Prepare de-identified breach analysis documentation under HITECH §13402 – CCPA/HIPAA-compliant de-identification per 42 USC §17932
HITECH §13402 (42 USC §17932) requires covered entities and business associates to notify individuals, HHS, and in some cases media outlets when unsecured PHI is breached. anonym.legal de-identifies breach analysis documentation — incident reports, affected-record inventories, and risk assessments — so they can be shared with legal counsel, cyber-insurers, and forensic investigators without compounding PHI exposure during the breach response.
When this applies
Apply this workflow after a security incident when breach analysis documentation referencing individual patient records must be shared with external parties — outside counsel, cyber-insurance adjusters, breach-response vendors — and the minimum-necessary principle requires limiting PHI in those materials.
How anonym.legal handles it
- Upload the breach incident report, affected-record list, and risk assessment documentation to anonym.legal.
- The engine identifies individual patient references in the breach documentation — names, MRNs, account numbers, and diagnosis information included in affected-record inventories.
- Patient-level identifiers are replaced with case reference codes; the number of affected individuals, data categories involved, and breach timeline are preserved as required for HITECH notification preparation.
- Forensic technical detail — log excerpts, IP addresses (external threat-actor IPs may be retained as evidence; patient IP addresses are removed), and vulnerability descriptions — is preserved or de-identified according to configured scope.
- The de-identified breach package is prepared for sharing with external response parties.
- A separate identified version of the affected-record inventory is retained under strict access control for the actual breach notification process.
What you provide
- Breach incident report and affected-record inventory
- Risk assessment documentation for the breach
- Forensic log excerpts or network traffic analysis relevant to the incident
Limitations & cautions
- HITECH §13402 notification obligations require the covered entity to identify and notify affected individuals using their actual identities; the de-identified breach analysis documentation supports the legal review process but does not replace the identified breach notification itself.
- Under §17932, breach notification must occur within 60 days of discovery; de-identification of analysis materials must not delay the notification timeline.
- IP addresses of external threat actors may be retained for law enforcement cooperation purposes; distinguish carefully between patient IP addresses (Safe Harbor identifier (15)) and attacker IP addresses when scoping de-identification.
FAQ
Does HITECH require covered entities to notify individuals even for very small breaches?
Under HITECH §13402(a) as implemented at 45 CFR §164.400–§164.414, covered entities must notify affected individuals of any breach of unsecured PHI without unreasonable delay and within 60 days. For breaches affecting fewer than 500 individuals in a state, media notification is not required, but HHS notification is required in the annual log submission.
Are business associates required to notify covered entities under HITECH?
Yes. Under §17932(b), a business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 days after discovery. The covered entity then handles individual and HHS notification.
Can the de-identified breach analysis be shared with the cyber-insurer without a BAA?
Once the breach analysis documentation is de-identified so it contains no PHI, sharing it with the cyber-insurer does not require a BAA. However, if the insurer will also receive the identified affected-record inventory for claim assessment, a BAA is required for that portion of the sharing.