May 13, 2024

Understanding HIPAA Breach Rules - A Comprehensive Overview

The Health Insurance Portability and Accountability Act, better known as HIPAA, includes a series of stringent regulations that dictate how Protected Health Information (PHI) is handled. Among them, the Breach Notification Rule has generated much discussion, shedding light on the meticulous reporting process required after a breach. This article will help you understand exactly what this rule entails and what steps must be taken following a breach.

Getting to Grips with the Definition of a Breach

But first, what exactly is a breach under HIPAA? A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. Various factors are taken into account to assess the probability that the PHI has been compromised.

Breach Exceptions

There are, however, exceptions to this definition, such as unintentional acquisition, inadvertent disclosure, or a good faith belief that the unauthorized person who has the information cannot retain it.

Unsecured Protected Health Information

Another important factor relates to Unsecured Protected Health Information. This refers to PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. When a breach involves unsecured PHI, covered entities and business associates must notify affected individuals.

Breach Notification Requirements

There is a protocol for communicating the breach. Covered entities must notify individuals affected by the breach, the Secretary of the Department of Health and Human Services (HHS), and in some cases, the media. Business associates, on the other hand, are required to notify covered entities of any breaches.

Individual, Media, and Secretary Notices

Notices differ in form and intended recipient. The Individual Notice must be in writing and include detailed information about the breach and the steps affected individuals can take to protect themselves. It must be provided within 60 days of discovering the breach.

Where a breach affects more than 500 residents of a State or jurisdiction, covered entities must also notify prominent media outlets. Further, a specific Notice must be sent to the Secretary regarding the Breach of Unsecured Protected Health Information.

Business Associates' Notification

Business associates also play a pivotal role in this process. They are required to inform covered entities of breaches within 60 days of discovery, providing information about the individuals affected.
