Breach Notification Requirements

It should be no surprise to read that medical practices have an obligation to maintain protected health information in certain ways, and to only use and disclose such protected health information as authorized by the patient or otherwise by law. Such requirements are set forth under the Privacy Rule.

What you may be surprised to read is that when protected health information is not maintained by a medical practice in accordance with HIPAA, notification to the patient or other sources may be required pursuant to the Breach Notification Rule (45 CFR Part 164). You may not be aware of the Breach Notification Rule because it was part of proposed modifications set forth several years ago, and many practices did not adopt the requirements of the rule because the statute at that time had not been written with teeth.

However, the Final Rule promulgated on January 25, 2013, not only modifies the Breach Notification Rule, it incorporates significant enforcement provisions should a breach occur and not be dealt with appropriately by the practice. Effective September 23, 2013, every medical practice is required to notify an individual of an acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule, otherwise known as a breach. Pursuant to the statute, a breach excludes:

1 Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of the practice or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the practice’s privacy policy.

2 Any inadvertent disclosure by a person who is authorized to access protected health information at the practice, or a business associate, to another person authorized to access protected health information at the same practice, or business associate, or organized healthcare arrangement in which the practice participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the practice’s privacy policy.

3 A disclosure of protected health information where the practice, or business associate, has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

4 Where the practice has demonstrated that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • A. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  • B. The unauthorized person who used the protected health information or to whom the disclosure was made
  • C. Whether the protected health information was actually ac­­quired or viewed
  • D. The extent to which the risk to the protected health information has been mitigated (45 CFR 164.402).

Notification is required at several levels: (1) to the individual; (2) to the media; and (3) to the Secretary of the US Department of Health and Human Services (HHS). Each requirement will be addressed in turn below.

To the Individual

Notification to the individual is required where, after a risk assessment, it has been determined that protected health information has been—or is reasonably believed by the practice to have been—accessed, acquired, used, or disclosed as a result of a breach. A breach shall be treated as being discovered by the practice on the first day that the breach is actually known to the practice or, by exercising reasonable diligence, would have been known to the practice, meaning that, if such breach is known—or by exercising reasonable diligence would have been known—to any person who is a workforce member or agent of the covered entity other than the person committing the breach. Notification to the individual is required no later than 60 calendar days after the discovery of a breach, and in the notification the practice is required to provide, to the extent possible, the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if the date is known
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether the individual’s full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved)
  • Any steps that the individual should take to protect himself or herself from potential harm resulting from the breach
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to the individual, and to protect against any further breaches
  • Contact procedures for the individual to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, and/or postal address.

Notification is required to be sent in writing by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in 1 or more mailings as information is available. If the practice knows that the individual is deceased and has the address of his or her next of kin or personal representative, written notification by first-class mail to either the next of kin or personal representative must be made. Again, the notification may be provided in 1 or more mailings as information is available.

In a case where there is insufficient or out-of-date contact information that precludes written notification to the individual, substitute notice may be provided. In a breach where more than 10 individuals are affected, substitute notice may take the form of either a conspicuous posting on the home page of the practice’s website for a period of 90 days, or a conspicuous notice in major print and/or broadcast media outlets in the geographic areas where the affected individuals likely reside, that includes a toll-free phone number that remains active for at least 90 days where individuals can learn whether their unsecured protected health information may be included in the breach. (See 45 CFR 164.404.)

To the Media

When more than 500 residents of a state or jurisdiction are involved in a protected health information breach, the practice is required to notify prominent media outlets serving the state or jurisdiction within 60 calendar days after the discovery of the breach. (See 45 CFR 164.406.)

To the HHS Secretary

The practice must also notify the Secretary of HHS when a breach has occurred that involves 500 or more individuals, in the manner and form specified on the HHS website. For all breaches involving less than 500 individuals, the practice shall maintain a log or other documentation of such breaches and, no later than 60 days after the end of each calendar year, provide notification to the Secretary in the manner specified on the HHS website. (See 45 CFR 164.408.)

Additional Concerns

In addition to the foregoing, business associates are required to report the discovery of a breach to the practice within 60 calendar days. (See 45 CFR 164.410.)

Failure to abide by the Breach Notification Rule may open up the practice to substantial liability. The recent modifications to HIPAA allow for the imposition of civil monetary penalties for any entity or individual in violation of any HIPAA requirement, including the Breach Notification Rule, which is why it is imperative to understand and implement the requirements of the rule. Implementation requires that the policies, procedures, and contracts of the practice reflect the requirements of the Breach Notification Rule.

To discuss your practice’s compliance needs to prepare for September 23, 2013, check out available HIPAA policies at www.healthcarepractice compliance.com, or contact Jennifer at 516-747-6700 x302 or This email address is being protected from spambots. You need JavaScript enabled to view it.. Prior to Sept­­ember 2013, all practices will be required to adopt new Notice of Privacy Practices, as well as accompanying documents, such as a Breach Notification Policy.

Jennifer Kirschenbaum, Esq, manages Kirschenbaum & Kirschenbaum’s healthcare department, which specializes in representing healthcare practitioners in regulatory compliance, audit defense, licensure, and transactional matters. She may be reached at 516-747-6700 x302 or by e-mail at This email address is being protected from spambots. You need JavaScript enabled to view it..

Related Articles

Subscribe to
Oncology Practice Management

Stay up to date with oncology news & updates by subscribing to receive the free OPM print publications or weekly e‑Newsletter.

I'd like to receive: