HIPAA Rules: Breach Notification Rule

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996; the HIPAA Breach Notification Rule was added in 2009.

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify affected individuals following a breach of unsecured protected health information (PHI). "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance, such as encryption or destruction; the loss of properly encrypted PHI therefore does not, by itself, trigger notification. A breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of the PHI. Any such impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

The Breach Notification Rule was issued under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. In the event of a breach of unsecured PHI, the Rule requires notification of the affected individuals and the US Department of Health and Human Services (HHS), and, in some cases, the media.

A covered entity's breach notification obligations differ depending on whether the breach affects 500 or more individuals or fewer than 500. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery of the breach. For breaches affecting 500 or more individuals, the covered entity must also notify HHS within the same 60-day window, and must notify prominent media outlets if more than 500 residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered. If the number of affected individuals is uncertain at the time of submission, the covered entity should provide an estimate and submit an addendum as further information becomes available.

To protect patient data, covered entities and business associates with access to PHI are required to implement administrative, physical, and technical safeguards. They must also comply with the HIPAA Privacy Rule and maintain an incident response plan so that a breach can be identified, assessed, and reported within the required timeframes.
