HIPAA Breach Notification Rule

What is the HIPAA Breach Notification Rule?

The HHS data breach policy, known as the HIPAA Breach Notification Rule, requires HIPAA-covered entities and their business associates to report any breach involving protected health information (PHI) to HHS, to the affected individuals, and in some cases to the media.

A breach is, generally, an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. 

Data breaches must be reported within 60 calendar days after the “date of discovery,” regardless of how certain the covered entity is that a breach occurred. If a breach involves fewer than 500 individuals, the covered entity may log the breach and submit that log within 60 calendar days after the end of the calendar year in which the breach was discovered. If a breach involves 500 or more individuals, the covered entity must also report the breach to a state media outlet, in addition to HHS and the affected individuals.

Information in an HHS data breach report includes:

  • Name of the covered entity
  • State
  • Type of covered entity
  • Number of affected individuals
  • Date of breach submission
  • Type of breach
  • Location of the breached information

Why is the HIPAA Breach Notification Rule important to healthcare?

The HHS data breach policy is important because it protects patient privacy. The Breach Notification Rule ensures patients are made aware if their PHI is compromised, letting them act to prevent further damage. It also holds covered entities and their business associates accountable for protecting stored information.