HIPAA Breach Notification Rule: Explanation and Guidance - NIU - Division of Information Technology (2024)

[45 CFR §§ 164.400-414]

Scope

The HIPAA Breach Notification Rule requires HIPAA Covered Entities and their Business Associates to provide notification following a breach of Unsecured Protected Health Information (PHI).

Specific Definitions

  • Breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
  • Breach Exclusions:
    • Any unintentional access or use of PHI by a Covered Component of the NIU Hybrid Covered Entity, including a Business Associate, if such access or use was made in good faith and within the scope of work and does not result in further inappropriate use or disclosure.
    • Any inadvertent disclosure by a person who is authorized to access PHI controlled by a Covered Component of the NIU Hybrid Covered Entity to another person also authorized to access PHI controlled by a Covered Component, as long as the information received as a result of such disclosure does not result in further inappropriate use or disclosure.
    • A disclosure of PHI where an employee of a Covered Component of the NIU Hybrid Covered Entity has a good faith belief that an unauthorized person who received the information would not reasonably be able to retain such information.
  • Presumption of Breach: An acquisition, access, use, or disclosure of PHI is presumed to be a Breach unless the NIU Hybrid Covered Entity, or applicable Business Associate, can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
    • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    • The unauthorized person who used the PHI or to whom the disclosure was made;
    • Whether the PHI was actually acquired or viewed;
    • The extent to which the risk to the PHI has been mitigated, including the extent and efficacy of mitigation; and
    • Other mitigating factors considered by the NIU Hybrid Covered Entity that are relevant to the risk assessment. [45 CFR § 164.402].
  • Unsecured Protected Health Information (PHI) is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services in guidance (currently, encryption consistent with that guidance or destruction of the media).

Breach Notification Requirements

Following a breach of Unsecured PHI, Covered Entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and, in some circumstances, to the media. Business Associates must notify the Covered Entity if a breach occurs at or by the Business Associate, without unreasonable delay and in no case later than 60 days following discovery of the Breach. Notifications will be carried out in compliance with the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as any other applicable federal or state notification law.

Notification is not required if the PHI was secured by encryption consistent with HHS guidance; provided, however, that encryption keys must be kept on a device or at a location separate from the data they encrypt or decrypt, and if the key or decryption process was itself compromised the PHI is not considered secured. Nothing in this policy is meant to require a Covered Component to provide information to an individual that is privileged under the attorney-client privilege, licensed mental health professional privilege, or other privilege laws. Further, the NIU Hybrid Covered Entity will not disclose the names of any employees or other individuals involved in the breach or any specific sanctions taken against such employees.

  1. Individual Notice: Covered Entities must notify, in writing by first-class mail (or by email, if the individual has agreed to receive electronic notice), any affected individuals following the discovery of a breach of Unsecured PHI. Notifications must be provided without unreasonable delay and in no case later than 60 calendar days following the discovery of a Breach. A Breach is treated as discovered on the first day it is known to the Covered Entity, or on which it would have been known by exercising reasonable diligence. The notice must be written in plain language and include:
    • A brief description of the Breach;
    • A description of the types of information involved in the Breach;
    • The steps affected individuals should take to protect themselves from potential harm;
    • A brief description of what the Covered Entity is doing to investigate the Breach, mitigate the harm, and prevent further Breaches; and
    • Contact information for the Covered Entity or Business Associate.
  2. Media Notice: In addition to Individual Notice, following a Breach that affects more than 500 residents of a State or jurisdiction, Covered Entities must provide notice to prominent media outlets serving the State or jurisdiction. The notice is often in the form of a press release and must be provided without unreasonable delay and in no case later than 60 days following the discovery of a Breach. The media notice must include the same information required for the Individual Notice.
  3. Notice to the Secretary of Health and Human Services: In addition to Individual Notice, Covered Entities must notify the Secretary via electronic submission at the HHS website. If the Breach affects 500 or more individuals, Covered Entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the discovery of the Breach. If the Breach affects fewer than 500 individuals, the Covered Entity must maintain a log of such Breaches and submit it to the Secretary no later than 60 days after the end of the calendar year in which the Breach was discovered.