Breach of ePHI Requirements for Covered Entities and Business Associates
Breach Notification Requirements
When a breach is presumed
Under the HIPAA Breach Notification Rule (45 CFR 164.400-414), any impermissible acquisition, access, use, or disclosure of unsecured ePHI is presumed to be a breach unless you can demonstrate a low probability that the information was compromised. You make that demonstration through a documented risk assessment that weighs at least four factors: what data was involved and how identifiable it is, who received or used it, whether it was actually acquired or viewed, and how effectively you mitigated the incident. If the assessment cannot support a low probability of compromise, treat the event as a breach and notify.
Who must be notified and when
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Sixty days is the outer limit, not a target, and a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed it. A breach affecting 500 or more individuals must also be reported to HHS at the same time individuals are notified; if it involves more than 500 residents of a single state or jurisdiction, you must also notify prominent media serving that area. Breaches affecting fewer than 500 individuals are logged and submitted to HHS no later than 60 days after the end of the calendar year in which they were discovered. If a law enforcement official states that notification would impede a criminal investigation or damage national security, you delay for the period specified in a written statement; an oral statement must be documented and supports a delay of no more than 30 days unless a written statement follows.
Content and method of notice
Notices to individuals must be written in plain language and include: a brief description of what happened, including the date of the breach and the date of discovery if known; the types of unsecured ePHI involved (for example, names, Social Security numbers, dates of birth, diagnoses); steps individuals can take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and contact procedures, which must offer a toll-free number, email address, website, or postal address. Send notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for ten or more individuals, provide substitute notice by a conspicuous posting on your website for 90 days or through major print or broadcast media, together with a toll-free number active for at least 90 days; for fewer than ten, an alternative written notice, telephone call, or other means suffices. Where misuse is imminent, you may also notify by telephone in addition to the written notice.
Business Associate Obligations
Reporting and coordination duties
A business associate must notify its covered entity of a breach of unsecured ePHI without unreasonable delay and no later than 60 calendar days after discovery. That 60 days is the regulatory ceiling; business associate agreements commonly require notice within a much shorter window, and the contractual deadline governs. To the extent possible, the report must identify each affected individual and supply the information the covered entity needs for its own notices: the nature of the data, the circumstances of the disclosure, the dates of occurrence and discovery, and the mitigation undertaken, with supplemental reports as facts become available.
Business associate agreement requirements
Your business associate agreement must spell out breach reporting timelines, security incident procedures, permitted uses and disclosures, and downstream obligations for subcontractors. It should also clarify roles for investigation, individual notification drafting, and media or HHS reporting.
Agency and discovery considerations
If a business associate acts as the covered entity’s agent under the federal common law of agency, discovery by the associate is imputed to the covered entity, so the covered entity’s 60-day clock starts when the associate discovers the breach, not when it reports it. Agreements should state whether the associate is an independent contractor or an agent and define escalation triggers, to avoid delays or disputes over the discovery date.
Encryption Safe Harbor
When notification is not required
Breach notification is not required when the ePHI was secured as described in HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, and the decryption key or process was not also compromised. For data at rest, the guidance points to encryption consistent with NIST SP 800-111; for data in motion, to encryption using FIPS 140-2 validated modules as described in NIST SP 800-52 (TLS), SP 800-77 (IPsec VPNs), and SP 800-113 (SSL VPNs). Media sanitized in line with NIST SP 800-88 is likewise treated as secured. Because “unsecured” is defined against this guidance, the safe harbor turns on whether the data met it at the time of the incident, not on whether some encryption was present.
Limits of the safe harbor
The safe harbor does not apply if the encryption is misconfigured, uses a weak algorithm or key, or the key is exposed. Typical failures: a lost laptop whose full-disk encryption key was stored on the device, or that was stolen while powered on and unlocked so the volume key was already in memory; an encrypted archive emailed alongside its password; or a database whose storage-level encryption is transparent to the application account the attacker used. Confirm that encryption actually protected the data at rest and in transit in the state it was in when lost or accessed, and be prepared to document the product, configuration, and key custody whenever you rely on the safe harbor.
Risk Analysis and Management
Four-factor breach risk assessment
Document a structured assessment of at least four factors: the nature and extent of the ePHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the ePHI or to whom it was disclosed; whether the ePHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Only if the analysis shows a low probability of compromise may you forgo notification, and you bear the burden of proof, so retain the assessment with the rest of your breach records.
Embedding a risk management framework
Integrate findings into a risk management framework that prioritizes controls, timelines, and ownership. Align technical safeguards, workforce training, vendor oversight, and monitoring to reduce likelihood and impact of future events.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment
Security Incident Response
Security incident procedures
Maintain tested security incident procedures that cover detection, triage, containment, forensic investigation, eradication, and recovery. Define decision points for declaring a breach, engaging counsel, notifying individuals, and coordinating with law enforcement or regulators.
Operational readiness
Keep current contact trees, breach templates, and evidence handling protocols. Run periodic tabletop exercises with covered entities and business associates to validate roles, timing, and handoffs during high-pressure events.
Documentation Retention
What to keep and for how long
Retain policies, procedures, training records, risk analyses, risk management plans, business associate agreements, incident logs, breach risk assessments, and copies of all notifications (to individuals, HHS, and the media). Maintain this documentation for at least six years from the date of its creation or the date it was last in effect, whichever is later.
Defensibility and audit readiness
Your files should show how you applied the breach risk assessment, why you concluded notification was or was not required, and the timing and content of all notices. Clear documentation supports compliance reviews and reduces enforcement exposure.
Enforcement and Penalties
OCR investigations and outcomes
HHS OCR investigates complaints and reported breaches, evaluating safeguards, response, and cooperation. Resolutions can include voluntary corrective action, resolution agreements with monitoring, or civil monetary penalties for violations of the HIPAA Rules.
HIPAA civil and criminal penalties
Civil penalties follow a four-tier structure tied to culpability: lack of knowledge, reasonable cause, willful neglect corrected within 30 days, and willful neglect not corrected, with per-violation amounts and annual caps per provision that are adjusted for inflation. Uncorrected willful neglect carries the highest exposure. The Department of Justice prosecutes criminal violations under 42 U.S.C. 1320d-6 for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA; penalties escalate when the offense is committed under false pretenses or with intent to sell the information or use it for commercial advantage, personal gain, or malicious harm, up to ten years of imprisonment.
Key takeaways
Timely, well-documented action under the HIPAA breach notification rule, strong encryption, a living risk management framework, and disciplined incident response significantly reduce risk. Robust contracts and vendor oversight further limit exposure and support defensibility.
FAQs
What is the timeframe for notifying individuals after a breach of ePHI?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. If a law enforcement official states that notice would impede a criminal investigation or damage national security, you may delay for the period specified in a written statement, or for up to 30 days on an oral statement that you document.
How must business associates report breaches of unsecured ePHI?
Business associates must report to the covered entity without unreasonable delay and no later than 60 calendar days from discovery, or sooner if the business associate agreement requires it, providing the known identities of affected individuals, a description of the incident and the ePHI involved, the discovery and occurrence dates, and mitigation steps. Subcontractors owe the same notice to the business associate above them.
When is breach notification not required due to encryption?
Notification is typically not required when the compromised data was secured consistent with HHS encryption standards guidance and the decryption key was not accessed or disclosed. If keys are exposed or encryption is weak or misapplied, the safe harbor does not apply.
What penalties apply for non-compliance with breach notification requirements?
Non-compliance can result in OCR enforcement actions ranging from corrective action plans to tiered civil monetary penalties, depending on culpability and corrective efforts. Intentional wrongful disclosures may trigger criminal prosecution, leading to fines and potential imprisonment.