Benefits Law Update
        Practical advice from Verrill attorneys

        HIPAA Breach Notification – Part I (Overview)

        by Eric D. Altholz on February 18, 2010

        The privacy provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) are designed to close a gap in the health information privacy and security framework first established under HIPAA back in 2003. The original statute and the resulting U.S. Department of Health and Human Services (HHS) rules and regulations (45 C.F.R. Parts 160 to 164) required “covered entities” (including employer-sponsored group health plans) to ensure the privacy of an individual’s “protected health information” (PHI). But neither the original statute nor the HHS regulations expressly required a covered entity to notify an affected individual about a breach of his or her privacy. The HITECH Act and subsequent HHS regulations close that gap by instituting affirmative privacy breach notification requirements. The breach notification requirements became effective September 24, 2009, but enforcement activity was officially postponed until February 22, 2010. This post will offer some general thoughts about the HIPAA breach notification rules as they relate to employer-sponsored group health plans. Future posts will consider selected elements of the rules.

        The HIPAA breach notification rules require a group health plan to: (1) determine whether a “breach” of “unsecured PHI” has occurred with respect to any individual covered by the plan; (2) notify the affected individual regarding the breach; (3) notify HHS regarding the breach; and (4) if required, provide notice to news media with respect to the breach. The plan’s privacy official must apply a combination of objective analysis and subjective judgment in order to determine whether a breach occurred and whether any of the available exceptions could apply to effectively mitigate the breach. If a breach has occurred, the plan must notify the affected individual(s) “without unreasonable delay” and in no case later than 60 calendar days following the discovery of a breach.

        The term “breach” means the unauthorized acquisition, access, use or disclosure of unsecured PHI thatcompromises the security or privacy of such information and does not qualify for an exception. “Unsecured PHI” essentially means PHI that has not been encrypted or otherwise rendered indecipherable to unauthorized individuals using standards set by the Secretary of HHS. In our experience, very few employers will have both the capacity and the willingness to meet these standards.

        Importantly, the standard for the discovery of a breach is essentially a “knew or should have known” type of standard. Specifically, a breach is deemed to have become known to the plan as of the first day on which, by exercising reasonable diligence, the breach would have become known to the plan. Therefore, in order to comply with these requirements, an employer must adopt procedures that will facilitate the prompt identification of privacy breaches and allow for a fairly rapid response. Fortunately, the HHS regulations provide a very good road map for the preparation and administration of such procedures.

        One critical step in the analysis, and the one we find the most interesting, is the “risk assessment.” Under the HHS regulations, if a plan finds that a privacy breach did occur and that none of the available exceptions can apply, the plan must determine whether the disclosure of the PHI poses a significant risk of harm to the individual that is the subject of the breach. In making this determination the plan may take into account: (1) the type of PHI involved; (2) the actions taken to mitigate the potential harm resulting from the breach, and the timeliness of such actions; and (3) the likelihood of financial, reputational or other harm to the individual as a result of the breach. If the plan can reasonably determine that no significant risk of harm to the individual could result from the access, use or disclosure of unsecured PHI, the plan may appropriately determine that a breach has not occurred. It’s that last step in the analysis that is of most interest and calls for a very subjective judgment on the part of the plan. The clear suggestion is that not all PHI – even though it is worthy of protection – is created equal. Most would agree that a misdirected EOB (sent and delivered to the next door neighbor’s address) informing an individual that the costs of his expensive drug rehabilitation program will be paid for would pose a risk of significant “reputational harm.” But perhaps a misdirected EOB denying a claim for fancy orthotics (like the kind I use in my running shoes) wouldn’t be so bad. We may need to await enforcement activity or further guidance to know for sure.

        Benefits Law Update

        Verrill’s Benefits Law Update blog delivers timely insights and practical guidance on the ever-evolving landscape of employee benefits and executive compensation. Our blog provides up-to-date analysis and commentary on a wide range of topics, including timely updates on developments in law affecting employee benefit plans and executive compensation arrangements.

        Key Contacts

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...