Breach Notification Rule: Are You Leaving Your Practice Open to Litigation or Other Negative Impacts?

Mar 10, 2021 | Resources

Is your practice keeping an eye on HIPAA breaches? If not, you could be leaving yourself open to investigation, litigation, and financial penalties for non-compliance.   

If you’re not watching for and reporting breaches, you can potentially cost your practice millions of dollars. Yes, I said millions, and that is only the financial penalty.  

In July 2020, the Office for Civil Rights (OCR) announced two settlements resolving HIPAA violations.

Lifespan Health System Affiliated agreed to a settlement of $1,040,000 for multiple compliance failures uncovered after a 2017 breach report. Lifespan had not implemented encryption on portable devices that stored ePHI, even though it knew of the risk of exposure.

One stolen laptop resulted in the impermissible disclosure of 20,431 patients' ePHI. A second settlement, for $25,000, was reached between OCR and Metropolitan Community Hospital over a separate data breach.

After investigating that 2011 breach of 1,263 patient records, OCR found longstanding, systemic noncompliance with the HIPAA Security Rule. The smaller settlement amount reflected the small size of the health system. If you are not maintaining your HIPAA safeguards, lapses can come back to haunt you years later.

What do you need to know about the Breach Notification Rule?

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. PHI is "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance, which in practice means encryption of data at rest and in transit, or proper destruction. That is why the Lifespan laptop mattered: a lost or stolen device whose ePHI is properly encrypted (and whose encryption key was not also compromised) is generally not a reportable breach, while an unencrypted one is.

A breach is an impermissible acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of that PHI. Any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised, based on a risk assessment of at least the following four factors:

  1. Type of PHI. The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the data could be re-identified.
  2. Who? The unauthorized person who used the PHI or to whom the disclosure was made.
  3. Was it viewed? Whether the PHI was actually acquired or viewed by the unauthorized person.
  4. Mitigation. The extent to which the risk to the PHI has been mitigated.

What happens if it’s determined there was a breach? 

If after assessment the result is a breach, there are important notice requirements. These requirements depend upon whether the breach affects fewer than 500 individuals or 500 or more individuals.

Fewer than 500 Individuals

Where fewer than 500 individuals are affected, the covered entity must take a few steps. First, the covered entity must notify the affected individuals. This is done in writing by first-class mail, or by e-mail if the individual has previously agreed to receive these notices electronically. If the covered entity has out-of-date contact information for 10 or more of these individuals, it must provide substitute notice, either by posting a conspicuous notice on the home page of its website for 90 days or by placing a conspicuous notice in major print or broadcast media serving the area where the affected individuals likely reside; the substitute notice must include a toll-free number, active for at least 90 days, that individuals can call with questions. Individual notifications must be sent without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, and must include:

  1. A brief description of what happened, including the date of the breach and the date of discovery, if known
  2. A description of the types of unsecured PHI involved in the breach
  3. The steps affected individuals should take to protect themselves from potential harm
  4. A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches
  5. Contact procedures for individuals to ask questions, including a toll-free number, e-mail address, website, or postal address

In addition, the breach must be reported to the HHS Secretary by visiting the HHS website and filling out the electronic breach report form. For breaches affecting fewer than 500 individuals, this report is due no later than 60 days after the end of the calendar year in which the breach was discovered. As a result, if you are not going to report these breaches to HHS immediately, keep a running log of each one so that you can report them accurately early in the following calendar year.

500 or More Individuals

Where 500 or more individuals are affected, the requirements are a bit different. Here, the covered entity must notify the affected individuals as described above. In addition, if more than 500 residents of a single state or jurisdiction are affected, the covered entity must notify prominent media outlets serving that state or jurisdiction, also without unreasonable delay and within 60 calendar days of discovery. As a third step, the covered entity must notify the HHS Secretary (by visiting the HHS website and filling out the electronic breach report form) at the same time as the individual notices, and in no case later than 60 calendar days after discovery of the breach.

In either case, the covered entity must maintain documentation that all required notifications were made or alternatively, documentation to demonstrate that notification was not required per risk assessment.

Business Associates

Any business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. To the extent possible, the business associate should identify each individual whose PHI was affected and provide the covered entity with the details it needs to issue its own notifications, including what data was compromised.

What can you do to prepare? 

What can you do to protect yourself? Get a compliance plan together!  

Do it now internally or hire someone to do it for you.  A reputable company will know how to execute and monitor for years to come.   

Spend a couple of dollars now to save tens of thousands later.   


The Granite GRC Consulting team is standing by to help. Contact our team at to set up a consultation.

This article has been provided for informational purposes only. A professional consultant can best provide you with guidance tailored to your company’s specific needs. This information is current as of the publication date listed. Because COVID-19 response measures on all fronts are continually evolving, clients should stay alert to new developments and contact a consultant with critical questions.