How Does HIPAA Address Data Breaches?

HIPAA addresses data breaches by defining when an impermissible use or disclosure of protected health information becomes a breach, requiring a documented breach risk assessment for unsecured protected health information, and imposing notification, reporting, and recordkeeping duties under the HIPAA Breach Notification Rule for HIPAA Covered Entities and Business Associates.

A breach under the HIPAA Breach Notification Rule is an impermissible use or disclosure of protected health information that compromises the security or privacy of the information, subject to specified exceptions (for example, certain unintentional or inadvertent uses and disclosures within a Covered Entity or Business Associate made in good faith and within the scope of authority). Protected health information is unsecured when it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a method specified in HHS guidance (encryption or destruction). An impermissible use or disclosure of unsecured protected health information is presumed to be a breach unless the HIPAA Covered Entity or Business Associate demonstrates, through a documented risk assessment, that there is a low probability the information has been compromised. That risk assessment must consider at least four factors: the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the protected health information or to whom it was disclosed; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the information has been mitigated.

When notification is required, the HIPAA Breach Notification Rule sets content, timing, and delivery standards. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery of the breach. The notice must describe what happened, including the date of the breach and the date of discovery if known; the types of unsecured protected health information involved; steps individuals should take to protect themselves; what the organization is doing to investigate, mitigate harm, and protect against further breaches; and contact procedures for questions. A HIPAA Covered Entity must also notify the Secretary of the U.S. Department of Health and Human Services through the HHS breach reporting portal. For breaches affecting 500 or more individuals, that notice is due at the same time as individual notice, without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting fewer than 500 individuals are logged and reported to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. Breaches involving more than 500 residents of a state or jurisdiction additionally require notice to prominent media outlets serving that state or jurisdiction, on the same timeline as individual notice.

HIPAA also assigns breach related duties in business associate relationships. A Business Associate that discovers a breach of unsecured protected health information must notify the HIPAA Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, and must provide, to the extent possible, the identity of each affected individual along with any other available information the Covered Entity needs to meet its notification and reporting obligations. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity other than the person who committed the breach. The HIPAA Security Rule supports breach prevention by requiring safeguards for electronic protected health information, including risk analysis, risk management, access controls, audit controls, integrity controls, person or entity authentication, transmission security, and workforce security measures, with policies, procedures, training, and documentation retained for at least six years from the date of creation or the date last in effect, whichever is later. Noncompliance can trigger investigations by the HHS Office for Civil Rights, corrective action obligations, civil money penalties, and resolution agreements through federal enforcement processes.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA