
As an employer, you may be required to safeguard employees’ protected health information (PHI). This is especially true if you sponsor a group health plan (the plan itself is a HIPAA covered entity, and you receive PHI in your role as plan sponsor) or otherwise work with health-related data.

Under the Health Insurance Portability and Accountability Act (HIPAA), a breach occurs when PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule and that compromises the security or privacy of the PHI. The Privacy Rule provides federal protections for PHI, gives patients rights over their information, and sets rules and limits on who can access and receive it. HIPAA’s definition of a breach includes some exceptions, but any impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.

The importance of a business associate agreement

Employers working with third-party vendors who handle PHI must ensure a business associate agreement (BAA) is in place before any PHI is shared. A BAA sets out each party’s responsibilities regarding PHI, including required security measures, permitted uses and disclosures, and breach notification obligations. If a business associate causes a breach, HIPAA requires the business associate to notify the covered entity, and the BAA should specify how quickly that notification must arrive and who is responsible for notifying affected individuals and regulators. Without a BAA, sharing PHI with the vendor is itself an impermissible disclosure, and you may be held liable for breaches the vendor causes.

Conducting a risk assessment

To determine whether an incident constitutes a breach that requires notification, HIPAA requires a risk assessment that considers at least the following four factors:

Nature and extent of PHI involved

Assess whether the disclosed PHI includes sensitive data, such as financial details (e.g., credit card or Social Security numbers) or clinical information (e.g., medical diagnoses or treatment details), and whether it could be used to re-identify an individual. The more detailed or identifiable the information, the greater the risk.

The unauthorized person receiving the PHI

Consider whether the recipient is itself obligated to protect PHI (e.g., another covered entity, such as a health care provider, or a business associate). If the PHI went to a party that must comply with HIPAA, the probability of compromise may be lower than if it was disclosed to an unrelated external party with no such obligation.

Actual acquisition or viewing of PHI

Determine whether the PHI was merely exposed, or actually viewed or acquired by an unauthorized individual. For example, if a lost laptop containing PHI is recovered and a forensic analysis confirms the data was not accessed, the probability that the PHI was compromised is significantly lower. (Note that a lost laptop whose PHI was encrypted in line with HHS guidance is not a breach of unsecured PHI in the first place.)

Mitigation efforts

Assess the extent to which the risk has been mitigated, for example by obtaining the recipient’s satisfactory assurances, ideally in writing, that all copies of the PHI have been destroyed or returned and will not be further used or disclosed. Assurances from a party bound by HIPAA or by a confidentiality agreement carry more weight than assurances from an unknown recipient.

Breach notification requirements

If the risk assessment cannot demonstrate a low probability of compromise, a breach has occurred and the covered entity must notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. The notification must describe what happened, the types of information involved, the steps individuals should take to protect themselves, what the entity is doing to investigate and mitigate the breach, and how individuals can obtain further information.

Internal deadlines and responsibilities (for example, how quickly a business associate must report an incident to the covered entity so that the covered entity can meet its own notification deadline) should be outlined in the respective BAAs and in the covered entity’s HIPAA breach notification policy.

Takeaways for employers

  • Establish clear policies and training for handling PHI to prevent breaches, and ensure a BAA is signed before any vendor receives PHI.
  • Conduct and document a four-factor risk assessment for any potential PHI exposure to determine whether notification is required.
  • If a breach occurs, act quickly to mitigate the risk and notify affected individuals within the required time frame.

By understanding HIPAA’s breach requirements, employers and the individuals who handle PHI on their behalf can better protect employee privacy and minimize security and compliance risks.