3.2 HIPAA Security Rule and Breach Notification
Key Takeaways
- The HIPAA Security Rule applies specifically to electronic Protected Health Information (ePHI) and requires administrative, physical, and technical safeguards
- Administrative safeguards include security management, workforce training, contingency plans, and security incident procedures
- Physical safeguards include facility access controls, workstation security, and device/media controls
- Technical safeguards include access controls, audit controls, integrity controls, and transmission security (encryption)
- A breach is the acquisition, access, use, or disclosure of unsecured PHI (PHI not encrypted or destroyed per HHS guidance) in a manner not permitted by the Privacy Rule that compromises its security or privacy; an impermissible disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised
- Individuals must be notified without unreasonable delay and no later than 60 days after a breach is discovered; breaches affecting 500 or more individuals also require notification to HHS at the same time, and to prominent media outlets when more than 500 residents of one state or jurisdiction are affected
- HITECH Act increased HIPAA penalties and extended requirements to business associates directly
While the Privacy Rule covers PHI in all forms, the Security Rule focuses specifically on electronic PHI (ePHI). The Security Rule requires covered entities and business associates to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI.
Three Categories of Security Safeguards
Administrative Safeguards
Administrative safeguards are the policies, procedures, and actions to manage the security of ePHI:
| Safeguard | Description | CMAA Relevance |
|---|---|---|
| Security management | Risk analysis and risk management processes | Office must conduct regular risk assessments |
| Workforce security | Procedures to ensure proper ePHI access based on role | CMAAs access only what they need for their job |
| Information access management | Policies for granting, modifying, and revoking access | New employees get role-based access; terminated employees have access immediately revoked |
| Security awareness training | Regular training on security threats and policies | All staff, including CMAAs, must complete HIPAA training |
| Security incident procedures | Policies for identifying, reporting, and responding to security incidents | Know how to report a suspected breach |
| Contingency plan | Data backup, disaster recovery, and emergency mode operations | Plans for system failures, natural disasters |
| Business associate agreements | Written contracts with all business associates | Ensure BAAs are in place before sharing ePHI |
Physical Safeguards
Physical safeguards protect the physical environment where ePHI is accessed or stored:
| Safeguard | Description | CMAA Relevance |
|---|---|---|
| Facility access controls | Procedures to limit physical access to ePHI systems | Locked doors, key cards, visitor logs |
| Workstation use | Policies for appropriate use of workstations | Screens face away from public areas; clean desk policy |
| Workstation security | Physical safeguards for workstations | Privacy screens, automatic screen locks, cable locks |
| Device and media controls | Policies for the receipt, removal, reuse, and disposal of hardware and electronic media containing ePHI | Hard drives must be wiped or destroyed before disposal or reuse; flash drives encrypted; movement of devices logged |
Technical Safeguards
Technical safeguards are the technology and policies that protect ePHI:
| Safeguard | Description | CMAA Relevance |
|---|---|---|
| Access controls | Unique user IDs, emergency access procedures, automatic logoff, encryption and decryption | Each CMAA has a unique login; never share passwords or let a colleague work under your session |
| Audit controls | Hardware, software, and procedures to record and examine access | System tracks who accessed what records and when |
| Integrity controls | Measures to ensure ePHI is not improperly altered or destroyed | Data validation, version control, checksums |
| Person or entity authentication | Verifying the identity of anyone seeking access to ePHI | Passwords, PINs, biometrics, tokens |
| Transmission security | Protecting ePHI during electronic transmission | Encryption for emails, secure portals, VPN connections |
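The audit-control and integrity-control rows above describe what the system must do; the following Python script is an added example (not code from the original page or from any EHR vendor) that shows one way those two controls work together. It keeps an ePHI access log whose entries are chained with an HMAC so that an after-the-fact edit or deletion is detectable, and then runs two checks a privacy officer would actually want over that log: accesses outside the user's role, and one user touching an unusually large number of different patients in a short window (a classic record-snooping indicator). The role-to-record-type policy, the user names, and the sample events are all constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Hypothetical role-to-record-type policy for a clinic. The categories are
# assumptions for this example, not HHS-defined terms.
ROLE_PERMISSIONS = {
    "cmaa": {"demographics", "scheduling", "billing"},
    "nurse": {"demographics", "scheduling", "clinical"},
    "physician": {"demographics", "scheduling", "clinical", "billing"},
}

# Constructed sample access events (not real data): who accessed which
# patient's record, of what type, and when -- the "who, what, when" an
# audit control must capture.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "user": "jdoe", "role": "cmaa", "patient": "P-1001", "record": "scheduling", "action": "view"},
    {"ts": "2024-03-04T09:02:00", "user": "jdoe", "role": "cmaa", "patient": "P-1001", "record": "billing", "action": "edit"},
    {"ts": "2024-03-04T09:05:00", "user": "jdoe", "role": "cmaa", "patient": "P-1002", "record": "clinical", "action": "view"},
    {"ts": "2024-03-04T09:06:00", "user": "rlee", "role": "nurse", "patient": "P-1002", "record": "clinical", "action": "view"},
    {"ts": "2024-03-04T12:00:00", "user": "jdoe", "role": "cmaa", "patient": "P-2001", "record": "demographics", "action": "view"},
    {"ts": "2024-03-04T12:01:00", "user": "jdoe", "role": "cmaa", "patient": "P-2002", "record": "demographics", "action": "view"},
    {"ts": "2024-03-04T12:02:00", "user": "jdoe", "role": "cmaa", "patient": "P-2003", "record": "demographics", "action": "view"},
    {"ts": "2024-03-04T12:03:00", "user": "jdoe", "role": "cmaa", "patient": "P-2004", "record": "demographics", "action": "view"},
]

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first entry


def _canonical(event):
    # Stable serialization so the MAC does not depend on dict key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _mac(key, prev, event):
    # Each entry's MAC covers the previous entry's MAC, which is what chains them.
    return hmac.new(key, (prev + _canonical(event)).encode(), hashlib.sha256).hexdigest()


def append_entry(log, event, key):
    """Append an event, chained to the previous entry so that editing or
    deleting any earlier entry invalidates everything after it."""
    event = dict(event)  # store a copy so later edits to the caller's dict cannot alter the log
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "prev": prev, "mac": _mac(key, prev, event)})
    return log


def build_log(events, key):
    log = []
    for ev in events:
        append_entry(log, ev, key)
    return log


def verify_log(log, key):
    """Integrity control: return the index of the first entry that fails the
    chain check, or -1 if the whole log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(key, prev, entry["event"])):
            return i
        prev = entry["mac"]
    return -1


def out_of_role_accesses(log):
    """Audit check 1: accesses to a record type the user's role may not see."""
    return [e["event"] for e in log
            if e["event"]["record"] not in ROLE_PERMISSIONS.get(e["event"]["role"], set())]


def bulk_access_users(log, max_patients, window_minutes):
    """Audit check 2: users who touched more than max_patients distinct patients
    within any sliding window of window_minutes (a record-snooping indicator)."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for e in log:
        ev = e["event"]
        by_user.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["ts"]), ev["patient"]))
    flagged = []
    for user, hits in sorted(by_user.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            patients = {p for t, p in hits[i:] if t - start <= window}
            if len(patients) > max_patients:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    key = b"example-audit-key"  # in practice a secret held by the audit service, not by the EHR front end
    log = build_log(SAMPLE_EVENTS, key)
    print("chain intact:", verify_log(log, key) == -1)
    print("out-of-role accesses:", out_of_role_accesses(log))
    print("bulk-access users:", bulk_access_users(log, max_patients=3, window_minutes=10))
    log[2]["event"]["patient"] = "P-9999"  # simulate someone editing the log after the fact
    print("first bad entry after tampering:", verify_log(log, key))
```

The thresholds (more than 3 patients in 10 minutes) are illustrative; a real clinic would tune them to its workflow and exclude legitimate batch tasks such as morning check-in. The point of the chain is that the audit log is only useful as evidence if its own integrity can be shown, which is why the key should live with the audit system rather than with the application whose users the log is watching.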
CMAA Security Best Practices
| Practice | Why It Matters |
|---|---|
| Use a unique login | Never share your login credentials with anyone — your access is tracked |
| Create strong passwords | Minimum 8 characters mixing uppercase, lowercase, numbers, and symbols (a longer passphrase is stronger still); never reuse a work password on another site, and change it immediately if you suspect it has been exposed |
| Lock your workstation | Press Windows+L (Windows) or Control+Command+Q (Mac) every time you step away; the automatic screen lock is a backstop, not a substitute |
| Position monitors | Ensure patient information on screens is not visible to unauthorized individuals |
| Secure paper PHI | Lock filing cabinets, shred documents before disposal |
| Verify before sending | Double-check fax numbers and email addresses before sending PHI |
| Report incidents | Immediately report any suspected security incident to your supervisor or privacy officer |
Breach Notification Rule
What Constitutes a Breach?
A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises its security or privacy. "Unsecured" means the PHI was not encrypted or destroyed in accordance with HHS guidance; a lost or stolen laptop whose ePHI was properly encrypted falls under this safe harbor and does not trigger notification. Since the 2013 Omnibus Rule, any impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate documents a risk assessment showing a low probability that the PHI was compromised, considering at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. The older test of whether the incident posed a "significant risk of financial, reputational, or other harm" no longer applies.
Breach Notification Requirements
| Breach Size | Notification Requirements | Timeline |
|---|---|---|
| Fewer than 500 individuals | Notify each affected individual in writing (first-class mail, or e-mail if the individual has agreed); log the breach and report it to HHS annually | Individual notice without unreasonable delay and no later than 60 days after discovery |
| 500 or more individuals | Notify affected individuals and HHS (at the same time as the individuals); if more than 500 residents of one state or jurisdiction are affected, also notify prominent media outlets serving that area | Without unreasonable delay and no later than 60 days after discovery |
| Annual log | Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually | Within 60 days of the end of the calendar year in which they were discovered |
| Breach at a business associate | The business associate must notify the covered entity, identifying each affected individual where possible; the covered entity then notifies individuals, HHS, and media as above | Without unreasonable delay and no later than 60 days after the business associate discovers the breach |
Exceptions (Not Considered Breaches)
| Exception | Example |
|---|---|
| Unintentional acquisition | A workforce member acting in good faith within the scope of their authority opens the wrong record, closes it immediately, and does not use or disclose it further |
| Inadvertent disclosure within the organization | A person authorized to access PHI shares it with another person at the same covered entity or business associate who is also authorized, and it goes no further |
| Good faith belief | The covered entity had a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information (for example, a misaddressed envelope returned by the post office unopened) |
HITECH Act (2009)
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA enforcement:
| Enhancement | Details |
|---|---|
| Extended to business associates | Business associates are now directly liable for HIPAA compliance |
| Increased penalties | Tiered penalty structure from $100 to $50,000 per violation, up to $1.5 million per year per violation category (amounts adjusted annually for inflation) |
| Breach notification | Established the Breach Notification Rule |
| EHR incentives | Provided financial incentives for meaningful use of electronic health records |
| Patient rights | Strengthened patient right to electronic copies and self-pay restrictions |
HIPAA Penalty Tiers
| Tier | Knowledge Level | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Did not know (and could not have known) | $100 – $50,000 | $25,000 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,000 – $50,000 | $100,000 |
| Tier 3 | Willful neglect — corrected within 30 days | $10,000 – $50,000 | $250,000 |
| Tier 4 | Willful neglect — NOT corrected | $50,000 | $1,500,000 |
The dollar figures are the statutory base amounts; HHS adjusts them for inflation each year, and the per-tier annual maximums shown reflect HHS's 2019 notice of enforcement discretion (the statute itself caps every tier at $1.5 million).
Practice Questions
- A CMAA accidentally sends a fax containing patient lab results to the wrong number. The fax was received by a non-healthcare entity. What should the CMAA do FIRST?
- Which HIPAA safeguard category includes unique user IDs, automatic logoff, and encryption?
- Under the HIPAA Breach Notification Rule, how soon must affected individuals be notified after a breach is discovered?