Insight

Breach Under HIPAA May Have Occurred: Am I Required to Notify?

Sherrard Roe Voigt & Harbison Blog

Cornell H. Kennedy

Cornell H. Kennedy

December 13, 2024 05:43 PM

Breach Under HIPAA May Have Occurred: Am I Required to Notify?

September 25, 2014 | Sherrard Roe Voigt & Harbison Blog I Cornell H. Kennedy

As you may know, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) imposes standards for the use and disclosure of protected health information (“PHI”) through its privacy rule (“Privacy Rule”) and imposes standards for the protection of electronic PHI through its security rule (“Security Rule”). As of September 2009, entities covered by HIPAA, including health plans and health care providers (“covered entities”), must notify individuals when their “unsecured” PHI (PHI that is unencrypted) has been breached.

A breach exists if there is an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule, and such action compromises the security or privacy of the PHI.

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) includes three exceptions to the definition of “breach,” which include situations where a violation of the Privacy Rule has occurred, but the violation is not to be considered a breach. Those include:

  1. A breach excludes any unintentional acquisition, access or use of PHI by a workforce member (including volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
  2. A breach excludes inadvertent disclosures of PHI from a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
  3. Also exempted are disclosures of PHI where a covered entity or a business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

If it is established that the acquisition, access, use or disclosure of PHI violates the Privacy Rule, and that the breach does not meet any of the three regulatory exceptions, a breach is presumed unless, through a risk assessment, the covered entity determines that there is a Low Probability that the data has been Compromised (“LoProCo”). To make this determination, the U.S. Department of Health and Human Services (“HHS”) provides that covered entities and business associates must conduct a risk assessment, taking into consideration, among other things, the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. Who was the unauthorized person who received or accessed the PHI;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

For example, assume that a hospital sends a fax with patient medical information to the wrong fax number outside of the hospital. In performing this analysis, the covered entity should:

  1. Determine whether the PHI – the medical information – identifies the patient, which it is likely it does;
  2. Consider who received the fax. Was it sent to another covered entity that also has confidentiality requirements, which would be viewed as favorable? Or was it sent to a local business that does not have confidentiality requirements?;
  3. Determine whether or not the PHI was actually acquired or viewed or whether there was an opportunity for the PHI to be acquired or viewed. The probability of compromise is lower if only the opportunity existed for the PHI to be acquired or viewed but the PHI was not actually acquired or viewed. However, the covered entity should presumed that the fax was viewed unless further information provides that there was no opportunity to view or acquire the information and;
  4. Mitigate the breach by requesting that the recipient either return or destroy the information.

If the covered entity makes the determination through an in-depth LoProCo analysis that the breach of the PHI does not pose a significant risk of financial, reputational or other harm to the individual, then no breach notification is required. As matter of prudent business practice, the covered entity should always document their risk assessments in order to demonstrate, if necessary, that no breach notification was required.

Trending Articles

Discover The Best Lawyers in Spain 2025 Edition


by Jennifer Verta

Highlighting Spain’s leading legal professionals and rising talents.

Flags of Spain, representing Best Lawyers country

Unveiling the 2025 Best Lawyers Editions in Brazil, Mexico, Portugal and South Africa


by Jennifer Verta

Best Lawyers celebrates the finest in law, reaffirming its commitment to the global legal community.

Flags of Brazil, Mexico, Portugal and South Africa, representing Best Lawyers countries

Presenting the 2025 Best Lawyers Editions in Chile, Colombia, Peru and Puerto Rico


by Jennifer Verta

Celebrating top legal professionals in South America and the Caribbean.

Flags of Puerto Rico, Chile, Colombia, and Peru, representing countries featured in the Best Lawyers

How to Increase Your Online Visibility With a Legal Directory Profile


by Jennifer Verta

Maximize your firm’s reach with a legal directory profile.

Image of a legal directory profile

Paramount Hit With NY Class Action Lawsuit Over Mass Layoffs


by Gregory Sirico

Paramount Global faces a class action lawsuit for allegedly violating New York's WARN Act after laying off 300+ employees without proper notice in September.

Animated man in suit being erased with Paramount logo in background

Tampa Appeals Court ‘Sends Clear Message,” Ensuring School Tax Referendum Stays on Ballot


by Gregory Sirico

Hillsborough County's tax referendum is back on the 2024 ballot, promising $177 million for schools and empowering residents to decide the future of education.

Graduation cap in air surrounded by pencils and money

The Future of Family Law: 3 Top Trends Driving the Field


by Gregory Sirico

How technology, mental health awareness and alternative dispute resolution are transforming family law to better support evolving family dynamics.

Animated child looking at staircase to beach scene

The Human Cost


by Justin Smulison

2 new EU laws aim to reshape global business by enforcing ethical supply chains, focusing on human rights and sustainability

Worker wearing hat stands in field carrying equipment

The 2025 Legal Outlook Survey Results Are In


by Jennifer Verta

Discover what Best Lawyers honorees see ahead for the legal industry.

Person standing at a crossroads with multiple intersecting paths and a signpost.

Effective Communication: A Conversation with Jefferson Fisher


by Jamilla Tabbara

The power of effective communication beyond the law.

 Image of Jefferson Fisher and Phillip Greer engaged in a conversation about effective communication

Safe Drinking Water Is the Law, First Nations Tell Canada in $1.1B Class Action


by Gregory Sirico

Canada's argument that it has "no legal obligation" to provide First Nations with clean drinking water has sparked a major human rights debate.

Individual drinking water in front of window

New Mass. Child Custody Bills Could Transform US Family Law


by Gregory Sirico

How new shared-parenting child custody bills may reshape family law in the state and set a national precedent.

Two children in a field holding hands with parents

Best Lawyers Expands With New Artificial Intelligence Practice Area


by Best Lawyers

Best Lawyers introduces Artificial Intelligence Law to recognize attorneys leading the way in AI-related legal issues and innovation.

AI network expanding in front of bookshelf

Jefferson Fisher: The Secrets to Influential Legal Marketing


by Jennifer Verta

How lawyers can apply Jefferson Fisher’s communication and marketing strategies to build trust, attract clients and grow their practice.

Portrait of Jefferson Fisher a legal marketing expert

Finding the Right Divorce Attorney


by Best Lawyers

Divorce proceedings are inherently a complex legal undertaking. Hiring the right divorce attorney can make all the difference in the outcome of any case.

Person at a computer holding a phone and pen

New Texas Law Opens Door for Non-Lawyers to Practice


by Gregory Sirico

Texas is at a critical turning point in addressing longstanding legal challenges. Could licensing paralegals to provide legal services to low-income and rural communities close the justice gap?

Animated figures walk up a steep hill with hand