Alert patient, Secretary when private info gets exposed.
When a HIPAA breach occurs at your practice, you must file notifications as per the instructions of the U.S. Department of Health & Human Services (HHS). They’re so serious about these notices, there’s even a rule on the books.
“The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information,” according to the HHS website.
Get the lowdown on what constitutes a HIPAA breach, and what you have to do when one occurs, straight from the HHS rulebook.
Definition: HHS defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information [PHI].”
HHS presumes all impermissible uses or disclosures of PHI to be breaches “unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.” (For a more complete explanation of the breach definition and of risk assessments, see the link at the bottom of this blog post.)
Notification requirements: When your practice experiences a HIPAA breach, HHS wants you to provide notifications to any affected individuals, the HHS Secretary and, in certain circumstances, the media. Here’s what HHS expects you to do for each of these populations should a breach occur: