When is a HIPAA breach not a HIPAA breach?

In recent blogs we have been discussing the definition of a HIPAA data breach and reviewed the notification requirements under the law. But we haven't discussed the exceptions to the breach portion of the law, known as the Breach Notification Rule. There are a few select situations where notification is not required.

So are there exceptions? Are there occasions where a breach is not considered a breach?

There are three situations that are exceptions to the Breach Notification Rule, and these exceptions apply only to a breach which occurred at the hands of a person or persons authorized to handle PHI/ePHI under the Covered Entity or Business Associate designation.

  1. A person acting in good faith who unintentionally accessed, acquired or used PHI/ePHI.
  2. A person acting in good faith who unintentionally or inadvertently disclosed protected data to a person who is also authorized to work with the protected data.
  3. In the case where the Covered Entity or Business Associate has a reasonable, good faith belief that the unauthorized person, to whom the disclosure was made, would not be able to retain the information.

Finally, always remember, the breach notification rule only applies to unsecured PHI — that is, PHI “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance,” according to HHS.

What is the takeaway? You need to understand what your notification responsibilities are in case of a security breach. It is easy to get caught up in compliance policy and forget that HIPAA has rules to follow when a breach occurs, which, sadly, is always a very real possibility. This e-guide should be a quick primer and a jumping-off point for learning more from a qualified IT services provider about how you can be sure you are addressing all of the regulations under HIPAA and the HITECH Act. Remember, there are stiff penalties for any violation of the Breach Notification Rule. Ask a managed services provider for assistance in developing a complete plan to handle HIPAA data security issues.