Regulatory

Breach Notification

The process of notifying affected individuals, HHS, and potentially the media when unsecured protected health information (PHI) is accessed, used, or disclosed in a way not permitted by HIPAA. California's CMIA requires notification within 15 business days.


What This Means for Your Facility

Breach notification requirements under HIPAA and California's CMIA create a dual compliance obligation that is more stringent than most facilities realize. Under HIPAA, breaches affecting 500 or more individuals must be reported to HHS and prominent media outlets within 60 days, while smaller breaches must be logged and reported annually. California's CMIA (Civil Code §56.06) imposes a tighter 15-business-day notification window and applies to a broader range of medical information than HIPAA's definition of PHI.

The financial exposure from a breach extends far beyond the notification costs themselves. HHS Office for Civil Rights penalties range from $137 per violation (for unknowing violations) up to $2,067,813 per violation category per year. California's Attorney General can pursue additional penalties under the CMIA, and affected individuals have a private right of action, meaning class-action lawsuits are common for large breaches. The average cost of a healthcare data breach reached $10.93 million in 2023, according to IBM's annual study.

BayArea Compliance's HIPAA|360 program includes breach notification procedures tailored to both HIPAA and CMIA timelines. We help facilities conduct the required four-factor risk assessment to determine whether a breach is reportable, draft compliant notification letters, manage HHS reporting, and coordinate with legal counsel when necessary. Having these procedures documented and rehearsed before an incident occurs is the difference between a controlled response and a costly scramble.

Related Terms

Regulatory

Aerosol Transmissible Diseases (ATD)

Diseases that can be transmitted through airborne particles. Cal/OSHA's ATD standard (Title 8, Section 5199) requires healthcare facilities to implement exposure control plans, employee training, and respiratory protection programs.

Regulatory

Bloodborne Pathogens

Infectious microorganisms present in human blood that can cause disease. Includes hepatitis B (HBV), hepatitis C (HCV), and human immunodeficiency virus (HIV). OSHA requires annual BBP training.

Regulatory

Cal/OSHA

California's Division of Occupational Safety and Health. Enforces workplace safety standards that are often stricter than federal OSHA, including the Aerosol Transmissible Diseases standard and specific requirements for healthcare, laboratory, and agricultural workplaces.

Regulatory

CMIA (California Confidentiality of Medical Information Act)

California state law (Civil Code §56–56.37) that provides stronger patient privacy protections than federal HIPAA. Includes a private right of action for patients, broader definitions of medical information, and shorter breach notification timelines.

Regulatory

Covered Entity

Under HIPAA, any health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. All covered entities must comply with HIPAA Privacy, Security, and Breach Notification Rules.

Regulatory

DEA Reverse Distribution

The DEA-authorized process for returning controlled substances to a registered reverse distributor for destruction. Requires proper documentation, witnessed destruction, and certificates of destruction for facility records.
