HIPAA safeguards protected health information (PHI) and requires covered entities and their business associates to promptly inform individuals and the Department of Health and Human Services (HHS) in the event of a breach. However, there are exceptions to HIPAA breach notifications that healthcare providers and other covered entities should be aware of, such as unintentional access, accidental disclosure, or unauthorized retention.
What is a HIPAA breach?
HHS defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment."
Conducting a comprehensive risk assessment assists in determining whether a breach has occurred. Factors include:
- The nature and extent of the PHI involved
- The likelihood of re-identification
- The unauthorized personnel involved
- The type of information accessed
- The level of risk mitigation undertaken
Read more: HIPAA Compliant Email: The Definitive Guide
Understanding breach exceptions
The exceptions to HIPAA breach notifications provide guidelines to make accurate decisions, mitigate potential harm, and prevent disruptions to healthcare operations.
While prompt breach notifications protect patient privacy and security, not all incidents require immediate notifications.
See also: Understanding HIPAA violations and breaches
Exceptions to HIPAA breach notification
While immediate breach notification is typically required under HIPAA, there are three exceptions to HIPAA breach notifications. These exceptions acknowledge situations where the breach may not pose a significant risk to the privacy and security of PHI.
Unintentional access to PHI
If an employee unintentionally comes into contact with or uses PHI while acting in good faith and within their authorized role, the breach exception may apply. Two conditions must be met for this exception: the access or use must be unintentional and in good faith. Furthermore, the employee must refrain from disclosing the PHI in a manner prohibited by the HIPAA Privacy Rule.
Accidental disclosure to authorized personnel
When an individual authorized to access PHI shares it with another authorized person within the same covered entity, business associate, or organized healthcare arrangement, an exception can be invoked. To qualify for this exception, the disclosed information must remain within authorized channels and should not be used or shared improperly.
Unauthorized retention
In cases where a covered entity genuinely believes that the unauthorized recipient of PHI would not have been able to retain the information, breach notification requirements may be waived.
Permitted uses and disclosures under HIPAA
While breach exceptions provide some leeway, there are also permitted uses and disclosures of PHI under HIPAA. The Department of Health and Human Services (HHS) outlines instances where healthcare providers can share PHI without explicit patient consent.
Treatment purposes
Healthcare providers can share PHI for treatment purposes, even without prior patient authorization.
Healthcare operations activities
Covered entities can disclose PHI to other covered entities or their business associates for specific healthcare operations activities, even without patient consent. However, both entities should have a relationship with the patient, the requested PHI must pertain to that relationship, and the disclosing entity must only provide the minimum necessary information for the procedure or operation.
HIPAA breach notification requirements
While the exceptions provide some relief from immediate breach notifications, there are HIPAA breach notification requirements for situations that do not fall under these exceptions.
Individual notice
Covered entities must inform affected individuals within 60 days of discovering a breach. They can use letters or emails to notify individuals. If contact details for ten or more individuals are outdated, alternative methods such as posting the notice on the covered entity's website or using local media can be used.
Media notice
If a breach affects over 500 individuals in a state or jurisdiction, covered entities must also notify the media in that area. This can be done through press releases or other appropriate means.
HHS Secretary's notice
Covered entities must inform the HHS Secretary about breaches through a form on the HHS website.
Notification by a business associate
If a business associate is responsible for a breach, they must also inform the covered entity within 60 days of discovering the breach.
Go deeper:
Farah Amod
