Let us begin at the beginning: What is breach notification? The term is simple to understand. It means notifying the authorities whenever there is a breach of Protected Health Information (PHI). Covered Entities (CEs) and Business Associates (BAs), which work closely with PHI, and individuals whose PHI has been breached, are required to bring such data breaches to the notice of the authorities whenever one occurs.
Breach notification is a mechanism aimed at ensuring that BAs and CEs meet the requirements of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA).
Whenever a CE or a BA breaches PHI, or violates the Privacy, Security, or Breach Notification Rules, the affected individual can complain to the Office for Civil Rights (OCR), which will initiate an investigation into the complaint.
Whenever a CE or a BA detects a breach, it can report it to the Secretary of Health and Human Services (HHS). In addition, the HIPAA breach notification rules give clear guidelines on how to report breaches in the following classifications:
A breach of PHI is said to have taken place when any unpermitted use or disclosure compromises the security of the data in the PHI. Any such action that results in the breach of any kind of data contained in PHI, big or small, is considered a breach, unless the CE or BA can show, from its risk assessment, that the breached data was not serious enough to warrant immediate intervention.
The HHS embarked on a new HIPAA breach notification program, the HIPAA Privacy, Security, and Breach Notification Audit Program, through which it seeks to introduce a few changes to the existing HIPAA breach notification rules.