HIPAA Breach Notification Rule

A regulation under the Health Insurance Portability and Accountability Act (HIPAA) that requires covered entities and their business associates to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, in certain cases, the media, of breaches of unsecured protected health information (PHI).

Protected Health Information (PHI)

Individually identifiable health information that is transmitted or maintained by a covered entity or its business associate, in any form or medium. This includes demographic information, medical histories, test results, and other information used to identify a patient.

Covered Entity

Any healthcare provider, health plan, or healthcare clearinghouse that electronically transmits health information in connection with certain transactions, as defined by HIPAA regulations.

Business Associate

A person or entity that performs certain functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of protected health information.

Breach

The unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Not every incident involving PHI constitutes a breach under HIPAA, but those that do must be reported and managed according to the Breach Notification Rule.

Risk Assessment

A systematic process of evaluating the potential risks associated with a breach of PHI, including the likelihood and impact of the breach on individuals’ privacy and security.

Notification

The process of informing affected individuals, HHS, and, in some cases, the media, about a breach of unsecured PHI as required by the HIPAA Breach Notification Rule. Notifications must be provided without unreasonable delay, generally within 60 days of the discovery of the breach.

Individual Notification

The requirement to inform affected individuals of a breach of their unsecured PHI, including a description of the incident, the types of information involved, steps individuals can take to protect themselves, and contact information for further inquiries.

Media Notification

When a breach involves 500 or more individuals, covered entities must also notify prominent media outlets serving the state or jurisdiction affected by the breach.

Corrective Action

Remedial measures taken by covered entities and business associates to address the causes of a breach, prevent further breaches, and comply with HIPAA requirements. This may include updating policies and procedures, implementing additional security measures, and providing training to staff.