What Triggers A Breach Notification Under The HIPAA/HITECH Act?

Encrypt PHI with Server General TDE
You Don’t Want To Be Standing There

Let’s first review few items before we discuss when a breach notification is triggered.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996.

The Health Information Technology for Economic and Clinical Health (HITECH) was enacted in 2009 as part of American Recovery and Reinvestment Act makes significant changes to the privacy rules of the HIPAA Act.

Covered Entity:
An organization that transmits any health information electronically in connection with a covered transaction such as submitting health care claims to a health plan.

Business Associate:
A “business associate” means a person who performs functions or activities on behalf of or for a covered entity that involve the use or disclosure of identifiable health information of individuals. Business associates of covered entities are directly liable for compliance with the HIPAA Privacy and Security Rules requirements.

What Triggers A Breach Notification Provision?
Under the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414 covered entities and their business associates are required to provide breach notification following an act that compromises the privacy of individuals in violation of the HIPAA privacy rule through acquisition or access or use or disclosure of protected health information (PHI). The notification has to take place within a stipulated time period upon discovery of a breach. It is important to note that a breach is considered discovered when the covered entity and their business associate become aware of it and not when the breach analysis concludes an impermissible use of PHI. Covered entities and business associates are free to provide breach notification without performing a risk assessment analysis of the incident just to be on the safe side. This rule became effective as of September 23, 2013.

Who To And When To Notify?
Covered entities along with their business associates must notify the following when their unsecured protected health information (PHI) has been breached:

Affected individuals – no later than 60 days when the breach discovery occurred.

Health and Human Services (HHS) – at the same time when the affected individuals are being informed as long as more than 500 individuals have been impacted by the breach or at the end of year if the number is smaller than 500.

Media – when the breach affects more than 500 residents of a state or city or town

The HHS considers “unsecured” PHI is when it has not been rendered unusable or unreadable or indecipherable to unauthorized users. The best way to protect PHI against internal or external attacks is via data-at-rest encryption combined with advanced access control mechanisms. Furthermore, covered entities that encounter a breach that has resulted in an impermissible use or disclosure of PHI but had followed the security guidelines get an exemption from the breach notification provision (“safe harbor”).

Server General TDE uses the Advanced Encryption Standard (AES) algorithm to encrypt PHI stored in a database or a file server deployed on any cloud platform thereby preventing a breach notification trigger.