What is Considered a HIPAA Breach?

A HIPAA breach is an acquisition, access, use, or disclosure of unsecured protected health information that is not permitted under the HIPAA Privacy Rule and that compromises the security or privacy of the protected health information under the HIPAA Breach Notification Rule standards. A breach can involve electronic, paper, or oral protected health information and can occur through misdirected disclosures, unauthorized access, loss or theft of records or devices, improper disposal, or system compromise that results in impermissible access to protected health information.

The HIPAA Breach Notification Rule applies a presumption that an impermissible acquisition, access, use, or disclosure of protected health information is a breach unless a documented risk assessment determines there is a low probability that the protected health information has been compromised. The required assessment evaluates the nature and extent of the protected health information involved, the unauthorized person who used the protected health information or to whom the disclosure was made, whether the protected health information was actually acquired or viewed, and the extent to which the risk to the protected health information has been mitigated. A reportable breach determination triggers notification duties to affected individuals and specified government entities, and in certain cases the media, within the timeframes set by regulation.

The HIPAA Breach Notification Rule includes limited exclusions from the definition of breach that apply only when specific conditions are met. These exclusions cover certain unintentional acquisitions, accesses, or uses by workforce members acting within the scope of their authority, certain inadvertent disclosures between authorized persons within the same covered entity or business associate, and certain disclosures where the recipient could not reasonably have retained the information. Each determination requires fact-specific documentation, since an incident can still require internal reporting, mitigation, sanctions under workforce policies, and corrective actions even when notifications are not required.

HIPAA staff training supports breach prevention and response by establishing a workforce understanding of HIPAA rules and regulations before internal policies and procedures are addressed. All workforce members with access to PHI must receive HIPAA training, including those who create, receive, maintain, transmit, or otherwise handle protected health information in any format. HIPAA staff training should be provided during onboarding and reinforced through refreshers, with annual HIPAA training as industry best practice. Online training can be used to deliver comprehensive instruction on the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, with emphasis on recognizing impermissible disclosures, securing workstations and devices, using secure communication methods, and reporting suspected incidents through the organization’s internal pathway for evaluation. The HIPAA Journal Training is online, comprehensive, and suitable for onboarding and annual refresher training, and its completion records support compliance oversight and audit documentation.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA