What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Unsecured Protected Health Information and Guidance
Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
This guidance was first issued in April 2009 with a request for public comment. The guidance was reissued after consideration of public comment received and specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.
Breach Notification Requirements
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
Administrative Requirements and Burden of Proof
Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of “breach.”
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Instructions for Covered Entities to Submit Breach Notifications to the Secretary
View Breaches Affecting 500 or More Individuals
Breaches of Unsecured Protected Health Information affecting 500 or more individuals. View a list of these breaches.
HIPAA violation and penalties
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).
The HIPAA violation penalty structure is tiered according to the cause of the incident and the actions taken to remedy it. In cases of willful neglect, fines are much higher than those incidents that covered entities and business associates would not have known about by exercising reasonable diligence.
Failure to comply with HIPAA requirements can result in civil and criminal penalties. These civil and criminal penalties can apply to both covered entities and individuals.
Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing:
- Four categories of violations that reflect increasing levels of culpability
- Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation
- A maximum penalty amount of $1.5 million for all violations of an identical provision
A single incident might result in multiple violations. If, for example, the records of 500 individuals were lost in once incident, that would count as 500 violations.
- CMPs for HIPAA violations range from fines of $100 per violation (with an annual maximum of $25,000 for repeat violations) to fines of $50,000 per violation (with an annual maximum of $1.5 million).
- Criminal penalties range from fines of $50,000 and one year’s imprisonment to fines of $250,000 and ten years’ imprisonment.
What Happens HIPAA is Violated? – Classification of HIPAA Violations
What happens when you violate HIPAA? The answer to this depends of the severity of the breach that occurred. OCR prefers to settle HIPAA violations using non-punitive actions; however, if the violations are serious, have been permitted to go on for a long time, or if there are multiple areas of noncompliance, financial sanctions may be deemed necessary. There four categories of HIPAA violations, each of which has a different penalty structure. With unknown violations, where the covered entity could not have been expected to prevent a data breach, it may seem unreasonable for financial penalties to be issued. OCR accepts this, and has the discretion to decide not to issue a penalty. The penalty cannot be waived if the violation involved deliberate neglect of the HIPAA Privacy, Security and Breach Notification Rules.
Structure of HIPAA Violation Penalties
Each category of HIPAA violation carries a different HIPAA penalty range. It is up to OCR to determine a financial penalty within that range. OCR considers a number of factors when calculating penalties, such as the duration of time a violation was allowed to continue, the number of people affected and the nature of the data exposed, the harm caused as a result of the violation, and previous compliance history. An organization’s willingness to help with an OCR investigation is also taken into account as is the ability to pay a fine.
A data breach or security incident that occurs due to any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, possibly, be issued for any violation of HIPAA rules; however small.
A HIPAA fine may also be issued on a daily basis. For example, if a covered body has been denying patients the right to access copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the covered body has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been denied access to their medical records.
The HIPAA penalty fines are issued per violation, although there are caps on the total fines for violations of the same provision. The financial penalties for HIPAA were increased by the HITECH Act to act as a more powerful deterrent and to encourage covered entities to deterrent and the maximum annual penalty for violations of the same provision was capped at $1.5 million across all four penalty tiers. On April 28, 2019, the HHS announced that it had reviewed the HITECH Act and reinterpreted the maximum annual penalties and reduced the maximum annual penalty in three of the four penalty tiers. This will be addressed in further rulemaking, but the HHS will be using the penalty structure below until further notice.
HIPAA Violation Fines Can Also Be Issued by State Attorneys General
Since the HITECH Act (Section 13410(e) (1)) became effective in February 2009, state attorneys general have had the power to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and initiate civil actions over those violations. HIPAA violation fines can be applied up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.
A covered entity suffering a data breach affecting residents of multiple states may be ordered to pay a HIPAA violation penalty fines to attorneys general in multiple states. At present only a small number of U.S states have so far taken legal action against HIPAA offenders, but since attorneys general are able to keep a percentage of the fines issued, more attorneys general may decide to fine covered entities in the future. The number of states issuing fines for HIPAA violations is increasing.
Criminal Penalties for HIPAA Violations
Along with civil financial penalties for HIPAA violations, criminal charges can be filed against the persons responsible for violations of HIPAA Rules. Criminal penalties for HIPAA violations are split into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each single case. Criminal penalties are handled by the Department of Justice.
As with OCR, a number of general factors are taken into account which influence the fines and jail term. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be given back, in addition to the payment of a HIPAA violation penalty fine, up to a maximum of $250,000.
The different tiers for HIPAA criminal penalties are:
Tier 1: Reasonable cause or no knowledge of violation – a maximum of 1 year in jail
Tier 2: Obtaining PHI under false pretenses – a maximum of 5 years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail
In the last few years, the number of employees found to be accessing or stealing PHI – for various reasons – has risen. The value of PHI on the black market is high, and this can be a big temptation for some people. It is therefore vital that security controls are put in place to limit the potential for individuals to steal patient data, and for systems and policies to be implemented to ensure improper access and theft of PHI is identified quickly.
All staff members that may come into contact with PHI as part of their work duties should be made aware of the HIPAA criminal penalties and that violations of HIPAA may not just result in termination.
Civil Penalties for Unknowingly Violating HIPAA
Although it was referred to above that OCR has the discretion to waive a civil penalty for unknowingly breaching HIPAA, ignorance of HIPAA regulations is not thought of as a justifiable excuse for not implementing the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for not fully understanding HIPAA requirements and subsequently failing to complete a thorough risk assessment.
Due to the incomplete risk assessment, the PHI of 1,391 individuals was potentially impermissibly disclosed when a laptop containing PHI was stolen from a car parked outside an employee’s home. Speaking after details of the fine had been revealed, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for not considering security protections.
There is also potential for a CE or BA to receive a civil penalty for unknowingly breaching HIPAA if the state in which the violation happens allows citizens to bring legal action against the person(s) or entity responsible for the violation. Although HIPAA lacks a private cause of action, people can still use the regulations to establish duty of care under common law.
Penalties for HIPAA Violations May Be Issued for HIPAA Compliance Audit Failures
If a CE or BA is found not to have adhered to HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance even if there has been no breach of PHI or no complaint filed.
After some delay, OCR has carried out the second phase of its HIPAA compliance audit program. The audits were not carried out specifically to find HIPAA violations and to issue financial penalties, although if serious breaches of HIPAA Rules are found, financial penalties may be deemed necessary.
The first phase of HIPAA compliance audits was finished in 2012 and showed many covered entities were having difficulties with compliance. OCR gave technical assistance to help those entities address areas of noncompliance and no penalties for HIPAA violations were applied.
Five years on, HIPAA covered entities have had plenty of time to develop their compliance programs. OCR is not expected to be as lenient on this occasion.
One of the largest areas of noncompliance with HIPAA Rules found during the first phase of compliance audits was the failure to complete a comprehensive, organization-wide risk assessment.
The risk assessment is important for developing a good security posture. If a risk assessment is not completed, a covered entity will be unaware whether any security weaknesses exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be controlled and reduced to an acceptable level.
The failure to enter into Business Associate Agreements (BAAs) with third-party service providers can attract financial penalties for HIPAA noncompliance. Several covered entities have been fined for not revising BAAs written before September 2014, when all existing BAAs were made invalid by the Final Omnibus Rule. In September 2016, the Care New England Health System was issued with a fine for $400,000 for HIPAA noncompliance that included the failure to update a BAA originally completed in March 2005.
BAAs are a key area that OCR will be reviewing throughout its audit program. BAAs – contracts that lay out the allowable uses and allowable disclosures of PHI – should be signed with every third party with whom PHI is disclosed (including lawyers) to ensure they are made aware of their responsibilities with respect to HIPAA.
|Civil monetary penalties|
1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
2. The HIPAA violation had a reasonable cause and was not due to willful neglect. The covered entity should have been aware of but could not have prevented even with a reasonable amount of care.
$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period (within 30 days)
$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
4. The HIPAA violation was due to willful neglect and where no efforts have been made to correct the violation in a reasonable time frame
$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
|Tier||Potential jail sentence|
Unknowingly or with reasonable cause
|Up to one year|
|Under false pretenses||Up to five years|
For personal gain or malicious reasons
|Up to ten years|
Should you file a complaint?
OCR reviews all complaints it receives. According to the HHS website, in 2020 there were 27,182 complaints received vs 2013 which had 12,915. If a covered entity or business partner is found to have breached the Privacy or Security Rules, OCR will attempt to resolve the case by obtaining voluntary compliance, corrective action, and/or resolution agreement from the covered entity. If OCR is not satisfied with the resolution, it may decide to impose civil money penalties (CMPs) on the covered entity.
For information on the history of and details about each of the HIPAA Rules, please visit https://www.hhs.gov/hipaa/for-professionals/index.html and click on “Privacy,” “Security,” or “Breach Notification” from the left-hand tool-bar.
Enforcement Results as of January 31, 2022
Since the compliance date of the Privacy Rule in April 2003, OCR has received over 289,211 HIPAA complaints and has initiated over 1,106 compliance reviews. We have resolved ninety-six percent of these cases (278,146).
OCR has investigated and resolved over 29,398 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR settled or imposed a civil money penalty in 106 cases resulting in a total dollar amount of $131,392,632.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
In another 13,618 cases, our investigations found no violation had occurred.
Additionally, in 50,202 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.
In the rest of our completed cases (184,928), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:
- OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;
- The complaint is untimely, or withdrawn by the filer; and
- The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.
From the compliance date to the present, the compliance issues most often alleged in complaints are, compiled cumulatively, in order of frequency:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.
The most common types of covered entities that have been alleged to have committed violations are, in order of frequency:
- General Hospitals;
- Private Practices and Physicians;
- Outpatient Facilities;
- Pharmacies; and
- Community Health Centers.
OCR refers to the Department of Justice (DOJ) for criminal investigation appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rules. As of the date of this summary, OCR made 1,294 such referrals to DOJ.