3.5 Breach Notification and Security Threats

Key Takeaways

  • A breach is an unauthorized acquisition, access, use, or disclosure of unsecured PHI that is presumed reportable unless a four-factor risk assessment shows low probability of compromise.
  • Affected individuals must be notified of any breach, and HHS of breaches affecting 500 or more individuals, without unreasonable delay and within 60 days; breaches affecting fewer than 500 are logged and reported to HHS annually.
  • Breaches of 500 or more residents of a state or jurisdiction also trigger notice to prominent media.
  • HITECH civil penalties follow four tiers based on culpability, from no-knowledge to willful neglect not corrected, with annual caps per identical violation.
  • Common threats are ransomware, phishing, and insider snooping; mitigation includes training, audit-log review, encryption, and least-privilege access.
Last updated: June 2026

What Counts as a Breach

The Breach Notification Rule (45 CFR 164.400-414, added by HITECH) defines a breach as an unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. Secured PHI — encrypted to NIST standards or properly destroyed — is not subject to the rule (the encryption safe harbor).

An impermissible use or disclosure is presumed to be a breach unless the entity demonstrates a low probability that the PHI was compromised, using a documented four-factor risk assessment:

  1. The nature and extent of the PHI (identifiers, sensitivity).
  2. The unauthorized person who used it or received it.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk has been mitigated.

Three narrow exceptions are not breaches: (1) certain good-faith, unintentional acquisition or access by a workforce member acting within their authority; (2) inadvertent disclosure between two persons authorized to access PHI at the same entity or organized health care arrangement; and (3) disclosure where the covered entity has a good-faith belief the unauthorized recipient could not reasonably have retained the information (e.g., misdirected mail returned unopened).

A worked example: a nurse opens the wrong patient's chart, immediately realizes the error, closes it, and accesses nothing further — this can fit the good-faith exception. By contrast, the same nurse browsing a co-worker's record out of curiosity is not an exception; it is potential insider snooping and a likely breach. The presumption of breach means the burden of proof is on the covered entity to document the four-factor assessment showing low probability of compromise; if it cannot, it must notify.

Notification Requirements

If a breach of unsecured PHI is confirmed, notification duties depend on the number affected:

| Recipient | When | Threshold |
|---|---|---|
| Affected individuals | Without unreasonable delay, ≤ 60 days from discovery | Any breach |
| Prominent media in the state/jurisdiction | Without unreasonable delay, ≤ 60 days | 500+ residents of one state/jurisdiction |
| HHS (OCR) — immediately via web portal | ≤ 60 days from discovery | 500+ individuals (any) |
| HHS (OCR) — annual log | Within 60 days after year-end | Fewer than 500 |

Individual notice must be by written, first-class mail (or email if the individual agreed) and must describe what happened, the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing to investigate and mitigate, and contact information. When contact information is insufficient or out of date for 10 or more individuals, the entity must provide substitute notice — a conspicuous website posting for at least 90 days or notice in major print/broadcast media — plus a toll-free number.

A business associate that discovers a breach must notify the covered entity (without unreasonable delay, generally within 60 days), supplying the information the covered entity needs to notify individuals on time. The clock starts on the date the breach is discovered — when it is known, or by exercising reasonable diligence would have been known, to any person (other than the one who committed it) at the entity. (Note: a January 2025 proposed Security Rule update may tighten some timelines, but the standing Breach Notification Rule remains 60 days.)
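To make the thresholds in this section concrete, here is an added Python example (not code from the original page or from any regulator) that maps the facts of a confirmed incident to the notices it triggers and the last permissible date for each. The 60-day window, the 500-person thresholds for media and immediate HHS notice, the 10-address trigger for substitute notice, the annual-log timing and the encryption safe harbor are taken from the text; the `BreachFacts` record, the function names and the sample scenario (a stolen unencrypted laptop holding 1,200 patients' PHI in one state) are assumptions for illustration, and all dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60           # "without unreasonable delay", no later than 60 days
LARGE_BREACH_THRESHOLD = 500      # media (per jurisdiction) and immediate HHS notice
SUBSTITUTE_NOTICE_THRESHOLD = 10  # missing/outdated contact info triggers substitute notice


@dataclass
class BreachFacts:
    """Hypothetical record of what the incident team established."""
    discovered: str                        # ISO date: known, or should have been known
    unsecured: bool                        # False if PHI was encrypted/destroyed (safe harbor)
    affected_by_jurisdiction: dict         # e.g. {"Ohio": 1200}
    insufficient_contact: int = 0          # individuals with missing/outdated contact info
    low_probability_of_compromise: bool = False  # documented four-factor assessment result


@dataclass
class Obligations:
    reportable: bool
    reason: str
    deadlines: dict = field(default_factory=dict)  # recipient -> last permissible ISO date


def notification_obligations(facts: BreachFacts) -> Obligations:
    """Decide who must be notified and by when, per the thresholds in this section."""
    if not facts.unsecured:
        return Obligations(False, "secured PHI: encryption safe harbor applies")
    if facts.low_probability_of_compromise:
        return Obligations(False, "four-factor assessment documented low probability; retain records")

    discovered = date.fromisoformat(facts.discovered)
    latest = (discovered + timedelta(days=NOTICE_WINDOW_DAYS)).isoformat()
    total = sum(facts.affected_by_jurisdiction.values())
    obl = Obligations(True, "unsecured PHI: breach presumed")

    # Every confirmed breach: individual notice by first-class mail (or agreed email).
    obl.deadlines["individuals"] = latest
    if facts.insufficient_contact >= SUBSTITUTE_NOTICE_THRESHOLD:
        # Conspicuous web posting for 90 days or major media, plus a toll-free number.
        obl.deadlines["substitute_notice"] = latest

    # Media notice is judged per state/jurisdiction, not on the total.
    for jurisdiction, count in facts.affected_by_jurisdiction.items():
        if count >= LARGE_BREACH_THRESHOLD:
            obl.deadlines[f"media:{jurisdiction}"] = latest

    # HHS notice is judged on the total: portal now for 500+, otherwise the annual log.
    if total >= LARGE_BREACH_THRESHOLD:
        obl.deadlines["hhs_portal"] = latest
    else:
        year_end = date(discovered.year, 12, 31)
        obl.deadlines["hhs_annual_log"] = (year_end + timedelta(days=NOTICE_WINDOW_DAYS)).isoformat()
    return obl


if __name__ == "__main__":
    # Constructed scenario: unencrypted laptop, 1,200 patients in one state, 12 bad addresses.
    laptop = BreachFacts("2025-03-01", True, {"Ohio": 1200}, insufficient_contact=12)
    result = notification_obligations(laptop)
    print(result.reason)
    for recipient, by in result.deadlines.items():
        print(f"  {recipient:18s} by {by}")
```

The two thresholds are deliberately evaluated on different numbers: a breach of 700 people split 400/300 across two states reaches HHS immediately but triggers no media notice, while the same 700 in one state triggers both. A negative result for `unsecured` or a documented low-probability finding short-circuits everything, which is exactly why the four-factor assessment must be written down before anyone decides not to notify.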

Penalties, Threats, and Mitigation

HITECH civil monetary penalties scale by culpability across four tiers, each with a per-violation range and an annual cap for identical violations:

  1. No knowledge (did not know, reasonable diligence) — lowest tier.
  2. Reasonable cause, not willful neglect.
  3. Willful neglect — corrected within 30 days.
  4. Willful neglect — not corrected — highest penalties.

Willful neglect can also trigger criminal penalties (fines and imprisonment) for knowing wrongful disclosure or sale of PHI.

Common threats the RHIT exam tests:

  • Ransomware — malware that encrypts systems for extortion; a ransomware infection of ePHI is presumed a reportable breach. Mitigate with backups, patching, and segmentation.
  • Phishing — deceptive emails harvesting credentials. Mitigate with training and multi-factor authentication.
  • Insider snooping — staff viewing records (e.g., a celebrity or co-worker) without a job need. Detect via audit-log review and enforce the sanction policy.

Beyond these, lost or stolen unencrypted devices remain one of the most common breach causes, which is why encryption earns the safe harbor, and improper disposal of paper or media (dumpster incidents) repeatedly draws penalties. Business associate failures — a vendor breach the covered entity is still accountable for — are another recurring pattern.

Layered mitigation — least-privilege/RBAC, encryption, audit-log review, workforce training, multi-factor authentication, tested backups, and a written incident-response plan — both prevents breaches and lowers penalty exposure by demonstrating good-faith diligence. Because penalties scale with culpability, an entity that finds, documents, reports, and corrects an issue promptly lands in a far lower tier than one that ignored a known risk.

For RHIT scenarios, the right answer usually pairs detection (audit controls) with response (sanctions, notification, mitigation) rather than a single technical fix. Remember the breach-response sequence: discover, contain and mitigate, conduct the four-factor risk assessment, notify (individuals, HHS, and media as thresholds require), and document everything for the six-year retention period and potential OCR review.
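The insider-snooping bullet and the mitigation paragraphs above both rest on audit-log review, so here is an added Python example (not code from the original page or from any EHR vendor) of what that review looks like in practice. It reads a constructed audit log, compares each access against a care-team table that records who has a job need for each patient, and reports user/patient pairs with no treatment relationship. It goes slightly beyond the text by grading the findings: a single stray view is reported as low severity (it may fit the good-faith exception described earlier and still deserves a look), while repeated access, access to a flagged record, or non-view actions such as printing are rated high. The log format, the `CARE_TEAM` table, the flagged-patient set and the repeat threshold are all assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log; columns are assumed, not any vendor's real schema.
AUDIT_LOG = """\
timestamp,user,patient_id,action
2025-03-03T08:02:11,nurse_a,P1001,VIEW
2025-03-03T08:15:40,nurse_a,P1001,VIEW
2025-03-03T12:01:05,nurse_a,P2002,VIEW
2025-03-03T12:03:19,nurse_a,P2002,VIEW
2025-03-04T09:41:52,nurse_a,P2002,VIEW
2025-03-05T17:22:08,nurse_a,P2002,PRINT
2025-03-03T10:30:00,dr_c,P2002,VIEW
2025-03-04T14:05:33,clerk_d,P3003,VIEW
"""

# Constructed treatment relationships: patient -> users with a job need for the chart.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_b"},
    "P2002": {"dr_c"},
    "P3003": {"dr_b"},
}
FLAGGED_PATIENTS = {"P2002"}   # e.g. a VIP or confidential-status patient
REPEAT_THRESHOLD = 3           # accesses to one chart that turn "curiosity" into a pattern


def parse_audit_log(text):
    """Parse the CSV audit export into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_snooping(events, care_team, flagged, repeat_threshold=REPEAT_THRESHOLD):
    """Return findings for every user/patient pair accessed without a care relationship."""
    groups = defaultdict(list)
    for event in events:
        groups[(event["user"], event["patient_id"])].append(event)

    findings = []
    for (user, patient), evs in groups.items():
        if user in care_team.get(patient, set()):
            continue  # user is on the care team: legitimate access, nothing to report
        reasons = ["no care relationship"]
        if patient in flagged:
            reasons.append("flagged record")
        if len(evs) >= repeat_threshold:
            reasons.append(f"repeated access ({len(evs)} events)")
        non_view = sorted({e["action"] for e in evs if e["action"] != "VIEW"})
        if non_view:
            reasons.append("non-view actions: " + ",".join(non_view))
        # One unexplained view may be inadvertent; anything more is a pattern to investigate.
        severity = "high" if len(reasons) > 1 else "low"
        findings.append({
            "user": user,
            "patient_id": patient,
            "count": len(evs),
            "severity": severity,
            "reasons": reasons,
        })
    # High-severity findings first, then by volume of access.
    findings.sort(key=lambda f: (f["severity"] != "high", -f["count"]))
    return findings


if __name__ == "__main__":
    for f in find_snooping(parse_audit_log(AUDIT_LOG), CARE_TEAM, FLAGGED_PATIENTS):
        print(f"[{f['severity']}] {f['user']} -> {f['patient_id']} "
              f"({f['count']} events): {'; '.join(f['reasons'])}")
```

On the sample data this reports nurse_a's four accesses to the flagged chart P2002, including a print, as high severity and clerk_d's single view of P3003 as low severity; the nurse's own patient P1001 and dr_c's access to P2002 are not reported because both are on the care team. In an RHIT scenario the finding is the detection half; the response half is the sanction policy, containment, and the four-factor assessment that decides whether notification follows.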

Test Your Knowledge

An unencrypted laptop containing PHI for 1,200 patients in one state is stolen. Which notifications are required for this confirmed breach?


An impermissible disclosure of PHI occurs. Under the Breach Notification Rule, what is the default presumption?


A hospital discovers an employee repeatedly opened a celebrity patient's chart with no treatment role. Which control is BEST suited to detect this, and what category is it?
