AMARILLO, TX – Health care providers handle some of the most sensitive information in modern society. Yet, even the most diligent organizations can face a violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). When that happens, uncertainty can spread quickly: Is this a breach? Does it require notice? What are the next steps?
The good news is that while responding to a HIPAA violation is high-stakes, it does not need to be overwhelming. By understanding the framework, including what qualifies as a breach, what does not, and how to assess and respond to the circumstances, providers can act decisively, limit risk, and maintain the trust of patients and the public.
This article provides a roadmap for responding to impermissible uses or disclosures of protected health information (“PHI”) under HIPAA.
What HIPAA Considers a “Breach”
A breach under HIPAA is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. The notification obligations discussed below attach only to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance; a lost laptop whose drive is encrypted to that standard, for example, does not trigger notification. At first glance, the definition of breach appears broad. Fortunately, the Department of Health and Human Services (“HHS”) recognizes three key exceptions to the definition. Where a covered entity can demonstrate that a HIPAA violation meets one of these exceptions, the incident is not considered a breach and, as a result, does not require notification.
Understanding these exceptions can prevent unnecessary breach notifications that might trigger regulatory scrutiny, financial exposure, and reputational harm. The burden of proof rests on the covered entity: to rely on an exception, it must document its determination that the incident does not meet the definition of a breach and must maintain that documentation for at least six years.
Unintentional Acquisition, Access, or Use
A breach excludes any unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of a covered entity or business associate, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule. For example, a respiratory therapist (“RT”) mistakenly sends an e-mail containing PHI to the wrong employee, who opens it. The employee notices that he is not the intended recipient, alerts the RT of the misdirected e-mail, and then deletes it. The employee unintentionally accessed PHI that he was not authorized to access, but he did so in good faith and within the scope of his authority. The incident therefore is not a breach and notification is not required, provided the employee did not further use or disclose the information in a manner not permitted by the Privacy Rule.
Inadvertent Disclosure
A breach excludes any inadvertent disclosure by a person who is authorized to access PHI at a covered entity to another person authorized to access PHI at the same covered entity (or at the same business associate or organized health care arrangement), provided the information received is not further used or disclosed in a manner not permitted under HIPAA. For example, a physician, a nurse, and a billing employee at a hospital are all authorized to access PHI at the hospital, so an inadvertent disclosure among them would meet this exception. In contrast, the exception does not apply where the recipient is not authorized to access PHI, nor where the disclosure is not between individuals at the same covered entity.
Good Faith Belief the Recipient Cannot Retain the Information
A breach excludes any disclosure of PHI where a covered entity has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. For example, a covered entity mails explanations of benefits (“EOBs”) to the wrong individuals, and some of the EOBs are returned by the post office unopened as undeliverable. For those returned EOBs, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned, and that the covered entity knows were sent to the wrong individuals, must be treated as potential breaches.
When in Doubt: Conduct a Risk Assessment
If an impermissible use or disclosure of unsecured PHI does not fit within an exception to the definition of breach, HIPAA presumes it is a breach. A covered entity may rebut that presumption only by demonstrating, through a risk assessment of the four factors addressed below, that there is a low probability that the PHI was compromised; only then may it forgo breach notification. To rely on the risk assessment, the covered entity must consider and document all four factors and weigh them together in reaching its conclusion. The assessment is not mandatory in every case: a covered entity that prefers to treat the incident as a breach may proceed directly to notification without performing one. Where the covered entity does rely on the assessment, it must document it and maintain the documentation for at least six years.
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
A covered entity should identify which of the 18 HIPAA identifiers were involved, whether other PHI such as clinical information was included, whether the information is especially sensitive (for example, social security numbers or genetic testing information), and whether the information could realistically be used to re-identify the individual. The more identifiers involved, the more sensitive the information, and the easier the re-identification, the greater the probability that the incident compromised the PHI.
The unauthorized person who used the PHI or to whom the disclosure was made
A covered entity should determine who received the information: a health care provider or another HIPAA covered entity bound by its own confidentiality obligations, a workforce member the covered entity controls as an employer, or a member of the public. Where the recipient is bound by confidentiality rules or is under the covered entity’s control, the covered entity can more reasonably conclude that the unauthorized use or disclosure presents a low probability of compromise. An unknown recipient or a member of the public weighs in the other direction.
Whether the PHI was actually acquired or viewed
A covered entity should determine whether the PHI was actually acquired or viewed or merely exposed to the opportunity to be acquired or viewed: was the file opened, read, saved, forwarded, or otherwise misused? Where the covered entity can show that the information was only accessible, as opposed to opened, read, saved, or misused, it can more reasonably conclude that the use or disclosure presents a low probability of compromise. That showing should rest on evidence, such as e-mail or system audit logs or a forensic examination of a recovered device, rather than on assumption; a recovered laptop whose forensic analysis shows the PHI was never accessed is the classic example.
The extent to which the risk to the PHI has been mitigated
A covered entity should take steps to reduce the risk to the PHI and document those corrective actions. For example, where the covered entity can demonstrate that it retrieved the PHI, that the PHI was deleted or made inaccessible, or that it obtained the recipient’s satisfactory assurance (such as a signed attestation) that the information was destroyed and not further used or disclosed, there is a lower probability that the PHI was compromised. Conversely, where the covered entity cannot mitigate the risk to the PHI, there is a greater probability that the incident compromised the PHI.
When Notification Is Required
If no exception to the definition of breach applies and the risk assessment does not establish a low probability of compromise (or the covered entity elects not to perform one), the covered entity must notify affected individuals and the Secretary of HHS and, if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area. HIPAA requires these notices to follow specific timing and content rules.
Notice to Individuals
Notification to affected individuals must be provided without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known to the covered entity or, by exercising reasonable diligence, would have been known to it, and the covered entity is deemed to know what its workforce members and agents know; the 60 days are an outer limit, not a safe harbor for delay. The notice must be written in plain language and sent by first-class mail to the individual’s last known address, unless the individual has agreed to receive electronic notice. Each notice must include:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured PHI that were involved (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.
If the covered entity’s contact information for an individual is insufficient or out of date, HIPAA requires substitute notice, and the form depends on how many individuals are affected. If fewer than 10 individuals have insufficient contact information, the covered entity may use an alternative form of written notice, telephone, or other means. If 10 or more individuals are affected, the covered entity must either post a conspicuous notice on the home page of its website for 90 days or provide conspicuous notice in major print or broadcast media where the affected individuals likely reside, and in either case must include a toll-free telephone number, active for at least 90 days, through which individuals can learn whether their PHI may have been involved.
Notice to Media
If a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that area. The content requirements for notice to the media mirror those for notice to individuals, and the same timeline applies: notice must be given without unreasonable delay and in no event later than 60 calendar days after discovery of the breach.
Notice to HHS
All breaches of unsecured PHI must be reported to the Secretary of HHS through the breach reporting portal on the HHS website, but the timing depends on the number of individuals affected. If 500 or more individuals are affected, the covered entity must notify HHS contemporaneously with the notice to individuals, i.e., without unreasonable delay and no later than 60 calendar days after discovery. If fewer than 500 individuals are affected, the covered entity must log the breach and submit the log to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
Preparedness Is Protection
HIPAA breaches can be disruptive, costly, and damaging, but providers who are well-versed in the regulatory framework can respond with clarity and confidence. The key steps are:
- Determine whether the incident involved a use or disclosure of unsecured PHI that the Privacy Rule does not permit.
- If so, assess whether one of the three exceptions to the definition of breach applies, and document that determination.
- If no exception applies, either conduct and document a four-factor risk assessment or treat the incident as a breach.
- If notification is required, issue timely and complete notices to affected individuals, HHS, and, where applicable, the media, and retain all documentation for at least six years.
By embedding these practices into compliance programs and training, health care providers can not only meet regulatory expectations but also preserve trust essential to patient care.
Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].
Jordan T. Vogel, Esq., is an attorney with the Health Care Group at Brown & Fortunato, PC, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Mr. Vogel can be reached at (806) 345-6351 or [email protected].
