When is a Data Breach Not Required to be Reported Under HIPAA?

Modified on Mon, 11 Dec 2023 at 02:03 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

In specific circumstances, which we outline below, data breaches affecting HIPAA covered entities or business associates might constitute breaches of unsecured PHI. HIPAA requires that breaches of unsecured PHI be reported by covered entities and business associates.

Please note that not all data breaches are considered to be breaches of unsecured PHI under HIPAA. Under HIPAA, the term breach is defined as: “The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the protected health information.”

If a breach does not involve a covered entity’s acquiring, accessing, using, or disclosing PHI, there is no breach to speak of. For example: A malware attack occurs at a federal agency to which the covered entity is required to report healthcare data. The attack occurs after the data has been reported. The attack is on the federal agency’s information systems storing the data. The covered entity does not have a business associate that is in any way responsible for or associated with the attack.

This situation does not constitute a breach that the covered entity must report under the HIPAA law or regulations. Why? The covered entity did not acquire, use, or disclose PHI. The breach was sustained by the agency, and no business associate of the covered entity played any role in the breach’s occurrence.

Under such facts, the data breach is not a breach of unsecured PHI. As such, it need not be reported by a covered entity under HIPAA. HIPAA does not require the covered entity to report the breach to patients, HHS, the media, or anyone else. Another law might. HIPAA does not. A covered entity may inform patients of the breach if, after discussion with legal counsel, it is determined that there is a legal requirement or other valid reason to do so. To repeat, though, HIPAA does not require the covered entity to report the breach - that is, to notify patients, HHS, or the media of the breach.
