Data Protection, Backup, and Recovery

What to Do in the Event of a HIPAA Breach

Data breaches are bad. Whether the breach is small or involves just over 500 records, HIPAA law is clear: the breach must be reported. A breach is generally defined as an impermissible use or disclosure that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the protected health information or to whom the disclosure was made.
  3. Whether the protected health information was actually acquired or viewed.
  4. The extent to which the risk to the protected health information has been mitigated.

How Often Do Breaches Occur

Cyberattacks on healthcare providers are on the rise. According to a recent Trustwave report, healthcare records are worth more than a credit card number or Social Security number on the black market — $250 per record vs. $5.40 for a number. This makes the healthcare industry a prime target for cyberattacks.

The healthcare industry experiences more data breaches than any other industry in the United States. It accounted for more than 24% of all breaches in 2017.

According to the HIPAA Journal, between 2009 and 2018, there were 2,546 healthcare data breaches involving more than 500 records. Those breaches resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States. Healthcare data breaches are now being reported at a rate of more than once per day.

What to Do if You Think You Have a Breach

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. There are strict breach notification rules they must follow.

Breach Notification “The Rule”

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers under section 13407 of the HITECH Act.

Breach Notification Requirements

In addition to the notifications to affected individuals, the Secretary, and the media described above, business associates must notify covered entities if a breach occurs at or by the business associate.

Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery.

Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.

Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities notify the Secretary by visiting the HHS web site.

The HIPAA Breach Notification Rule states that if you are aware of a breach of more than 500 records, it must be reported. If you have experienced a breach, you can report it online at We recommend that you also contact someone with expertise in this area to consult with regarding the next steps. 

Did You Know…

Central Data Storage can help in the prevention of a breach, whether it is a server crash or a ransomware attack. We provide a plan to back up and recover your practice's mission-critical data, and there are no additional charges for recovery.

Want to learn more about disaster recovery? Our expert support team wants to hear from you! Just call 1-888-907-1227 or email
