Amended Breach Notification Rule - December 2013

Take Steps Now to Avoid Potential Liability Under the Amended Breach Notification Rule if You Are a HIPAA-Covered Entity, Business Associate, or Business Associate's Subcontractor

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced a final omnibus rule amending the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in accordance with the HITECH Act of 2009. The 2013 amendments, which modify the HIPAA Privacy, Security, Breach Notification/Reporting and Enforcement Rules, became effective March 26, 2013. The amended Breach Notification Rule significantly changed and clarified the definition of "breach" and the risk-assessment approach required for breach notification. Covered entities (CEs), business associates (BAs), and BAs' subcontractors are accountable under the Rule, which applies to breaches discovered after September 23, 2013.

The amended rule requires HIPAA-CEs to develop and document policies and procedures, to train workforce members on those policies and procedures and to impose sanctions for failure to comply with them, to permit individuals to file complaints regarding these policies and procedures or a failure to comply with them, and to refrain from intimidating or retaliatory acts.

Key Points of the Amended Breach Notification Rule

Under the new definition, a "breach" is an unauthorized acquisition, access, use, or disclosure of protected health information (PHI) that compromises the security or privacy of that PHI. This definition creates a presumption that any unauthorized acquisition, access, use, or disclosure of PHI is a breach and shifts the burden to the CE or BA to demonstrate, through a risk assessment, that there is a low probability that the PHI has been compromised. The risk assessment considers the following:

  • What is the nature and extent of the PHI involved, and if it was disclosed, was it of a sensitive nature? Financial information is highly sensitive and might increase the risk of identity theft. Clinical information is highly sensitive and includes the nature of the services provided and the level of detail (diagnosis, medication, test results).
  • Who was the unauthorized person? If PHI is impermissibly disclosed to another CE obligated to abide by the HIPAA Privacy and Security Rules, there may be a low probability that the PHI has been compromised. If the PHI is not immediately identifiable, CEs may determine that the unauthorized person who received the PHI does not have the ability to re-identify the information.
  • Was the PHI actually viewed or acquired, or did only the opportunity to view or acquire it exist? An example of the latter is mail sent to the wrong individual, where that individual informs the sender that they received the information in error.
  • Has the risk to the PHI been mitigated? CEs and BAs should consider the extent to which the risk to the PHI has been mitigated, such as by obtaining the recipient's satisfactory assurance that the information will not be further used or disclosed.
  • When breach notification is required, it must be completed without unreasonable delay and in no case later than 60 days, to affected individuals, the Secretary, and, in some circumstances, the media. The form for Notice to the Secretary of HHS of a Breach of Unsecured PHI can be found here.
    • CEs must provide breach notification in writing by first-class mail or, alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.
    • The notification must include a toll-free number that individuals can call to determine whether their PHI was involved in the breach.

All HIPAA-CEs Must Revise Their Notice of Privacy Practices to Comply with the Omnibus Final Rule Amendments

The Omnibus Final Rule changed how practices can use or disclose a patient's PHI. You must revise your Notice of Privacy Practices (NPP) to include the following:

  • Include a description of the types of uses and disclosures of PHI that require a separate authorization (psychotherapy notes, marketing purposes, and disclosures that constitute a sale of PHI), and state that other uses and disclosures not described in the NPP will be made only with the individual's authorization.
  • If your practice engages in fundraising activities, explain that the patient may be contacted to raise funds, but has the right to opt-out of such communications.
  • Include a statement regarding the patient's right to request a restriction on certain disclosures to their health plan if the disclosure is purely for carrying out payment or health care operations and the requested restriction is for services paid out-of-pocket.
  • Provide a statement that the practice is required to notify affected individuals of breaches of their unsecured PHI.

Note: Samples of NPPs can be viewed here. The NPP must be made available to any person who asks for it, must be prominently posted, and must be made available on any website maintained by the CE that promotes its customer services or benefits. The NPP may be e-mailed if the individual agrees to receive an electronic notice. We will review Security and HIPAA Compliance in the January 2014 newsletter.


At the heart of modern patient data protection is the Health Insurance Portability and Accountability Act (HIPAA). Like many laws, HIPAA undergoes changes and updates to stay current. A notable instance is the December 2013 amendments to the Breach Notification Rule, illustrating how HIPAA evolves to meet the needs of the times. This blog post aims to shed light on the key aspects of the Amended Breach Notification Rule, emphasizing its implications for healthcare providers and the steps necessary to ensure compliance.

Background and Evolution of HIPAA

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) represented a groundbreaking shift in healthcare privacy and data security. This act, primarily affecting healthcare providers, health plans, and healthcare clearinghouses, introduced stringent rules for handling patient information. The landscape of HIPAA experienced a significant evolution with the introduction of the HITECH Act in 2009, further strengthening the focus on electronic data and breach notifications. These changes underscore the balance HIPAA strives to maintain between protecting patient privacy and facilitating the necessary flow of health information in an increasingly digital healthcare environment.

Definition of a HIPAA Breach

Defining a 'breach' under HIPAA's Privacy Rule requires a nuanced understanding. Generally, a breach emerges from the impermissible use or disclosure of protected health information (PHI), potentially endangering its security and privacy. Not every incident, however, qualifies as a breach. The rule presumes an incident as a breach unless a risk assessment indicates a low probability of PHI compromise. This assessment hinges on the following:

  1. The Nature and Extent of PHI Involved: Delve into the specifics, from identifiers to re-identification risks.
  2. The Unauthorized Recipient's Identity: Unpack who used or received the PHI.
  3. Actual Acquisition or Viewing of PHI: Investigate whether the PHI was truly accessed or seen.
  4. Risk Mitigation Efforts: Assess how effectively the threat to the PHI has been lessened.

Covered entities and business associates have the discretion to provide breach notification without performing a full risk assessment, but this decision comes with its own intricacies. Notably, three exceptions to the breach definition exist, each covering a scenario where the usual rules of breach don't apply. These exceptions are the following:

  1. Unintentional Access by Workforce Members: This applies when a workforce member or person under the authority of a covered entity or business associate unintentionally acquires, accesses, or uses PHI in good faith and within their authority.
  2. Inadvertent Disclosure Amongst Authorized Personnel: This occurs when a person authorized to access PHI at a covered entity or business associate inadvertently discloses it to another authorized person within the same entity or in an organized healthcare arrangement.
  3. Unretainable Information: The final exception applies if the covered entity or business associate believes in good faith that the unauthorized person to whom the impermissible disclosure was made could not retain the information.

Breach Notification Requirements Under HIPAA

When a breach of unsecured PHI occurs, HIPAA's Breach Notification Rule demands a series of critical actions from covered entities.

Notice to Individuals

In the wake of a breach involving unsecured PHI, covered entities are tasked with promptly notifying affected individuals. This communication, primarily via first-class mail or email (if the individual has consented), must happen without unreasonable delay and in no case later than 60 days after discovery of the breach.

The notice should concisely detail the breach, the PHI types involved, and advice for individuals to mitigate potential harm. It must also explain steps taken by the entity to address and prevent subsequent breaches. Should the contact information for individuals be outdated, alternative methods such as website postings or media announcements come into play.

Responsibility for these notifications may extend to business associates in certain scenarios, underscoring the collaborative effort in safeguarding PHI. This comprehensive approach to individual notice underlines the commitment to transparency and proactive response in the event of PHI breaches.

Notice to the Media

In cases of a HIPAA breach impacting over 500 individuals in a state or jurisdiction, covered entities are required to extend their notification efforts to the media. Typically executed through a press release, this step ensures broader awareness of the breach. The media notification, mirroring the individual notice, should be dispatched promptly, within a 60-day period post-breach discovery. It is imperative that these media notices encompass all vital information similar to that provided in individual notifications, underlining the commitment to transparency and widespread communication in safeguarding patient data.

Notice to the Secretary

When a HIPAA breach occurs, covered entities are required to report it to the Secretary of the US Department of Health and Human Services (HHS). This involves filling out and submitting a breach report form on the HHS website. For breaches affecting 500 or more individuals, this notification must be made promptly, within 60 days. For smaller breaches affecting fewer than 500 individuals, entities can report annually, with submissions due within 60 days after the end of the calendar year in which the breach was discovered. This reporting process ensures governmental oversight and accountability in protecting patient health information.

Understanding and navigating HIPAA's complexities requires continuous learning and adaptation. Specialized training and resources are invaluable to empower healthcare professionals and entities in this journey. This brings us to the importance of staying updated and educated about HIPAA's nuances and changes.
To master the complexities of HIPAA and stay ahead of its evolving standards, explore the targeted courses offered by HIPAA Exams. We offer specialized HIPAA training for healthcare professionals, business associates, dental offices, and HR professionals. Equip yourself and your team with the expertise to navigate HIPAA regulations confidently and ensure compliance with the latest guidelines in healthcare data protection. Head to our website to get started today!