Breach Notification Rule

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).

What is a "Breach"?

HIPAA defines a "breach," generally, as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

There are three exceptions to the HIPAA definition of breach:

  1. The unintentional acquisition, access, or use of PHI made in good faith and within the scope of authority.
  2. The inadvertent disclosure of PHI by a person authorized to access PHI to another person authorized to access PHI at the same covered entity or business associate.
  3. A disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.
