In the event of a breach, the HIPAA Breach Notification Rule requires covered entities and their business associates to promptly inform individuals and the Department of Health and Human Services (HHS).
However, there are HIPAA breach exceptions that do not require notifications to the HHS or the individuals affected. This article explains the exceptions to a HIPAA breach that healthcare providers and other covered entities should know.
What Constitutes a HIPAA Breach?
A HIPAA breach involves an impermissible use or disclosure under the Privacy Rule that jeopardizes the security and privacy of PHI. Unless a covered entity or business associate can demonstrate a low probability of PHI compromise, such incidents are presumed to be breaches.
A comprehensive risk assessment helps determine whether a breach has occurred. It considers the nature and extent of the protected health information involved, the likelihood of re-identification, the unauthorized person involved, the type of information accessed, and the scope of risk mitigation measures undertaken. While entities can exercise discretion in notifying affected parties, performing a risk assessment is essential in determining the need for a breach notification.
Exceptions to HIPAA Breach Notification
According to the Breach Notification Rule, there are three exceptions to a HIPAA breach notification:
1. Unintentional acquisition, access, or use
In situations where a workforce member or an individual acting under a covered entity’s or business associate’s authority inadvertently acquires, accesses, or uses PHI in good faith and within their authorized scope, a breach notification might not be required. The critical caveat is that the information must not be further used or disclosed in violation of the Privacy Rule.
2. Inadvertent disclosure by authorized persons
Another exception considers the unintentional disclosure of PHI between authorized individuals within the same covered entity, business associate, or organized healthcare arrangement. If the disclosed information remains within authorized channels and is not improperly used or shared, it may not necessitate breach notifications.
3. Good faith belief that the information could not be retained
If a covered entity or business associate has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI, breach notification requirements may be waived.
Permitted Uses and Disclosures Under HIPAA
The HHS delineates instances where healthcare providers can share PHI without explicit patient consent. Under HIPAA, healthcare providers can share PHI with one another for treatment purposes, even without prior patient authorization. A covered entity (CE) can also disclose PHI to another covered entity or its business associate for specific healthcare operations activities, even without patient consent.
However, before a CE can share PHI with another CE, they must fulfill three requirements:
- Both should have a relationship with the patient
- The PHI requested must pertain to the relationship
- The discloser must only provide the minimum information necessary for the procedure or operation
HIPAA Breach Notification Requirements
If the suspected HIPAA breach doesn’t fall under the exceptions and permitted uses and disclosures discussed above, healthcare providers should follow HIPAA breach notification requirements. Under HIPAA, covered entities (CEs) and their business associates (BAs) should follow the rules for notifying people, regulators, and sometimes the media.
CEs must inform affected individuals within 60 days of discovering the breach. They can use letters or emails, especially if the person has agreed to electronic notices. If contact details for ten or more people are outdated, alternative methods such as posting on the entity's website or using local media can be used.
Covered entities may post the notice on their website's homepage for at least 90 days or use mainstream print or broadcast media where the affected individuals reside. A toll-free phone number must also be included for inquiries and should remain active for at least 90 days. If fewer than ten people have outdated contact information, other methods such as written letters or phone calls are acceptable.
If more than 500 people in a state or jurisdiction are affected, CEs must also notify prominent media outlets in that area, for example through a press release. As with individual notices, media notifications must be sent within 60 days of breach discovery.
CEs must also notify the Secretary of HHS of breaches through a form on the HHS website. For major breaches (500 or more people), this must be done promptly and no later than 60 days after discovery. Smaller breaches may be reported in an annual submission, which is due within 60 days after the end of the calendar year in which the breach was discovered.
Notification by a business associate
If a business associate is responsible for the breach, it must also inform the covered entity. This notification must be given within 60 days of discovering the breach.
Rules and burden of proof
Covered entities and their business associates must be able to demonstrate that they have met the notification requirements of the HIPAA rules, or prove that the use or disclosure of PHI did not constitute a breach.
Understanding Breach Exceptions in HIPAA
The Breach Notification Rule underscores the need for healthcare providers to remain vigilant against privacy threats. However, some instances may not warrant immediate notifications. These exceptions provide essential guidelines for determining when and how to report breaches. Understanding them can help covered entities and business associates make accurate decisions, mitigate potential harm, and prevent disruptions to health care operations.