HIPAA Breach Notification Rule

The page below is a sample from the LabCE course HIPAA Privacy and Security Rules.


A breach is any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, unless a risk assessment demonstrates that there is a low probability the PHI was compromised.
Patients must be informed of a breach of their unsecured PHI.
The HITECH Act requires a business associate to notify the covered entity when it discovers a breach of unsecured PHI. If the business associate acts on behalf of the covered entity, the business associate must notify the covered entity as soon as possible and no later than 60 days following the discovery of a breach.
The covered entity must then notify HHS of the breach within the allotted time. That clock runs from the date of discovery, which, when the business associate is acting as an agent of the covered entity, is the date the business associate discovered the breach.
Reporting timelines differ according to the number of affected patients:
  • If a breach affects more than 500 patients:
    • Covered entities are required to notify HHS immediately.
    • The term "immediately" is interpreted by 45 CFR Part 164 as "without unreasonable delay but in no case later than 60 calendar days following discovery of a breach."
    • For example, if a breach affecting more than 500 individuals occurred on December 5, 2018, and was discovered on January 1, 2019, the covered entity would have until March 1, 2019 (60 calendar days) to report the breach to HHS.
  • If a breach affects fewer than 500 patients:
    • Covered entities must notify HHS no later than 60 days after the end of the calendar year in which the breach was discovered (not the year in which the breach occurred).
    • For example, if a breach affecting fewer than 500 individuals occurred on December 5, 2018, and was discovered on January 1, 2019, the covered entity would have until March 1, 2020 (60 days after the end of the calendar year in which the breach was discovered) to report the breach to HHS.
It is very important that business associate agreements (BAAs) specify how and when the business associate will notify the covered entity of a suspected breach, since the covered entity's own reporting deadlines depend on that notification.