HIPAA Breach Notification Rule

Any impermissible use or disclosure of the protected health information under the Privacy Rule is known as breach. Any such breach compromises the security or privacy the individual and poses serious financial, reputational risk or other harm to the affected individual.

In August 2009, the interim final rule of breach notification was issued and implemented section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The breach notification rule requires HIPAA covered entities and their business associates to notify breach of unsecured protected health information.

Unsecured Protected Health Information and Guidance
In April 2009, the guidance on HITECH Breach Notification was issued with an appeal for public comments. After consideration of public comments and implementing adequate changes the guidance was reissued as Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information.

Also, the guidance is applicable to unsecured personal health record identifiable health information under the FTC regulations. It states that the covered entities and business associates should only provide required notification if the breach involved unsecured protected health information. As per the guidance, covered entities, business associates, and FTC regulated entities securing guidance specified information are not required for providing notifications following the breach of such information.

Requirements of HIPAA Breach Notification Rule
In case of breach of unsecured protected health information, the covered entities must provide following notices:
  • Individual Notice
  • Media Notice
  • Notice to the Secretary
  • Notification by a Business Associate