The U.S. Dept. of Health and Human Services’ (HHS) Breach Notification Rule[1] (the “Breach Notification Rule”) codifies a federal data breach notification standard in the rules of the Code of Federal Regulations (CFR), pursuant to HHS’ authority under the Health Insurance Portability and Accountability Act (HIPAA).

Applicability

The Breach Notification Rule applies to HIPAA covered entities and business associates that suffer a breach. The term “breach” under the Breach Notification Rule means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the privacy or security provisions of the HIPAA regulations.

There are three safe harbor exclusions from the definition of breach—(1) the unintentional access by a covered entity or business associate employee that was made in good faith; (2) the inadvertent disclosure by a covered entity or business associate employee to another; and (3) a disclosure made with a good faith belief that it could not reasonably have been retained by the unauthorized recipient.

A violation of the privacy and security provisions is presumed to constitute a breach. The covered entity or business associate can rebut that presumption, for purposes of notification, by demonstrating that there is a low probability that the protected health information (PHI) has been compromised. The entity must conduct a risk assessment using four factors prescribed under 45 C.F.R. § 164.402(2).

Requirements

Covered entities must make notification to:

  1. Data subjects
  2. Media
  3. Secretary of HHS

When fewer than five hundred (500) data subjects are affected by the data breach, notification must be made to the data subjects without unreasonable delay and not more than 60 days later. Notification must also be made to the Secretary of HHS, but on an annual basis, no later than 60 days after the end of the calendar year.

When five hundred (500) or more residents of a state are affected, the covered entity must notify the data subjects and prominent media outlets serving that jurisdiction. Typically, the media notification is in the form of a press release.

Notifications must include:

  1. a brief description of the breach
  2. a description of the types of information that were involved in the breach
  3. the steps affected individuals should take to protect themselves from potential harm
  4. a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
  5. contact information for the covered entity

Enforcement & Liability

The HHS Office for Civil Rights (OCR) enforces the Breach Notification Rule. Violations may result in civil monetary penalties. In wrongful disclosure cases under 42 U.S. Code § 1320d–6, criminal penalties are enforced by the U.S. Department of Justice (DOJ).

Penalties

Covered entities that violate the Breach Notification Rule may be subject to fines from $119 to $59,522 per violation, with a calendar-year cap of $1,785,651 for an aggregate of identical violations.[2]


[1] 45 CFR §§ 164.400-414

[2] https://www.mercer.com/our-thinking/law-and-policy-group/hhs-adjusts-2020-hipaa-other-civil-monetary-penalties.html#:~:text=HIPAA%20privacy%20and%20security&text=The%20minimum%20penalty%20for%20each,reasonable%20diligence%20%E2%80%94%20about%20the%20violation.