HIPAA Breach Exceptions: A Comprehensive Guide for Healthcare Providers

In the event of a breach, the HIPAA Breach Notification Rule requires covered entities and their business associates to promptly inform individuals and the Department of Health and Human Services (HHS). 

However, there are HIPAA breach exceptions that do not require notifications to the HHS or the individuals affected. This article explains the exceptions to a HIPAA breach that healthcare providers and other covered entities should know.

What Constitutes a HIPAA Breach?

A HIPAA breach involves an impermissible use or disclosure under the Privacy Rule that jeopardizes the security and privacy of PHI. Unless a covered entity or business associate can demonstrate a low probability of PHI compromise, such incidents are presumed to be breaches.

A comprehensive risk assessment helps determine whether a breach has occurred. It considers the nature and extent of the protected health information involved, the likelihood of re-identification, the unauthorized person involved, the type of information accessed, and the scope of risk mitigation measures undertaken. While entities can exercise discretion in notifying affected parties, performing a risk assessment is essential in determining the need for a breach notification.

Exceptions to HIPAA Breach Notification

According to the Breach Notification Rule, there are three exceptions to a HIPAA breach notification:

1. Unintentional acquisition, access, or use

In situations where a workforce member or an individual acting under a covered entity’s or business associate’s authority inadvertently acquires, accesses, or uses PHI in good faith and within their authorized scope, a breach notification might not be required. The critical caveat is that the information must not be further used or disclosed in violation of the Privacy Rule.

2. Inadvertent disclosure by authorized persons

Another exception considers the unintentional disclosure of PHI between authorized individuals within the same covered entity, business associate, or organized healthcare arrangement. If the disclosed information remains within authorized channels and is not improperly used or shared, it may not necessitate breach notifications.

3. Good faith belief that the recipient could not retain the information

If a covered entity or business associate reasonably believes that the unauthorized PHI recipient would not have been able to retain the information, breach notification requirements may be waived.

Permitted Uses and Disclosures Under HIPAA

The HHS delineates instances where healthcare providers can share PHI without explicit patient consent. Under HIPAA, healthcare providers can share PHI with one another for treatment purposes, even without prior patient authorization. A covered entity (CE) can also disclose PHI to another covered entity or its business associate for specific healthcare operations activities, even without patient consent. 

However, before a CE can share PHI with another CE, it must satisfy three requirements:

  1. Both should have a relationship with the patient
  2. The PHI requested must pertain to the relationship
  3. The discloser must only provide the minimum information necessary for the procedure or operation

HIPAA Breach Notification Requirements

If the suspected HIPAA breach doesn’t fall under the exceptions and permitted uses and disclosures discussed above, healthcare providers should follow HIPAA breach notification requirements. Under HIPAA, covered entities (CEs) and their business associates (BAs) should follow the rules for notifying people, regulators, and sometimes the media.

Individual notice

CEs must inform affected individuals within 60 days of discovering the breach. They can use letters or emails, provided the person has agreed to electronic notices. If contact details for ten or more people are outdated, substitute methods such as posting on the entity's website or using local media can be used.

Covered entities could post the notice on their website’s homepage for at least 90 days or use mainstream print or broadcast media where the affected individuals reside. A toll-free phone number must also be included for inquiries and should remain active for at least 90 days. If fewer than ten people have wrong contact information, other ways like written letters or calls are acceptable.

Media notice

If more than 500 people in a state or jurisdiction are affected, CEs must also notify prominent media outlets serving that area, typically through a press release. Like individual notices, media notifications must be sent within 60 days of breach discovery.

Secretary’s notice

CEs must also notify the Secretary of HHS about breaches through a form on the HHS website. For breaches affecting 500 or more people, they must do so without unreasonable delay and within 60 days of discovery. For smaller breaches, an annual notification is acceptable, but those reports are due within 60 days after the end of the year.

Notification by a business associate

If a business associate is responsible for the breach, it must also inform the covered entity, within 60 days of discovering the breach.

Rules and proof

Covered entities and their business associates bear the burden of proof: they must be able to demonstrate that they complied with the notification requirements, or that the use or disclosure of PHI was not a breach.

Understanding Breach Exceptions in HIPAA

The Breach Notification Rule underscores the need for healthcare providers to remain vigilant against privacy threats. However, some instances may not warrant immediate notifications. These exceptions provide essential guidelines for determining when and how to report breaches. Understanding them can help covered entities and business associates make accurate decisions, mitigate potential harm, and prevent disruptions to health care operations.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
