What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule is a set of regulations issued by the U.S. Department of Health and Human Services (HHS) that requires covered entities and their business associates to notify individuals, HHS, and, in some cases, the media when there is a breach of unsecured protected health information (PHI). The Breach Notification Rule was created under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

The Breach Notification Rule defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI. Covered entities and their business associates are required to conduct a risk assessment to determine whether a breach has occurred, and if so, whether notification is required.

If a breach of unsecured PHI affects 500 or more individuals, covered entities are required to notify those individuals, HHS, and, in some cases, the media without unreasonable delay and no later than 60 days after the breach is discovered. If a breach affects fewer than 500 individuals, covered entities are required to notify those individuals within 60 days of the end of the calendar year in which the breach occurred.

The Breach Notification Rule also requires covered entities and their business associates to maintain documentation of breaches and their responses for at least six years. Failure to comply with the Breach Notification Rule can result in significant penalties and fines imposed by HHS.