10 Facts About the HIPAA Breach Notification Rule and Breach Reporting

With US healthcare’s mandatory move to electronic medical records, Dark Web thieves have taken full advantage of the ability to access personal details.

It’s up to all medical staff and healthcare organizations to protect their electronic medical records and stay up to date with HIPAA Breach Notification Rules and breach reporting practices.

With so much personal information online, the opportunity for data to fall into the wrong hands is tremendous.

Birth dates, home addresses, email addresses, phone numbers, Social Security numbers and driver’s license information can all be used to initiate fraud. Marital status, emergency contact details and employment information can also be used to guess login credentials and security-question answers.

A full understanding of HIPAA breach notification is vital: the aim is to prevent breaches from ever happening in the first place, and to know exactly what to do when things do go wrong.

Check out 10 facts to learn more today!

1. First of all, what is HIPAA?

Despite HIPAA having been introduced more than 20 years ago, it still remains a source of confusion and difficulty for healthcare organizations.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was created to improve the efficiency and effectiveness of the health care system.

Put simply, HIPAA protects individuals’ medical records and other personal health information. It also gives staff clear rules that help them avoid costly errors.

Frequent HIPAA training is mandatory for anyone who comes into contact with protected health information (PHI). This includes doctors, dentists, nurses, receptionists and part-time employees/interns.

2. What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule requires HIPAA-covered organizations and their employees to provide notification following a breach of unsecured protected health information.

The following factors come into consideration when assessing whether there has been a breach:

  • The nature and extent of the protected health information involved.
  • The individual(s) involved.
  • Whether the information was actually acquired or viewed.
  • How far the risk has been alleviated.

3. What are the 3 exceptions to the definition of ‘breach’?

  1. Unintentional acquisition, access or use of protected health information.
  2. Inadvertent disclosure of protected health information between two members of medical staff.
  3. A disclosure made by a staff member to an unauthorized person who would not have been able to retain the information.

4. Unsecured protected health information

HIPAA-covered organizations and their employees only need to make a HIPAA breach notification if the breach involved unsecured protected health information.

5. Breach notification requirements

Following a confirmed breach, hospitals or health insurance companies must notify the following within 60 days:

  1. Affected individuals (by first-class mail, or by email if appropriate).
  2. Secretary of HHS (for a breach affecting more than 500 residents of a State or jurisdiction area. Visit the HHS website and electronically submit a breach report form).
  3. Media (for a breach affecting more than 500 residents of a State or jurisdiction area).

6. The penalties for making a breach

There are four categories of penalties:

  • Category 1 ($50 – $50,000) – where a breach was realistically unavoidable.
  • Category 2 ($1,000 – $50,000) – where a breach should not have been made but was unavoidable even with a reasonable amount of care.
  • Category 3 ($10,000 – $50,000) – where a breach represents overt ‘willful neglect’ of HIPAA Rules.
  • Category 4 (minimum of $50,000) – where a breach represents overt ‘willful neglect’ of HIPAA Rules and no attempt has been made to correct the violation.

The maximum fine per violation category, per year, is $1,500,000.

Ask yourself, have you ever seen a fine of $25,000 or less? The average fine runs over $50,000, even for smaller organizations.

7. How common are breaches?

In 2016 alone, the Identity Theft Resource Center reported 355 breaches affecting 15 million records. In fact, last year was a record year for American healthcare breaches in hospitals, dental clinics and senior care facilities.

According to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, 90 percent of health care organizations have been hacked.

The industry saying is there are only two types of healthcare organizations – those who know they’ve been hacked and those who don’t know it yet. Which one are you?

8. How can you prevent a breach from taking place?

Ask yourself the following questions:

  1. Does our organization have proper IT security controls, including virus protection, firewalls, encryption software and authentication measures?
  2. Do we have an IT professional proactively managing our network?
  3. Does our organization have a backup system for digitally stored data?
  4. Are there systems in place to trace back a potential digital HIPAA violation to a specific username or login ID?
  5. Are there automatic “timeouts” on computers within our organization?

It is also best practice to shred paper files and to install security cameras and alarm systems, among other physical safeguards.

9. Breaches affecting 500 or more individuals

If you and your organization can learn from the mistakes of others, you will be more prepared when it comes to HIPAA Breach Notification Rules. You can view a list of these breaches here.

10. Compliance to prevent a breach

A HIPAA compliance checklist for all staff is a great way to reduce, and ideally eliminate, the risk of a breach of information. Use the following as a guideline:

  • Have we completed a Risk Assessment within the past 12 months?
  • Does our organization have the most up-to-date information regarding HIPAA laws?
  • Is there a Notice of Information Practices posted in our office and given to each patient?
  • Is there a designated Information Privacy and Security Officer in our organization?
  • Does our organization have procedures in place for the receiving, documentation and investigation of individual complaints?
  • Is our organization using current patient consent forms and notices of privacy practices in compliance with HIPAA regulations?
  • Are the consent forms and notices available in other languages that might be best spoken and understood by certain patients?

It’s also important that consent forms include an explanation of patients’ rights and details on the organization’s legal responsibilities.

Final thoughts

Keeping your staff up-to-date with HIPAA Breach Notification Rules is a mission your organization shouldn’t and can’t ignore.

If you need further information or want to learn more about the HIPAA Breach Notification Rule, contact us at HIPAA Security Suite. Our software-based solution, along with our staff’s assistance, helps make the compliance process streamlined and (almost) effortless.

We’re here to help!

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
