6.2 Breach Protocols from Report to Resolution

Key Takeaways

  • Under the HIPAA Breach Notification Rule, individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery of a breach.
  • Breaches affecting 500 or more individuals require notice to HHS OCR and to prominent media within 60 days; breaches under 500 are logged and reported to HHS within 60 days after the calendar year ends.
  • The 2013 Omnibus Rule presumes any impermissible use or disclosure is a reportable breach unless a four-factor risk assessment shows a low probability that PHI was compromised.
  • RHIA leaders contribute by reporting immediately, containing exposure, preserving evidence, supplying factual record details, and driving root-cause corrective action.
Last updated: June 2026

Treat Suspected Breaches as Managed Events

A breach under HIPAA is the acquisition, access, use, or disclosure of unsecured protected health information (PHI) in a manner not permitted by the Privacy Rule that compromises its security or privacy. The Breach Notification Rule sets hard deadlines the RHIA exam loves to test: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. If a breach affects 500 or more individuals, the covered entity must also notify the HHS Office for Civil Rights (OCR) within 60 days and notify prominent media serving the state or jurisdiction within 60 days.

Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year.

The 2013 Omnibus Rule changed the analysis: an impermissible use or disclosure is presumed to be a reportable breach unless the entity documents a four-factor risk assessment showing a low probability that PHI was compromised. The four factors are (1) the nature and extent of the PHI, including identifiers and likelihood of re-identification; (2) the unauthorized person who used or received it; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which risk has been mitigated.

Three exceptions can avoid breach status entirely: good-faith unintentional access by workforce, inadvertent disclosure between authorized workforce members, and disclosure to a recipient who could not reasonably have retained the information.

The first operational rule is that a suspected breach is reported through policy, never quietly fixed. A staff member who misdirects a fax, opens the wrong record, loses a paper packet, or spots unusual access in an audit log must not clean it up and move on — informal cleanup destroys evidence and can blow the 60-day clock.

| Breach response phase | Purpose | RHIA contribution |
| --- | --- | --- |
| Report | Bring a suspected event into the official path | Ensure staff know how and what facts to capture |
| Contain | Stop additional exposure or access | Suspend release, disable access, retrieve records, correct routing |
| Preserve evidence | Keep logs, documents, and system details intact | Identify request records, disclosure logs, audit trails, patient lists |
| Investigate | Determine what happened and what PHI was involved | Validate identity, record scope, document set, workflow history |
| Assess risk | Apply the four-factor test with facts | Provide recipient, viewing, mitigation, and sensitivity details |
| Notify | Meet 60-day and 500-individual obligations | Supply affected-individual counts and addresses for the notice list |
| Remediate | Correct the process that allowed the event | Update workflow, training, configuration, vendor or monitoring controls |
| Document | Preserve decisions and actions | Maintain defensible notes, approvals, and closure evidence |

Breach Protocol Do and Do Not List

  • Do report suspected incidents immediately through the official path so the 60-day clock is managed.
  • Do preserve audit logs, request records, release packages, emails, envelopes, and transmission receipts.
  • Do contain further exposure before routine processing resumes.
  • Do document the four-factor risk assessment, even when the conclusion is “no notification required.”
  • Do not rely on hallway opinions or memory as the only evidence.
  • Do not alter records, logs, or correspondence to make the event look cleaner.
  • Do not promise patients an outcome before the designated team finishes review.

Worked scenario: an unencrypted laptop holding 1,200 patients' records is stolen. Encryption would have made the PHI “secured” and exempt; because it was unencrypted, this is presumptively a breach. Because it exceeds 500 individuals, the entity must notify each individual, OCR, and prominent media within 60 days. The exam answer that says “wait to see if anyone complains” is wrong on its face.

When a question asks for the first action, choose report-contain-preserve. When it asks for the management action after repeated incidents, choose root-cause correction — retraining, workflow redesign, stronger verification, system configuration, encryption, vendor review, or audit monitoring — because repeated misdirected faxes prove a system weakness, not a string of unrelated accidents.

Content of the Notice, Business-Associate Duties, and Civil Penalties

The individual notice itself has required content that the exam may test: a brief description of what happened and the date of the breach and discovery; the types of information involved; steps individuals should take to protect themselves; what the entity is doing to investigate, mitigate, and prevent recurrence; and contact procedures. Notice goes by first-class mail (or email if the patient agreed), and if contact information is insufficient for 10 or more individuals, the entity must post a substitute notice on its website for 90 days or use major media.

Business associates add a layer. When a vendor that creates, receives, maintains, or transmits PHI suffers a breach, it must notify the covered entity, generally within 60 days of discovery, and the business associate agreement (BAA) should specify the timeline and the facts the vendor must supply. The covered entity, not the vendor, usually issues notices to individuals, so HIM and privacy must obtain the affected-patient list quickly to protect the 60-day clock.

The stakes are concrete. HIPAA civil monetary penalties run on a tiered structure based on culpability — from “did not know” at the lowest tier up to “willful neglect, not corrected” at the highest — with substantial per-violation amounts and large annual caps. OCR also publishes large breaches on its public “wall of shame.” These consequences are why the exam rewards disciplined evidence and timely notification over informal cleanup.

| Notice deadline / trigger | Recipient | Timing |
| --- | --- | --- |
| Any breach of unsecured PHI | Affected individuals | Without unreasonable delay, ≤ 60 days from discovery |
| Breach ≥ 500 individuals | HHS OCR | ≤ 60 days from discovery |
| Breach ≥ 500 in a state/jurisdiction | Prominent media | ≤ 60 days from discovery |
| Breach < 500 individuals | HHS OCR (annual log) | ≤ 60 days after calendar year-end |
| Business associate breach | Covered entity | Generally ≤ 60 days from discovery |

Knowing these rows cold lets you eliminate distractor answers quickly, because most wrong options either omit a required recipient or invent a deadline that does not exist.
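The decision tree described above (secured-PHI exemption, the three exceptions, the four-factor presumption, the 500-individual threshold, the substitute-notice rule, and the annual log) can be written down as one function, which makes the deadlines in the table checkable rather than remembered. This is an added example, not material from the original text; the incident fields, the ISO date inputs, and the choice to key the annual log to the calendar year of discovery are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH = 500               # individuals: adds HHS OCR and prominent-media notices
NOTICE_WINDOW = timedelta(days=60)
SUBSTITUTE_NOTICE_MIN = 10       # insufficient contact info for 10 or more individuals

@dataclass
class Incident:
    """Facts the investigation must establish before the notice decision (assumed fields)."""
    discovered: str                   # ISO date the entity discovered the event
    individuals: int
    encrypted: bool                   # secured (encrypted) PHI is outside the rule
    exception_applies: bool = False   # one of the three statutory exceptions documented
    low_probability: bool = False     # four-factor assessment concluded low probability
    bad_addresses: int = 0            # individuals with insufficient contact information

def notification_plan(inc: Incident) -> dict:
    """Return who must be notified and by when under the Breach Notification Rule."""
    plan = {"reportable": True, "document_risk_assessment": True, "notices": {}}
    # Secured PHI, a statutory exception, or a documented low-probability finding
    # rebuts the Omnibus presumption; the four-factor assessment is still written down.
    if inc.encrypted or inc.exception_applies or inc.low_probability:
        plan["reportable"] = False
        return plan
    discovered = date.fromisoformat(inc.discovered)
    deadline = (discovered + NOTICE_WINDOW).isoformat()
    plan["notices"]["affected individuals"] = deadline
    if inc.bad_addresses >= SUBSTITUTE_NOTICE_MIN:
        plan["notices"]["substitute notice (website 90 days or major media)"] = deadline
    if inc.individuals >= LARGE_BREACH:
        plan["notices"]["HHS OCR"] = deadline
        plan["notices"]["prominent media"] = deadline
    else:
        # Assumption: the annual log is keyed to the calendar year of discovery.
        year_end = date(discovered.year, 12, 31)
        plan["notices"]["HHS OCR annual log"] = (year_end + NOTICE_WINDOW).isoformat()
    return plan

def days_remaining(inc: Incident, today: str) -> int:
    """Days left on the 60-day individual-notice clock (negative means it has run out)."""
    due = date.fromisoformat(inc.discovered) + NOTICE_WINDOW
    return (due - date.fromisoformat(today)).days

if __name__ == "__main__":
    laptop = Incident("2026-03-01", 1200, encrypted=False)   # constructed scenario
    for recipient, due in notification_plan(laptop)["notices"].items():
        print(f"{recipient}: by {due}")
```

Running it on the stolen-laptop scenario from the chapter lists individuals, HHS OCR, and prominent media with the same 60-day date; changing `encrypted=True` makes the event non-reportable while still flagging that the assessment must be documented.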

Test Your Knowledge

  1. A release specialist realizes a packet may have been sent to the wrong recipient. What is the best first response?
  2. An unencrypted thumb drive holding records for 1,200 patients is lost. Which set of notification obligations applies under the Breach Notification Rule?
  3. Which fact set is the basis for the four-factor breach risk assessment?