A breach is any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule unless a risk assessment demonstrates a low probability of compromise.
Patients must be informed of a breach of their unsecured PHI.
The HITECH Act requires a business associate to notify the covered entity when it discovers a breach of unsecured PHI. If the business associate acts on behalf of the covered entity, the business associate must notify the covered entity as soon as possible and no later than 60 days after discovering a breach.
The covered entity must then notify HHS within the applicable deadline, which is measured from the date the business associate (if acting as an agent of the covered entity) discovered the breach.
There are differences in reporting based on the number of affected patients:
- If a breach affects more than 500 patients:
  - Covered entities are required to notify HHS immediately.
  - The term "immediately" is interpreted by 45 CFR Part 164 as "without unreasonable delay but in no case later than 60 calendar days following discovery of a breach."
  - For example, if a breach affecting more than 500 individuals occurred on December 5, 2023, and was discovered on January 1, 2024, the covered entity would have until March 1, 2024 (60 calendar days after discovery) to report the breach to HHS.
- If a breach affects fewer than 500 patients:
  - Covered entities must notify HHS no later than 60 days after the end of the calendar year in which the breach was discovered (not the year in which it occurred).
  - For example, if a breach affecting fewer than 500 individuals occurred on December 5, 2023, and was discovered on January 1, 2024, the covered entity would have until March 1, 2025 (60 days after the end of the calendar year in which the breach was discovered) to report the breach to HHS.
Business associate agreements (BAAs) must specify how and when the business associate will notify the covered entity of a suspected breach.