Under the HIPAA Breach Notification Rule, a covered entity that suffers a breach of unsecured protected health information (PHI) must notify the affected individuals. The content requirements for that patient notification are discussed below.

Under the HIPAA Breach Notification Rule, What is Substitute Notice?
If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, it must provide HIPAA breach notification by substitute individual notice. Substitute individual notice may be made by the covered entity in either of the following ways:
In either case, the substitute notice must include a toll-free phone number that remains active for at least 90 days, through which individuals can learn whether their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, it may provide substitute notice by an alternative form of written notice, by telephone, or by other means. HIPAA breach reporting requires that all individual notifications be provided without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the entity exercised reasonable diligence; that is the day the 60-day clock starts. Each notification must include, to the extent possible:
With respect to a breach at or by a business associate, the covered entity remains ultimately responsible for ensuring that individuals are notified, but it may delegate the task of providing the individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual. This consideration may depend on various circumstances, such as:
Are Covered Entities and Business Associates Subject to Additional HIPAA Breach Reporting Requirements?
Yes. Covered entities and business associates, as applicable, bear the burden of demonstrating that all required notifications were provided, or that a particular use or disclosure of unsecured protected health information did not constitute a breach; in an audit or investigation, that burden must be met with documentation. Covered entities and business associates are therefore well-advised, for every impermissible use or disclosure, to keep documentation that all required notifications were made or, alternatively, documentation showing that notification was not required. Documentation supporting a decision not to notify includes the HIPAA Breach Notification Rule risk assessment demonstrating a low probability that the protected health information was compromised by the impermissible use or disclosure. Covered entities must also comply with certain administrative requirements with respect to HIPAA breach reporting. For example, covered entities must:
Who should be notified of the breach?
Submitting Notice of a Breach to the Secretary
A covered entity must notify the Secretary if it discovers a breach of unsecured protected health information. See 45 C.F.R.
What does the Breach Notification Rule require?
HIPAA's Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed (that is, "breached") in a way that compromises the privacy or security of the PHI.
When must data breaches involving personal data be reported?
This question concerns the EU GDPR rather than HIPAA, and the deadlines differ. Under the GDPR, a controller must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, where feasible. If the breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also inform those individuals without undue delay.