HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is the federal regulation that requires HIPAA covered entities and their business associates to provide notification when there is a breach of unsecured protected health information (PHI). It defines who must be told, what they must be told, and how quickly.

Who Must Be Notified

Following a breach of unsecured PHI, a covered entity must notify the affected individuals without unreasonable delay and no later than 60 days after discovery, and must notify the U.S. Department of Health and Human Services. Breaches affecting 500 or more residents of a state or jurisdiction also require notice to prominent media in that area. A business associate that discovers a breach must notify the covered entity.

The Role of Encryption

The rule applies to unsecured PHI — information not rendered unusable through encryption or destruction. PHI that was properly encrypted is generally not considered “unsecured,” so a breach of encrypted data may not trigger notification; the safe harbor only holds if the decryption key was not also exposed in the incident. This makes encryption both a security control and a notification safe harbor.

Why the Breach Notification Rule Matters for Investment & Professional Firms

DFW professional firms that act as business associates — handling PHI for healthcare clients — carry breach notification obligations and must be able to detect a breach, assess it, and notify within the required window. DKBinnovative provides the monitoring, encryption, and incident response that healthcare-adjacent firms in Plano, Frisco, Irving, and Las Colinas need to meet the rule.
