Benefits Law Update
        Practical advice from Verrill attorneys

        HIPAA Breach Notification – Part II (Determining Whether a Breach Has Occurred)

        by Eric D. Altholz on March 4, 2010

        In a previous post we provided a brief overview of the new privacy breach notification requirements under HIPAA (as amended by the HITECH Act), as they relate to employer-sponsored group health plans. This post will focus on determining whether a privacy breach has occurred, including the exceptions and the all important risk assessment.

        The determination of whether a privacy breach has occurred and notification is required involves a three step process: (1) a threshold investigation as to whether an unauthorized acquisition, access, use or disclosure of unsecured PHI has occurred; (2) a determination as to whether an exception could apply to completely mitigate the breach; and (3) a judgment regarding the nature of the breach and the likelihood that the individual whose PHI was breached will suffer some kind of significant harm. As noted in the earlier post, the term “unsecured PHI” means PHI that is not encrypted or otherwise rendered unintelligible or unusable. Since very few employers have both the ability and the inclination to meet the high standards for security set by HHS, we will assume that the PHI involved is unsecured.

        Step 1: Threshold Investigation. The first step is to determine whether in fact unsecured PHI was accessed, used or obtained by someone who was not authorized to see or use it or whether it was disclosed to someone who was not authorized to see or use it. The potential breach could take any number of forms – a paper file or report containing PHI left in the company cafeteria, a laptop containing PHI files accidentally left on a train or some other public place, an e-mail containing PHI sent to the wrong address, an EOB sent to the wrong address, a person from the legal department accidentally receiving an employee’s PHI file attached to the employee’s personnel file. Any of those circumstances would rise to the level of a potential breach and trigger the next step in the process.

        Step Two: Availability of an Exception. Three types of impermissible use or disclosure of PHI are not considered breaches: (1) an unintentional access or use of PHI by someone who generally has authority to work with PHI, so long as the access or use was made in good faith, within the scope of authority and does not result in a further use or disclosure of the PHI in an impermissible manner; (2) an inadvertent disclosure by a person who is authorized to access the PHI, so long as the information received as a result of the disclosure is not further used or disclosed in an impermissible manner; and (3) a disclosure of PHI where the plan has a good faith belief that an unauthorized person to whom the disclosure was made would not have been able to retain such information. Therefore, for example, if the person from legal had authority to work with PHI (under the company’s HIPAA policies), the inadvertent transmission of an employee’s PHI to her would not be problematic. Similarly, an e-mail containing PHI about Employee B that was sent to an authorized business associate who was supposed to receive PHI about Employee A should not create a breach. (In each of those cases, of course, the recipient should ensure that the PHI is immediately returned without further use.) If the plan reasonably determines that one of the foregoing exceptions applies, the plan may appropriately determine that a breach has not occurred.

        Step Three: Risk of Harm Assessment. Finally, even if the access, use or disclosure of unsecured PHI cannot qualify for any exception, the regulations provide one last opportunity to nullify the breach and avoid providing the notice. In short, a breach won’t “count” if it does not pose a significant risk of financial, reputational or other harm to the person involved. In making this risk assessment, the plan may take into account: (1) the type of PHI involved; (2) the actions taken to mitigate the potential harm resulting from the breach, and the timeliness of such actions; and (3) the likelihood of financial, reputational or other harm resulting to the individual. Take the case of the forgotten laptop. If the owner of the laptop recovers the laptop within a very short period of time and can confirm that no one accessed any files, the likelihood of any harm having occurred would be minimal or non-existent. (Of course, the laptop and all PHI files were password protected as required under the company’s HIPAA privacy policies.) If the laptop is not recovered, however, there is probably at least some risk of harm (even with the password protections.) In that case, one would have to ask what kind of health information the files contained. (See our prior post’s example of a misdirected EOB.) If the plan reasonably determines that no significant risk of harm to the individual could result from the access, use or disclosure of unsecured PHI, the plan may appropriately determine that a breach has not occurred.

        Two final items to note. First, all these requirements apply to “business associates” (i.e., plan service providers who are authorized to work with PHI). Second, like other HIPAA privacy requirements, the breach notification regulations require a plan to document its policies and procedures in order to demonstrate compliance. We recommend simply adding a section on breach notification to your existing set of HIPAA privacy and security policies, though many of our clients opted to simply restate their entire policy manuals. (You do have written HIPAA privacy policies, right?)

        Benefits Law Update

        Verrill’s Benefits Law Update blog delivers timely insights and practical guidance on the ever-evolving landscape of employee benefits and executive compensation. Our blog provides up-to-date analysis and commentary on a wide range of topics, including timely updates on developments in law affecting employee benefit plans and executive compensation arrangements.

        Key Contacts

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...