DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
In specific circumstances, which we outline below, privacy or security incidents affecting HIPAA covered entities or business associates might constitute breaches of unsecured PHI. HIPAA requires that breaches of unsecured PHI be reported by covered entities and business associates. This article discusses when a privacy or security incident does not constitute a breach of unsecured PHI, and, as such, does not need to be reported per the Breach Notification Rule.
What is a Breach of Unsecured PHI?
Please note that not all privacy or security incidents are considered to be breaches of unsecured PHI under HIPAA. Under HIPAA, the term "breach" is defined as: "The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the protected health information."
If an incident does not involve a covered entity's or business associate's acquiring, accessing, using, or disclosing PHI, there is no breach to speak of. For example: A malware attack occurs at a federal agency to which a covered entity is required to report healthcare data. The attack occurs after the data has been reported. The attack is on the federal agency's information systems storing the data. The covered entity does not have a business associate that is in any way responsible for or associated with the attack.
This situation does not constitute a breach that the covered entity must report under the HIPAA law or regulations. Why? The covered entity did not acquire, use, or disclose PHI. The breach, if there was one, was sustained by the agency, and no business associate of the covered entity played any role in the breach’s occurrence.
Under such facts, the incident is not a breach of unsecured PHI sustained by the covered entity. As such, it need not be reported by the covered entity under HIPAA. HIPAA does not require the covered entity to report the breach (if there was one) to patients, HHS, the media, or anyone else. Another law might. HIPAA does not. A covered entity may inform patients of the incident if, after discussion with legal counsel, it is determined that there is a legal requirement or other valid reason to do so. To repeat, though, HIPAA does not require the covered entity to report the incident - that is, to notify patients, HHS, or the media of the incident.