When is a breach assumed to be reportable?

The assumption that a breach is reportable is based on the condition that a Covered Entity can only avoid reporting if they can demonstrate that the breach poses a low probability of compromise to the confidentiality, integrity, or availability of the protected health information (PHI) involved, often referred to as LoProCo. This means that if a breach occurs, the entity must assess the circumstances under which it occurred and determine whether there is a low probability that the PHI has been compromised.

Under the HIPAA Breach Notification Rule, a breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. If the risk assessment does not indicate a low probability, the breach is considered reportable. Therefore, the requirement for demonstrating this low probability of compromise is crucial for determining whether a breach must be reported to affected individuals, the Secretary of Health and Human Services, and potentially the media in certain cases.