BenchmarksStack Ranking
H33-128H33-CKKSH33-256H33-BFV32H33-FHE-IQFHE OverviewZK LookupsBiometricsH33-3-KeyH33-MPCPQC ArchitecturePQ VideoStorage EncryptionAI DetectionEncrypted Search
APIsPricingDocsWhite PaperTokenBlogAboutSecurity Demo
Log InGet API Key
HIPAA

Breach Notification Policy

Effective: March 17, 2026

1. Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The Breach Notification Rule (45 CFR §§164.400–164.414) specifies the requirements for breach discovery, risk assessment, notification, and documentation.

A safe harbor exists under the Breach Notification Rule: if PHI is encrypted in accordance with HHS guidance (NIST Special Publication 800-111 for data at rest and FIPS 140-2/140-3 validated processes for data in transit) or is destroyed such that it cannot be reconstructed, the PHI is considered “secured” and breach notification is not required. H33’s FHE platform processes data in encrypted form; however, this policy applies to all PHI that may exist in unsecured form at any point during its lifecycle.

2. Purpose

This policy establishes the procedures H33.ai, Inc. (“H33”) follows to identify, investigate, assess, and report breaches of unsecured PHI in compliance with 45 CFR Part 164, Subpart D. This policy ensures that H33 meets its notification obligations as a Business Associate and supports its covered entity customers in meeting their notification obligations.

3. Definitions

Term Definition
Breach The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. A breach is presumed unless H33 demonstrates a low probability that the PHI has been compromised based on a risk assessment. Three exclusions apply: (1) unintentional acquisition, access, or use by a workforce member acting in good faith and within scope of authority, provided the information is not further used or disclosed improperly; (2) inadvertent disclosure between persons authorized to access PHI at H33, provided the information is not further used or disclosed improperly; (3) disclosure where H33 has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.
Business Associate A person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. H33 operates as a Business Associate.
Covered Entity A health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a covered transaction. H33’s customers include covered entities.
Protected Health Information (PHI) Individually identifiable health information transmitted or maintained in any form or medium by a covered entity or business associate.
Unsecured PHI PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS guidance (encryption meeting NIST standards or destruction such that the media cannot be reconstructed).
Workforce Employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for H33, is under the direct control of H33, whether or not they are paid by H33.

4. Scope

This policy applies to H33 in its capacity as a Business Associate. It covers all PHI that H33 creates, receives, maintains, or transmits on behalf of its covered entity customers. This includes PHI processed through H33’s FHE encryption pipelines, biometric authentication data, PHI stored in H33 infrastructure, and PHI transmitted through H33 APIs.

This policy applies to all H33 workforce members, including employees, contractors, consultants, and any individual with access to H33 systems that may contain PHI.

5. Breach Discovery

A breach is considered “discovered” as of the first day on which the breach is known to H33, or by exercising reasonable diligence would have been known to H33. H33 is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is a workforce member or agent of H33.

All H33 workforce members are required to report any suspected or confirmed breach, security incident, or unauthorized access to PHI immediately upon discovery to the HIPAA Security Officer at security@h33.ai. Failure to report a suspected breach in a timely manner is a violation of this policy and subject to sanctions.

6. Post-Breach Investigation

Upon discovery or notification of a potential breach, H33 initiates the following investigation process:

  1. Immediate Containment: Take immediate steps to contain the incident and prevent further unauthorized access, use, or disclosure of PHI. This may include revoking access credentials, isolating affected systems, and preserving evidence for forensic analysis.
  2. Incident Documentation: Document the date and time of discovery, the nature of the incident, the systems and data potentially affected, and all containment actions taken.
  3. Investigation: Conduct a thorough investigation to determine the facts of the incident, including identifying the individuals whose PHI may have been compromised, the type and amount of PHI involved, and the circumstances of the breach.
  4. Risk Assessment: Perform the four-factor risk assessment described in Section 7 to determine whether the incident constitutes a breach requiring notification.
  5. Notification Decision: Based on the risk assessment, determine whether notification to the covered entity (and potentially to affected individuals, HHS, and media) is required.
  6. Remediation: Implement corrective actions to address the root cause of the breach and prevent recurrence.

7. Risk Assessment

Following the discovery of a potential breach, H33 performs a risk assessment to determine the probability that the PHI has been compromised. The risk assessment considers the following four factors, as specified in 45 CFR §164.402(2):

7.1 Nature and Extent of the PHI Involved

This factor considers the types of identifiers involved and the likelihood of re-identification. Factors include whether the PHI includes clinical information, financial information, Social Security numbers, or other sensitive data elements. The more sensitive the data types, the higher the risk.

7.2 The Unauthorized Person Who Used the PHI or to Whom the Disclosure Was Made

This factor evaluates whether the unauthorized person has the ability and motivation to use the PHI in a harmful manner. Considerations include whether the recipient is a known entity (e.g., another covered entity or business associate), whether the recipient has independent obligations to protect the PHI, and whether the recipient can be contacted to obtain assurances of destruction or non-use.

7.3 Whether the PHI Was Actually Acquired or Viewed

This factor considers whether the PHI was actually accessed or viewed, as opposed to merely having been available for access. Forensic analysis of access logs, audit trails, and system records is used to determine whether the PHI was actually acquired or viewed by the unauthorized person. The fact that PHI was processed under FHE (and therefore remained encrypted during computation) may be relevant to this factor.

7.4 The Extent to Which the Risk to the PHI Has Been Mitigated

This factor evaluates the steps taken to mitigate the risk after the breach was discovered. Mitigation may include obtaining assurances from the unauthorized recipient that the PHI has been destroyed or will not be used or disclosed, revoking access, implementing additional technical safeguards, and monitoring for evidence of misuse.

If the risk assessment demonstrates that there is a low probability that the PHI has been compromised, notification is not required. However, the burden of proof is on H33 to demonstrate the low probability, and the risk assessment and its conclusions must be documented and retained.

8. Notification Timeliness

8.1 Notification to Covered Entities

As a Business Associate, H33 shall notify each affected covered entity of a breach of unsecured PHI without unreasonable delay, and in no case later than sixty (60) calendar days from the date the breach is discovered, as required by 45 CFR §164.410. The notification shall include:

  • Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached
  • Any other information that the covered entity would need to include in its notification to affected individuals
  • All information available about the breach at the time of notification, with additional information provided as it becomes available

8.2 Law Enforcement Delay

If a law enforcement official determines that notification, notice, or posting required under the Breach Notification Rule would impede a criminal investigation or cause damage to national security, H33 shall delay notification as follows:

  • If the law enforcement statement is in writing and specifies a time period, delay for the specified period
  • If the law enforcement statement is oral, delay for no more than thirty (30) days from the date of the oral statement, unless a written statement is provided during that time

9. Content of Notification

Breach notifications provided to covered entities (and, if applicable, to affected individuals) shall include the following elements, to the extent possible, as required by 45 CFR §164.404(c):

  1. Description of the Breach: A brief description of what happened, including the date of the breach and the date of discovery (if known)
  2. Types of PHI Involved: A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Social Security number, date of birth, diagnosis, treatment information, health plan ID)
  3. Protective Steps for Individuals: Steps the individual should take to protect themselves from potential harm resulting from the breach (e.g., credit monitoring, fraud alerts, password changes)
  4. What H33 Is Doing: A brief description of what H33 is doing to investigate the breach, mitigate harm, and protect against further breaches
  5. Contact Information: Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, email address, website, or postal address

10. Notification Methods

10.1 Individual Notification

When H33 supports a covered entity in providing individual notification (or when notification is directly required):

  • First-Class Mail: Written notification sent by first-class mail to the last known address of the individual. If the individual is a minor, notification is sent to the parent or legal guardian. If the individual is deceased, notification is sent to the next of kin or personal representative, if known.
  • Email: Notification by email is permitted only if the individual has agreed to receive electronic communications. Email notification must comply with 45 CFR §164.404(d)(1)(ii).
  • Substitute Notice: If contact information for ten (10) or more individuals is insufficient or out of date, substitute notice must be provided through either a conspicuous posting on H33’s website homepage for a period of ninety (90) days, or notification in major print or broadcast media in the geographic areas where the affected individuals likely reside. The notice must include a toll-free telephone number that remains active for at least ninety (90) days.
  • Urgent Situations: In cases requiring urgency due to possible imminent misuse of unsecured PHI, H33 may provide notification by telephone or other means in addition to the methods described above.

10.2 Notification to HHS

H33 supports covered entities in meeting their HHS notification obligations:

  • Breaches Affecting 500 or More Individuals: The covered entity must notify the Secretary of HHS concurrently with individual notification (i.e., without unreasonable delay and no later than sixty (60) calendar days from discovery). Notification is submitted via the HHS Breach Portal.
  • Breaches Affecting Fewer Than 500 Individuals: The covered entity must maintain a log of all such breaches and submit the log to HHS annually, no later than sixty (60) days after the end of the calendar year in which the breaches were discovered.

10.3 Notification to Media

For breaches affecting five hundred (500) or more residents of a state or jurisdiction, the covered entity must provide notice to prominent media outlets serving the state or jurisdiction without unreasonable delay and no later than sixty (60) calendar days from discovery, as required by 45 CFR §164.406. H33 coordinates with affected covered entities to support media notification when required.

11. Business Associate Responsibilities

As a Business Associate, H33’s specific obligations under the Breach Notification Rule include:

  • Discovery and Notification: Notify each affected covered entity of a breach of unsecured PHI within sixty (60) calendar days of discovery, as required by 45 CFR §164.410
  • Identification: To the extent possible, identify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached
  • Information Sharing: Provide the covered entity with all available information necessary for the covered entity to meet its notification obligations
  • Cooperation: Cooperate fully with the covered entity’s breach investigation and notification efforts
  • Subcontractor Oversight: Ensure that H33’s own subcontractors and business associates report breaches to H33 within the timeframes specified in their BAAs

12. Breach Information Maintenance

H33 maintains a log of all breaches of unsecured PHI, regardless of the number of individuals affected. The breach log includes:

Data Element Description
Date of Breach The date the breach occurred (or the best estimate if the exact date is unknown)
Date of Discovery The date the breach was discovered or should have been discovered through reasonable diligence
Date of Notification The date notification was provided to each affected covered entity
Number of Individuals The number of individuals whose PHI was involved in the breach
Types of PHI The types of PHI involved in the breach
Description A detailed description of the breach, including root cause analysis
Risk Assessment The results of the four-factor risk assessment and the determination regarding notification
Remediation Corrective actions taken to address the breach and prevent recurrence

The breach log is retained for a minimum of six (6) years and is made available to HHS upon request.

13. Workforce Training

All H33 workforce members receive training on this Breach Notification Policy as part of their initial onboarding and on an annual basis thereafter. Training covers:

  • The definition of a breach and how to identify potential breaches
  • Reporting obligations and procedures for reporting suspected breaches
  • The three exclusions from the definition of a breach
  • The four-factor risk assessment methodology
  • Notification timeframes and requirements
  • Consequences of failing to report a breach or violating this policy
  • The role of encryption and FHE in protecting PHI (and the safe harbor provision)

14. Complaints

H33 provides a process for individuals to submit complaints regarding H33’s breach notification practices. Complaints may be submitted to the Privacy Official at security@h33.ai or compliance@h33.ai. All complaints are documented, investigated, and resolved in a timely manner. Individuals may also file complaints directly with the HHS Office for Civil Rights.

15. Sanctions

H33 applies appropriate sanctions against workforce members who fail to comply with this policy, including failure to report a suspected breach, unauthorized access to PHI, or obstruction of a breach investigation. Sanctions are consistent with those described in the Privacy, Use, and Disclosure Policy and may range from verbal warnings to termination of employment.

16. No Retaliation / No Waiver

H33 does not retaliate against any workforce member or individual for reporting a suspected breach in good faith, participating in a breach investigation, or filing a complaint with HHS. H33 does not require individuals to waive their rights under the Breach Notification Rule.

17. Burden of Proof

The burden of proof for demonstrating that a use or disclosure of PHI did not constitute a breach, or that notification was not required, rests with H33. H33 must demonstrate, through the documented risk assessment, that there is a low probability that the PHI has been compromised. If the risk assessment cannot demonstrate low probability, the incident must be treated as a reportable breach.

Appendix A: Sample Breach Notification Letter

H33.ai, Inc. — Breach Notification

[Date]

[Individual Name]
[Address Line 1]
[City, State ZIP]

Dear [Individual Name],

We are writing to inform you of an incident involving your protected health information. We take the privacy and security of your information very seriously, and we want to provide you with the details of what happened, what information was involved, and what steps you can take to protect yourself.

What Happened: On [date of breach], we discovered that [brief description of the incident]. We promptly began an investigation and took immediate steps to contain the incident.

What Information Was Involved: The information that may have been involved includes [types of PHI, e.g., your name, date of birth, diagnosis codes, health plan identification number].

What We Are Doing: Upon discovering this incident, we [description of investigation, containment, and remediation actions]. We have also reported this incident to [covered entity name] and to the U.S. Department of Health and Human Services as required by law.

What You Can Do: We recommend that you [specific protective steps, e.g., monitor your explanation of benefits statements, review your credit reports, consider placing a fraud alert on your credit file]. [If applicable: We are offering complimentary credit monitoring and identity protection services for [duration]. To enroll, please visit [URL] or call [phone number].]

For More Information: If you have questions about this incident or would like additional information, please contact us at:

H33.ai, Inc.
Attn: Privacy Official
Email: security@h33.ai
Phone: [toll-free number]

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, by visiting www.hhs.gov/hipaa/filing-a-complaint or calling 1-800-368-1019.

We sincerely regret any inconvenience or concern this incident may cause you. We remain committed to protecting your information and are taking all appropriate steps to prevent a similar incident in the future.

Sincerely,

H33.ai, Inc.
Privacy Official

18. Review Schedule

This policy shall be reviewed and updated at least annually. The next scheduled review is March 2027. Interim reviews shall be triggered by changes in HIPAA regulations or HHS guidance, breach incidents, audit findings, or organizational changes affecting breach notification procedures.

Questions about this policy?

Contact the HIPAA Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.