Question 1

What constitutes a breach under HIPAA?

Accepted Answer

Under HIPAA, a breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. The HITECH Act established a presumption that any impermissible use or disclosure is a breach unless the covered entity demonstrates through a documented four-factor risk assessment that there is a low probability the PHI has been compromised. Common examples include ransomware attacks encrypting patient databases, employee snooping in medical records, stolen or lost unencrypted laptops, misdirected emails containing patient information, improper disposal of records, and hacking incidents that exfiltrate patient data.

Question 2

What are the HIPAA breach notification timelines?

Accepted Answer

Individual notification must be provided without unreasonable delay and no later than 60 calendar days after discovery of the breach. For breaches affecting 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days. For breaches affecting fewer than 500 individuals, HHS must be notified within 60 days of the end of the calendar year in which the breach was discovered. Media notification for breaches affecting 500 or more residents of a state or jurisdiction must be provided without unreasonable delay and no later than 60 days. Business associates must notify covered entities of breaches without unreasonable delay and no later than 60 days after discovery. Note that discovery is deemed to occur when the breach is first known or reasonably should have been known — not when the investigation concludes.

Question 3

What is the four-factor breach risk assessment?

Accepted Answer

The four-factor risk assessment required by 45 CFR 164.402 evaluates: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed, as opposed to merely being accessible; and (4) the extent to which the risk to the PHI has been mitigated. If the assessment demonstrates that the probability of compromise is low, the incident may not require notification. However, the assessment must be thoroughly documented — OCR scrutinizes risk assessments during investigations and will not accept superficial or conclusory analyses that appear designed to avoid notification obligations.

Question 4

Does a ransomware attack constitute a HIPAA breach?

Accepted Answer

In most cases, yes. HHS issued specific guidance stating that a ransomware attack involving ePHI is presumed to be a reportable breach. The encryption of ePHI by ransomware constitutes unauthorized access and a potential compromise of data availability, integrity, and confidentiality. The covered entity must conduct a four-factor risk assessment, but unless the entity can demonstrate that the ransomware only encrypted data without exfiltrating it and that the ePHI was already encrypted prior to the attack, notification is typically required. Modern ransomware operators frequently exfiltrate data before encrypting it, using the stolen data as additional leverage — making it extremely difficult to demonstrate low probability of compromise.

Question 5

What must breach notification letters contain?

Accepted Answer

HIPAA breach notification letters must include a brief description of the breach including the date of the breach and the date of discovery, a description of the types of unsecured PHI involved (such as name, Social Security number, date of birth, diagnosis, treatment information), the steps individuals should take to protect themselves from potential harm (such as monitoring credit reports, placing fraud alerts), a description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future occurrences, and contact procedures including a toll-free phone number, email address, postal address, or website. The notification must be written in plain language and sent by first-class mail. For insufficient contact information, substitute notification via website posting or major media is required.

Question 6

What is the HHS Breach Portal (Wall of Shame)?

Accepted Answer

The HHS Breach Portal is a publicly accessible database maintained by OCR that lists all reported breaches of unsecured PHI affecting 500 or more individuals. Commonly referred to as the "Wall of Shame," it includes the organization name, state, number of individuals affected, breach type, location of breached information, and breach submission date. Listings remain on the portal indefinitely and are searchable by anyone — patients, journalists, attorneys, competitors, and business partners. The reputational impact of appearing on this portal can be significant, affecting patient trust, referral relationships, and business partnerships. For breaches affecting fewer than 500 individuals, the information is reported to HHS annually but is not individually listed on the public portal.

Question 7

What exceptions exist to the breach notification requirement?

Accepted Answer

Three exceptions may prevent an impermissible use or disclosure from constituting a breach: (1) unintentional acquisition, access, or use by a workforce member acting in good faith and within the scope of authority, provided the information is not further used or disclosed improperly; (2) inadvertent disclosure by an authorized person to another authorized person at the same organization or another organization governed by the same BAA, provided the information is not further used or disclosed improperly; and (3) disclosure where the covered entity has a good faith belief that the unauthorized person would not reasonably have been able to retain the information. Additionally, if PHI is encrypted using methods specified by HHS guidance (NIST standards), it is considered secured and the breach notification requirements do not apply — this is the encryption safe harbor that makes data encryption one of the most valuable protective controls.

Question 8

How can we prepare for a potential breach before one occurs?

Accepted Answer

Effective breach preparation includes developing a written incident response plan with defined roles and communication procedures, conducting regular tabletop exercises that simulate breach scenarios, training staff to recognize and report potential incidents, establishing relationships with legal counsel, forensic investigators, and notification service providers before a breach occurs, implementing encryption across all ePHI systems to leverage the safe harbor provision, maintaining current risk analyses and documentation, ensuring all business associate agreements include proper breach notification provisions, and securing cyber insurance with adequate breach response coverage. Petronella Technology Group, Inc. provides complete breach preparedness programs that ensure your organization is ready to respond effectively when an incident occurs.

HIPAA Breach NotificationAnd Response Services

Breach Response Services

Breach Risk Assessment

Forensic Investigation

Notification Management

Remediation and Prevention

Our Breach Response Process

Immediate containment and evidence preservation

Four-factor breach risk assessment

Forensic investigation to determine scope

Draft and send required notifications

HHS and state reporting filings

Remediation and HIPAA compliance hardening

Frequently Asked Questions

Prepare for and Respond to HIPAA Breaches