Acquisition, access, use, or disclosure of protected health information (PHI) is considered a HIPAA breach when the PHI’s security or privacy is compromised in a way that is not permitted by HIPAA standards. Unless it can be demonstrated that the possibility of compromised protected health information is minimal, based on a multifactor risk assessment, unauthorized use or disclosure of protected health information is deemed a breach.
Through risk assessment, the company should address the following points:
- The nature and extent of the PHI.
- All the entities to whom the company disclosed PHi.
- The nature of the possession of PHI: acquired or viewed.
- The mitigation of the risk to PHI that the company did.
The HIPAA Breach Notification Rule mandates that, in the event of a breach involving unsecured PHI, covered entities notify any impacted individuals, the U.S. Department of Health & Human Services, and, in some circumstances, the media.
Organizations and personnel operating in or with the healthcare industry or accessing protected medical information must adhere to HIPAA regulations. A covered entity or business associate who violates one or more of the HIPAA Rules violates the law, and those companies who do so may face sanctions. HIPAA violations include severe penalties that can harm an organization’s finances and reputation.