What is a HIPAA Breach Notification?

Created by Kelly Knudsen, Modified on Fri, 19 Jan at 10:01 PM by Kelly Knudsen

A HIPAA breach notification is a requirement under the Health Insurance Portability and Accountability Act (HIPAA) that mandates covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media, following a breach of unsecured protected health information (PHI). A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI in a manner that compromises its security or privacy.


When a breach of unsecured PHI occurs, covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates must conduct a risk assessment to determine the likelihood that the breached information could cause financial, reputational, or other harm to the affected individuals. If it is determined that there is a significant risk of harm, the breach must be reported.


The breach notification process typically includes:

  1. Notification to Affected Individuals: Covered entities must promptly notify affected individuals about the breach by mail, email, or other appropriate methods. The notification should include details about the breach, the type of information involved, steps individuals should take to protect themselves, and contact information for inquiries.
  2. Notification to HHS: Covered entities must report breaches affecting more than 500 individuals to the HHS Secretary without unreasonable delay and within 60 days of the breach's discovery. Smaller breaches can be reported annually to HHS.
  3. Media Notification: If a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving the area.


The breach notification requirements aim to promote transparency, accountability, and the protection of individuals' health information. By promptly notifying affected individuals and appropriate authorities, covered entities and business associates can mitigate the potential negative impact of a breach and take steps to prevent future breaches.


It's important to note that the breach notification requirements are distinct from HIPAA's privacy and security rules, which outline safeguards for the protection of PHI and individuals' rights to access and control their health information.


For support in managing your fiduciary responsibilities, visit Fiduciary In A Box.


© 2023 Fiduciary In A Box, Inc. All rights reserved.
