Breach Notification Rule
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).
What is a "Breach"?
HIPAA defines a "breach" as, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
There are three exceptions to the HIPAA definition of breach:
- The unintentional acquisition, access, or use of PHI made in good faith and within the scope of authority.
- The inadvertent disclosure of PHI by a person authorized to access PHI to another person authorized to access PHI at the same covered entity or business associate.
- If the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.