4.4 Breach Notification Rule
Key Takeaways
- A breach is the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy.
- An impermissible use or disclosure is presumed to be a breach unless a four-factor risk assessment shows a low probability that the PHI was compromised.
- Covered Entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach.
- Breaches affecting 500 or more individuals require notice to HHS without unreasonable delay and no later than 60 days, plus media notice when 500 or more are in one state or jurisdiction; smaller breaches go on an annual log submitted within 60 days after year-end.
- A Business Associate must notify the Covered Entity of a breach without unreasonable delay and no later than 60 days after discovery.
What Counts as a Breach
Under the Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of PHI in a way the Privacy Rule does not permit, when that act compromises the security or privacy of the information. The rule applies only to unsecured PHI — PHI not rendered unusable, unreadable, or indecipherable through methods such as encryption or proper destruction. Properly encrypted PHI that is lost is generally not a reportable breach.
The Four-Factor Risk Assessment
An impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates a low probability that the PHI has been compromised based on a risk assessment of at least four factors:
| Factor | Question to Assess |
|---|---|
| 1. Nature and extent of PHI | What types of identifiers and clinical detail were involved, and how sensitive are they? |
| 2. Who used it or received it | Did an unauthorized person obtain it, and is that person obligated to protect PHI? |
| 3. Was PHI actually acquired or viewed | Was the information truly accessed, or only potentially exposed? |
| 4. Extent of risk mitigation | Has the risk been reduced, for example by retrieval or a confidentiality assurance? |
Three narrow exceptions also exist (good-faith unintentional access by workforce, inadvertent disclosure between authorized people at the same entity, and a disclosure the recipient could not reasonably have retained).
Notification Timelines
Breach of unsecured PHI discovered
            |
            v
  +-------------------------+
  | How many people         |
  | affected?               |
  +-------------------------+
        |                 |
      < 500             >= 500
        |                 |
  Notify individuals    Notify individuals
  within 60 days        within 60 days
        |                 |
  Log the breach;       Notify HHS without
  report to HHS in      unreasonable delay,
  the annual log        no later than 60 days
  within 60 days          |
  after year-end        Notify media if 500+
                        in one state/jurisdiction
Individual Notice
Affected individuals must be notified in writing without unreasonable delay and no later than 60 calendar days after the breach is discovered. The notice describes what happened, the PHI involved, steps individuals can take, and what the entity is doing.
Notice to HHS
- 500 or more individuals: notify the HHS Secretary without unreasonable delay and no later than 60 days after discovery — contemporaneously with individual notice.
- Fewer than 500 individuals: log the breach and report it to HHS in an annual submission within 60 days after the end of the calendar year.
Media Notice
If a breach affects 500 or more residents of a single state or jurisdiction, the entity must also notify prominent media outlets serving that area, within the same 60-day window.
Business Associate Obligations
When a Business Associate discovers a breach, it must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery. The Covered Entity is then responsible for notifying individuals, HHS, and the media as required. BAAs often shorten the BA's reporting window so the CE can still meet its own 60-day deadline.
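To make the thresholds and deadlines above concrete, here is an added Python example (not from the original page) that maps a discovered breach to the required notices and their latest dates. The Breach fields, the sample incidents and the 10-day BAA window are constructed assumptions, and the low_probability flag stands in for a documented four-factor assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days after discovery"
LARGE_BREACH = 500                   # threshold for prompt HHS notice and media notice


@dataclass
class Breach:
    discovered: date               # date the breach was discovered
    affected: int                  # number of individuals whose PHI was involved
    unsecured: bool                # True unless the PHI was encrypted or destroyed per guidance
    max_in_one_jurisdiction: int   # largest count of affected residents in any single state
    low_probability: bool = False  # True only if a documented four-factor assessment supports it


def covered_entity_notices(b: Breach) -> dict:
    """Map each required recipient to the Covered Entity's latest notification date.

    Returns an empty dict when no notice is required: the PHI was secured, or the
    four-factor risk assessment showed a low probability of compromise.
    """
    if not b.unsecured or b.low_probability:
        return {}
    deadline = b.discovered + NOTICE_WINDOW
    notices = {"individuals": deadline}
    if b.affected >= LARGE_BREACH:
        notices["hhs"] = deadline                       # contemporaneous with individual notice
        if b.max_in_one_jurisdiction >= LARGE_BREACH:
            notices["media"] = deadline                 # prominent outlets serving that state
    else:
        # Smaller breaches go on the annual log, due 60 days after the calendar year ends.
        year_end = date(b.discovered.year, 12, 31)
        notices["hhs_annual_log"] = year_end + NOTICE_WINDOW
    return notices


def business_associate_deadline(discovered: date, baa_window_days: int = 60) -> date:
    """Latest date a BA must notify the CE; a BAA may shorten the 60-day cap but not extend it."""
    return discovered + timedelta(days=min(baa_window_days, 60))


# Constructed samples (not real incidents): a stolen unencrypted laptop with 1,800 patients'
# records, all residents of one state, and a 40-person disclosure that failed the risk assessment.
SAMPLE_LAPTOP = Breach(date(2024, 3, 10), affected=1800, unsecured=True, max_in_one_jurisdiction=1800)
SAMPLE_SMALL = Breach(date(2024, 3, 10), affected=40, unsecured=True, max_in_one_jurisdiction=40)

if __name__ == "__main__":
    for name, b in (("laptop", SAMPLE_LAPTOP), ("small", SAMPLE_SMALL)):
        print(name, {k: v.isoformat() for k, v in covered_entity_notices(b).items()})
    print("BA deadline under a 10-day BAA:", business_associate_deadline(SAMPLE_LAPTOP.discovered, 10))
```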
A billing company (a Business Associate) discovers that an unencrypted laptop containing 1,800 patients' claim data was stolen. The patients are spread across one state. Which notification path is correct?
A practice has an impermissible disclosure affecting 40 individuals and cannot demonstrate a low probability of compromise. How must it report this to HHS?