule revised two of the three exceptions to the definition of breach. They are now:

  1. Good faith belief that the unauthorized individual to whom the disclosure was made would not have been able to retain the information; or
  2. Unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of the covered entity or business associate, as long as it is within their scope of authority and the PHI is not further used or disclosed; or
  3. The inadvertent disclosure of PHI from a person authorized to access PHI to another person also authorized to access PHI, where the PHI is not further used or disclosed.

The other important factor to consider is the phrase “unsecured protected health information”. If the PHI was secured in accordance with HITECH-approved technologies or methodologies, then breach notification does not need to take place.
