Legal Alert: HIPAA and Breaches of Protected Health Information

James W. (Jay) Thweatt, III

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a federal law that is designed to protect the security and ensure the confidentiality of individually identifiable health information (protected health information or “PHI”) that is maintained or transmitted by a covered entity.  For this purpose, a “covered entity” includes not only health care providers, but also health plans (including self-insured health plans) and health care clearinghouses. 

In addition, as a result of recent amendments to HIPAA, a “business associate” of a covered entity is also directly subject to these requirements. Basically, a “business associate” includes any entity that performs a function or activity on behalf of a covered entity and, in performing that function or activity, creates, receives, maintains, or transmits PHI. For a self-insured health plan, this could include service providers that provide actuarial, accounting, consulting, administrative (e.g., a “third-party administrator”), or data transmission services. So, the application of HIPAA’s privacy and security rules is far-reaching and not limited to health care providers.

When PHI is transmitted or maintained in electronic form, HIPAA also requires covered entities (and their business associates) to implement reasonable and appropriate safeguards to protect that information, regardless of where that information resides or how it is accessed. Moreover, if PHI is breached, HIPAA requires covered entities to follow certain disclosure protocols.

Over the last few years, there have been several high-profile alleged breaches of PHI potentially impacting millions of individuals, the most recent of which involves customers of Anthem. Depending on the nature of the breach, this may require notification to affected individuals, and potentially, the U.S. Department of Health and Human Services (“HHS”) and local media outlets.  In addition, nearly all states have some form of data breach notification law that may apply when there is a breach of PHI.

With respect to self-insured health plans, it is important to recognize that PHI is rarely limited to the health plan itself. Instead, a number of business associates routinely assist with business functions on behalf of the health plan. When providing these services, these entities may also have access to PHI. If so, HIPAA requires the health plan to enter into business associate agreements with those service providers that have access to PHI.  In general, these business associate agreements must provide that the business associates will comply with all of the applicable privacy and security requirements under HIPAA (and impose the same compliance obligations on any subcontractors of a business associate that help with plan-related business functions).

As noted above, HIPAA requires covered entities to comply with privacy and security rules with respect to PHI. If there is a breach or violation of HIPAA, the covered entity is responsible for complying with detailed breach notification rules. This is true regardless of whether the breach is caused by the covered entity or by one of its business associates. Technically, HIPAA requires a business associate to notify the covered entity of a breach without unreasonable delay, and in no case later than 60 days after discovery of the breach, and the covered entity is then responsible for any subsequent notice requirements to affected individuals, HHS, or the media.

However, it is worth noting that there is nothing in HIPAA that would preclude a health plan from delegating this responsibility to the business associate in the business associate agreement. In fact, the allocation of respective obligations in the event of a breach by the business associate should be directly addressed in the business associate agreement between the parties.

For disclosure purposes, a “breach” arises any time there is an acquisition, access, use, or disclosure of PHI in a manner that is not permitted by HIPAA’s privacy and security rules and that compromises the privacy or security of the PHI. An impermissible use or disclosure meeting these requirements is presumed to be a breach, and a covered entity must report it to affected individuals (and HHS and the media, if applicable), unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised. When making this determination, the covered entity must consider the following: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the unauthorized disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the unauthorized use or disclosure has been mitigated.

If the covered entity determines that a reportable breach has occurred, it must notify any affected individuals whose PHI is at issue without unreasonable delay, and no later than 60 days after the discovery of the breach. The HIPAA breach notification rules contain specific content requirements for this notification. In addition, notice must be provided to HHS within 60 days of the discovery of the breach if it involves 500 or more individuals. If the breach involves fewer than 500 individuals, the covered entity must log the incident and file a breach log with HHS annually by March 1.  Lastly, a covered entity must notify the local media if the breach involves more than 500 residents of a specific state.

In terms of high-level takeaways, if a breach is being reported by a business associate (e.g., by Anthem when it is acting as a third-party administrator for a self-insured health plan), the covered entity should review its business associate agreement in order to determine which party is contractually responsible for breach notification reporting. In addition, a covered entity should prepare a checklist of all the relevant notifications being prepared and monitor all of the ongoing steps to address the breach. 

Should you have any questions or need assistance, please contact Jay Thweatt at (513) 579-6598 or

KMK Legal Alerts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation.  Please consult with counsel of your choice regarding any specific questions you may have.


©2015 Keating Muething & Klekamp PLL.  All Rights Reserved. 
