Study Guide: Certified Information Privacy Professional (CIPP): US - HIPAA Breach Notification Rule
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-hipaa-breach-notification-rule

Certified Information Privacy Professional (CIPP): US - HIPAA Breach Notification Rule

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

The HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) requires covered entities and their business associates to promptly notify affected individuals, the U.S. Department of Health & Human Services (HHS), and, when a breach affects 500 or more individuals, the media whenever protected health information (PHI) is “acquired, accessed, used, or disclosed” in a way that is not permitted by the Privacy Rule. It is the “alarm system” that forces health care organizations to act quickly when a data loss occurs, protecting patients and limiting liability.

Real-world example: A regional hospital’s IT team discovers that a laptop containing unencrypted patient charts was stolen from an employee’s car. Within 24 hours the hospital must assess whether the loss constitutes a breach, then send letters to every patient whose PHI was on the device, file a notice with HHS, and, if the breach involves 500 or more patients, issue a press release.


Key Terms & Provisions

  • Covered Entity (HIPAA): Any health care provider, health plan, or health care clearinghouse that transmits PHI electronically. Example: A hospital, a dental practice that bills insurers electronically, or a health insurance carrier.
  • Business Associate (BA): A person or entity that performs a function or service on behalf of a covered entity that involves PHI (e.g., a cloud-hosting provider, billing company). BAs are directly liable under the Breach Notification Rule.
  • Protected Health Information (PHI): Individually identifiable health information—medical records, treatment details, payment info—covered by HIPAA.
  • Breach: The acquisition, access, use, or disclosure of PHI that is not permitted by the HIPAA Privacy Rule and poses a risk of compromise to the individual.
  • Risk of Harm Standard: A breach must be “likely to result in serious adverse consequences” (e.g., identity theft, medical fraud) to trigger notification. Low-risk incidents (e.g., encrypted data loss) may be excluded.
  • Notification Timelines:
      • Individuals: Without unreasonable delay and no later than 60 days after breach discovery.
      • HHS: Within 60 days (electronic submission) for breaches affecting fewer than 500 individuals; no later than 60 days after discovery for all breaches.
      • Media: Required only when 500 or more individuals are affected; notice must be posted within 60 days of discovery.
  • Content of Individual Notice: Must include a brief description of the breach, types of PHI involved, steps individuals can take to protect themselves, what the entity is doing to investigate and mitigate, and contact information for a designated privacy officer.
  • HHS Breach Reporting Portal (OCR): The Office for Civil Rights (OCR) web portal (https://ocrportal.hhs.gov) where covered entities submit the Breach Report Form (Form 360).
  • Corrective Action Plan (CAP): If OCR determines a breach resulted from non-compliance, the entity must develop and implement a CAP outlining remediation steps, training, and monitoring.
  • State Notification Laws: Many states (e.g., California, New York) have additional breach-notification requirements that may be more stringent; compliance with both HIPAA and state law is mandatory.

Step-by-Step / Process Flow

  1. Detect & Contain – As soon as a potential breach is identified, isolate the affected system/device and preserve evidence (logs, copies of the data).
  2. Breach Assessment – Within 48 hours, convene the breach response team to determine: (a) whether PHI was involved, (b) if the incident meets the “risk of harm” threshold, and (c) the number of individuals affected.
  3. Notify HHS
      • If fewer than 500 individuals: submit the breach report via the OCR portal within 60 days.
      • If 500 or more individuals: submit the same report and simultaneously prepare the media notice.
  4. Draft Individual Notices – Create personalized letters (or email where appropriate) that meet the statutory content requirements; send by first-class mail, email, or other reasonable means within 60 days.
  5. Media Notice (500 or more individuals) – Publish a clear press release on the entity’s website and, if required, in a widely circulated newspaper of general interest, again within 60 days.
  6. Document & Review – Keep a complete breach log, retain all communications for six years, and conduct a post-incident review to update policies, training, and technical safeguards (e.g., encryption).

Common Mistakes

  • Mistake: Assuming encryption automatically eliminates the need for any notification.
    Correction: Encrypted PHI is exempt only if the encryption key was not compromised and the encryption meets the NIST standards referenced in 45 C.F.R. § 164.312(e)(2)(i). If the key is lost or the encryption is weak, a breach still triggers notification.

  • Mistake: Waiting until the 60-day deadline to start the notification process.
    Correction: The rule requires “without unreasonable delay.” Early notice (often within days) reduces risk of identity theft and demonstrates good faith, which OCR may consider in enforcement.

  • Mistake: Sending a generic “we experienced a data loss” letter that omits required elements (e.g., steps to protect).
    Correction: Use the OCR’s template language; include a description of the breach, types of PHI, recommended protective actions, and a toll-free contact number.

  • Mistake: Forgetting to notify state regulators when state law imposes a shorter deadline (e.g., 30 days in Texas).
    Correction: Cross-check the state’s breach-notification statute; the stricter deadline governs.

  • Mistake: Assuming a business associate’s breach notice obligations are satisfied by the covered entity’s notice.
    Correction: BAs must provide the same individual notices and report the breach to the covered entity, which then forwards the required HHS notice.


CIPP Exam Insights

  1. Scope Distinction: The exam often asks you to differentiate HIPAA Covered Entity vs. Business Associate obligations. Remember: both are directly liable for breach notification, but only the covered entity must notify individuals; the BA must notify the CE.
  2. Risk-of-Harm Test: Many questions hinge on whether a breach is “low-risk” (e.g., encrypted data). The key is the encryption status of the PHI at the time of loss.
  3. Timeline Traps: Be ready to pick the correct deadline—60 days for individuals and HHS, 30 days for some state laws, and immediate for media when 500 or more individuals are affected.
  4. Media Notice Threshold: A classic exam point: media notice is required only when 500 or more individuals are affected; otherwise, a “summary” notice to the Secretary of HHS suffices.

Quick Check Questions

  1. Scenario: A health plan’s third-party claims processor loses an unencrypted spreadsheet containing 1,200 members’ names, dates of birth, and claims amounts.
    Answer: The health plan (covered entity) must notify each affected individual, HHS, and the media within 60 days because the breach involves 500 or more individuals and the PHI is unencrypted.

  2. Scenario: A hospital discovers that a laptop containing encrypted PHI was stolen, but the encryption key is stored on a separate, password-protected server that was not accessed.
    Answer: No breach notification is required because the PHI was encrypted in accordance with NIST standards and the key remained secure, satisfying the “low-risk” exemption.

  3. Scenario: A business associate (cloud vendor) experiences a ransomware attack that exfiltrates PHI from a covered entity’s database. The vendor notifies the covered entity on day 2.
    Answer: The covered entity must notify individuals, HHS, and (if 500 or more individuals are affected) the media within 60 days; the BA must also notify the covered entity promptly (within a reasonable time).


Last-Minute Cram Sheet (10 One-Liners)

  1. 60-day rule – Individuals, HHS, and media (500 or more individuals) must be notified no later than 60 days after breach discovery.
  2. Risk of Harm – Notification triggers only when PHI loss is “likely to result in serious adverse consequences.”
  3. Encryption exemption – If PHI is encrypted per NIST standards and the key is uncompromised, no breach notice is required.
  4. Media threshold – 500 or more individuals: media notice; fewer than 500: no media notice.
  5. Business Associate duty – BAs must notify the covered entity of a breach immediately (within a reasonable time).
  6. State law overlay – Always check for shorter state deadlines (e.g., 30 days in Texas, 45 days in Nevada).
  7. OCR portal – Use https://ocrportal.hhs.gov to file the breach report (Form 360).
  8. Corrective Action Plan – Required when OCR finds a HIPAA violation that caused the breach.
  9. Retention period – Keep all breach documentation for six years from the date of the incident.
  10. HIPAA vs. State – HIPAA provides a baseline; state statutes can be more stringent but never less.

Good luck—remember: the Breach Notification Rule is about speed, accuracy, and transparency. Master the timelines, the risk-of-harm test, and the dual-notification responsibilities, and you’ll be ready for both the exam and real-world incidents.