Updated 2025: Looking for a Business Associate Agreement? Download our FREE template

TotalHIPAA Logo

Is it a breach, or not?

Summary:

This week we had an interesting question come in. One of our clients was copied by a general agent in a response to an application for health insurance. This message contained ePHI that wasn’t encrypted. Was it a breach? What does that mean for the agents? Does the client need to be notified? We passed […]

This week we had an interesting question come in. One of our clients was copied by a general agent in a response to an application for health insurance. This message contained ePHI that wasn’t encrypted. Was it a breach? What does that mean for the agents? Does the client need to be notified?

We passed this to David Smith for his thoughts, and here is his assessment:

I do not believe there was a breach for either agent in this situation.This is because the information that passed between the parties was between business associates, and therefore there is no requirement that agent that initiated the application notifies the client because this agency has done nothing to breach the HIPAA Privacy, Security or HITECH rules.

However, the general agency is clearly in violation of the HIPAA security requirements concerning encryption of ePHI. This is a very serious issue, and all PHI should be encrypted at rest, and in transit.

The general agency will need to document this violation, and will potentially need to sanction the offending agent. This could be a verbal warning, retraining, or suspension. While this was not malicious, it could still be a serious issue for the general agency. When issues like this arise, you need to act quickly to support your clients, and let people know when they have made mistakes. Remember, sanctions should be clearly notated in your Security Policies and Procedures, and it is important that you enforce them.

I do believe there is value in the initiating agency providing information to the client along the following lines:

  • A company I do business with violated the HIPAA Security requirements related to transmission of electronic health information as a business associate of various health insurance carriers.
  • They have assured me that this was a one-time mistake and that they have taken appropriate corrective action to prevent any future issue.
  • I am letting you know because of the seriousness with which I am taking the responsibility of maintaining the privacy and security of my clients’ information and to assure you that I will remain diligent about any future issues on your behalf.

The key here is letting your clients know if and when there is an issue, so they can be proactive in monitoring their personal information.

By Jason Karn

Google+

Total HIPAA specializes in HIPAA compliance services, helping businesses adhere to HIPAA guidelines and protect sensitive data. Our experts ensure your organization remains compliant with HIPAA regulations, meaning you can focus on your core operations while we handle documenting the policies and procedures that make up your HIPAA compliance plan. Trust Total HIPAA for comprehensive compliance solutions tailored to your needs. Book a clarity call today.

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

Why do we need to test our Disaster Recovery Plan every year?

Why do we need to test our Disaster Recovery Plan every year?

Even if your internal software and servers remain perfectly static, the infrastructure, vendor updates, and cyber threats around them are constantly shifting. Waiting 2 or 3 years to test your backup systems leaves you vulnerable. This post breaks down the four external factors that degrade an untested playbook, explores HIPAA compliance mandates under NIST SP 800-66, and provides a granular, step-by-step example of what a compliant disaster recovery blueprint actually looks like.

How to Maintain HIPAA Compliance in Public Cloud Environments

How to Maintain HIPAA Compliance in Public Cloud Environments

Storing ePHI in the public cloud offers scalability but requires a strict “Shared Responsibility” approach. To remain HIPAA compliant, organizations must go beyond basic Business Associate Agreements (BAAs). The implementation of AES-256 encryption, multi-factor authentication (MFA), and microsegmentation are now required. This guide outlines the essential steps to securing your cloud infrastructure while meeting the latest HHS and OCR standards.

How to Stay HIPAA Compliant with Audit Logs

How to Stay HIPAA Compliant with Audit Logs

HIPAA audit logs are a mandatory technical safeguard under the HIPAA Security Rule, designed to track and record system activity across your network. To ensure complete compliance, organizations must actively maintain and routinely review these logs to detect unauthorized access to electronic protected health information (ePHI). This guide covers federal hipaa audit log requirements, the essential six-year hipaa audit log retention rules, best practices for tracking digital and physical data access, and how utilizing a structured hipaa audit log template protects your organization from catastrophic data breaches and costly federal penalties.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)