What is the Breach Rule?
A breach is unauthorized acquisition, access, use, or disclosure of PHI, which compromises the security or privacy of the information. Covered entities are responsible for breaches of their information and, before Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, their business associates’ information. After HITECH, the business associate became responsible and liability directly for a breach. This law also increased penalties for breaches, and defined levels of breaches and notification requirements for breaches.
If there is a PHI breach, providers and covered entities must notify the patient, the media (if the breach affects more than 500 residents of a state or smaller jurisdiction) and HHS (if breach affects more than 500 patients regardless of location). Business associates, or others who conduct business with the covered entity involved in the breach, must also provide notice to covered entities no later than 60 days after the discovery of the unsecured PHI breach.
The date a breach is discovered is extremely important in determining penalties and reporting requirements. The discovery date triggers the 60-day notice requirement.
If the covered entity handles the breach well and promises to amend its compliance plan, fines are less painful or nonexistent. If they don’t, it can be as much as $10,000 per record, plus federal management of the entity’s compliance plan for a couple of years, at least.