protected health information phi breach icon

Breakdown on Breaches

🕛 Report Any Breaches in 2023 to OCR by March 1, 2024 Deadline

Proactive question: Did your organization experience a breach within the year 2023? For any breach affecting fewer than 500 individuals, the deadline for reporting to OCR will be March 1, 2024.


JUMP TO THE SECTION


Breakdown on Breaches & What to Do


The deadline for reporting breaches affecting 500 individuals or less will be quickly approaching! If a breach occurred in 2022, your organization must report that incident by March 1, 2024, to the Secretary of the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR).

The mandatory breach reporting period is an excellent opportunity to brush up on what you must know about breaches.


Was it a Breach? How to Identify a Breach Incident

A "Breach" incident refers to:

  • An unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI)
  • When data privacy or security is compromised, PHI can cause significant risk of financial, reputational, or other harm to the individual.
  • The breach is "discovered" on the first day when a covered entity or business associate realizes an incident occurred.
  • Did you know a privacy breach is still considered a breach (even when accidentally caused)?

HHS describes a breach as "an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."


Two Kinds of Protected Health Information

kinds of protected health information

Secured PHI — An unauthorized person cannot use, read, or decipher any PHI since the organization:

  • Encrypts or controls who can access that sensitive information (approved users only)
  • Clears, purges, or destroys electronic media (i.e., data storage devices, film, laptops) that stored or recorded ePHI
  • Shreds or otherwise obliterate PHI (i.e., paper files)

Unsecured PHI — An unauthorized person can access, might use, read, and decipher PHI obtained from an organization that:

  • Lacks encryption or sensitive information is too accessible (meaning anyone can find it)
  • Neglects or accumulates data without a plan
  • Encrypts PHI, but the decryption key is also compromised

Determine if a Breach is Reportable or an Exception

A breach is presumed under HIPAA's privacy provisions when an impermissible use or disclosure of PHI happens (this qualifies as a breach). The exception is when a covered entity can demonstrate that sensitive information remained uncompromised despite a breach.

A Reportable Breach Example — Suppose the improperly accessed data did not include birth dates and ZIP codes. In that case, it is still considered a breach of protected information unless the organization demonstrates that it's unlikely the breach has compromised the data following a risk assessment.

A proper risk assessment will cover these four factors:

  1. The nature and extent of the protected health information involved, including types of identifiers and the likelihood of re-identification;
  2. The unauthorized party who used the PHI or to whom the disclosure was made;
  3. Whether PHI was acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.
three breach exceptions

Breach notification is required when a thorough, good-faith assessment of these factors fails to demonstrate a low probability that PHI was compromised. Leverage these four factors and perhaps add other variables to measure when determining breaches under the HIPAA Omnibus Rule.

Breach Exceptions — There are three breach exceptions.

No breach has occurred if an incident falls under one of these three exceptions:

  1. The unintentional acquisition, access, or use of PHI in good faith
  2. The inadvertent disclosure to an authorized person at the same organization
  3. The recipient of the PHI is unable to retain the information.

Examples of Common Incidents

Exceptions - Although an exception wouldn't need to be reported to OCR, the following incidents would need to be logged and added to the patient's accounting of disclosures log:

  • Handing the wrong receipt to a patient at checkout and then getting it right back. It's not reportable because the patient had the information for such a short amount of time that it is unlikely they would remember any of it.
  • Faxing a patient's information to the wrong provider by accident. Same as above, only the risk is low because HIPAA binds the provider to safeguard any PHI they acquire. The other provider would need to shred the information but is still considered an exception.

Reportable - With these types of breaches, the covered entity must send the patient a letter of notice and notify OCR under the Breach Notification Rule.

  • A patient is given the wrong physical therapy order and doesn't notice until they go to their next therapy appointment and their physical therapist notices. This is reportable because the patient had the order for a long enough time that the risk is high that they or someone else read the information or could retain it or make copies, etc. The amount of PHI on the therapy order would be significant, including the other patient's name, DOB, diagnosis, patient ID number, contact information, etc. The risk to this patient's information is high.


Breach Notification Rules

The Breach Notification Rule falls into two categories:

categories of breach notification rules

1. Breaches Affecting Fewer than 500 Individuals

  • When a data breach of unsecured protected health information happens and affects fewer than 500 individuals, the reporting requirements are more flexible. Covered entities have 60 days from the end of the calendar year when the breach was discovered to report the breaches to the OCR (deadline March 1, 2023).
  • Each reportable breach must have its own separate notice for the incident. The covered entity must submit the notice electronically in the OCR portal. All of the fields of the breach notification form must be completed.

2. Breaches Affecting 500 or More Individuals

  • When a breach of unsecured protected health information affects 500 or more individuals, covered entities must notify OCR of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the required fields of the breach notification form.
  • Furthermore, organizations must report any breach affecting over 500 patient records to the media. 


Three Action-Items to Protect Your Healthcare Organization


Logging All HIPAA Incidents is Vital

Healthcare Compliance Pros recommends logging all HIPAA breaches, regardless of if they are reportable or considered an exception. The benefits of logging all incidents will provide an organization with insight into areas of their business that may need to have more thorough training or a review of their previous training. Incidents should be discussed with all staff as a training exercise and additional HIPAA training provided to the employee(s) responsible. Specifically, the portions of HIPAA that refer to safeguarding PHI and releasing information. We also recommend that policies and procedures be reviewed to identify any shortcomings that may need to be addressed that could have prevented the incident.


Preparing Your Organization for a Breach, Large or Small

Within the year 2021, several breaches affected millions of individuals reported to the U.S. Department of Health and Human Services (HHS), including the top breach for 2021 coming from Florida Healthy Kids Corporation that affected 3.5 million individuals. You can view hundreds of open breaches reported to HHS at any given time that are under investigation.

Many of the breaches that affect millions will have a cybersecurity component to the breach of personally identifiable information. Organizations can help prevent breaches of this kind by staying current with cybersecurity training for their employees, having policies and procedures in place, and ensuring that they are protecting their data with the appropriate antivirus/antimalware software.

Breaches that happen inside the walls of an organization likely won't be in the millions typically, and it will be a breach on a much smaller scale affecting a handful of individuals. These can be minimized with proper training, including refresher training for employees along with implementing policies and procedures to protect PHI in all forms.


Accessing Resources to Get Compliant

healthcare compliance tools and resources

Healthcare Compliance Pros has designed the tools and resources to help your organization:

  • Leverage the Breach Decision Tool: Analyze a potential HIPAA privacy or security breach. Our form will help you understand what documentation is required and determine whether breach notification is required under HIPAA.
  • Follow the Quick Reference Breach Checklist: Another tool to help you handle reporting incidents.
  • Log breaches faster: You can log breach incidents that have occurred throughout the year with our online tool.
  • Customize workforce training for your employees on all things HIPAA, Cybersecurity, and more!
  • Verify your breach report through compliance experts: You can submit your breach report to a compliance advisor that reviews the breach determination and mitigation services available.

For more information about breaches or reporting to the OCR by the deadline (March 1, 2024), reach out to your dedicated support team by emailing  support@hcp.md  or calling  855-427-0427.


Not a current HCP client? Schedule a free online consultation to learn how to solve your compliance.