Exceptions to HIPAA Breach Notification Rules include situations where the unauthorized person who accessed the protected health information (PHI) could not retain it, disclosures were made in good faith and within the scope of authority to a person or entity who would not use or further disclose the information, or the PHI was rendered unreadable, unusable, or indecipherable to unauthorized individuals through methods such as encryption.
Good Faith, Unintentional Access
An exception to the HIPAA Breach Notification Rule occurs when protected health information (PHI) is accessed or disclosed unintentionally by an employee or individual acting under the authority of a covered entity or business associate. This exception applies when the access is made in good faith, within the scope of the individual’s professional responsibilities, and without further misuse or disclosure of the information. For example, if an employee inadvertently views a patient’s record while attempting to access another file but does not share or misuse the information, this would not be considered a reportable breach under the HIPAA rules.
Good Faith Disclosure to Authorized Individuals
Another exception involves disclosures of PHI made in good faith to individuals authorized to receive such information. If the disclosure is made within the scope of professional authority and no further unauthorized use or disclosure occurs, the incident does not constitute a breach requiring notification. For instance, if a healthcare provider shares PHI with another staff member who is authorized to access the information but inadvertently includes an additional piece of data, this disclosure does not trigger notification requirements as long as the information remains secure.
Information Rendered Unusable or Indecipherable
A breach notification is not required when PHI has been rendered unreadable, unusable, or indecipherable to unauthorized individuals through methods such as encryption. If encrypted data is accessed or stolen but the encryption key remains secure and uncompromised, the incident does not qualify as a reportable breach. This exception underscores the importance of using encryption and other technical safeguards to protect electronic PHI. For example, if a laptop containing encrypted patient data is lost but cannot be accessed without the decryption key, this would not be classified as a breach requiring notification.
Inability to Retain Information
When unauthorized individuals access PHI but are unable to retain or further use the information, the situation is exempt from breach notification requirements. This can occur in cases where PHI is accidentally sent to the wrong recipient but is promptly deleted or returned without being copied or retained. For example, if an email containing PHI is sent to the wrong person but the sender quickly notifies the recipient, who then deletes the email without reading or saving the information, the breach notification requirement does not apply.