HIPAA Breach Notification Rule

What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to provide timely notice in the event of a breach involving Protected Health Information (PHI). A breach is defined as any impermissible access, use, or disclosure of PHI that compromises the privacy or security of the information.

Under this rule:

  • Individuals affected by a breach must be notified within 60 calendar days of discovery.
  • If the breach affects more than 500 individuals, the Covered Entity must notify the HHS and local media.
  • For breaches affecting fewer than 500 individuals, notification to the HHS is required on an annual basis, but individuals must still be notified.
  • Covered Entities must also conduct a breach risk assessment to determine the risk to the individual(s) who are the subject(s) of the information. This includes evaluating the nature and extent of the PHI involved, the unauthorized person who used or received the information, and the extent to which the risk has been mitigated.

Failure to comply with these obligations can result in severe HIPAA breach penalties, which vary with the tier or type of violation, the degree of negligence, and the degree of impact. Lack of timely notification is considered a serious offense.

How to Comply with the HIPAA Breach Notification Rule?

To minimize risks, organizations should use HIPAA-compliant email systems for communication and invest in regular HIPAA compliance training to ensure staff are aware of reporting protocols and breach identification procedures.

The Breach Notification Rule reinforces the need for proactive data security and transparency. Organizations that respond swiftly and responsibly to breaches can mitigate penalties and maintain the trust of their patients and partners.
