HIPAA and Security Breaches

Key Takeaway:

HIPAA has clearly defined rules on how to report security breaches. Reporting these according to prescribed norms is in the best interest of Business Associates, Covered Entities, as well as individuals whose security has been breached.

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark congressional legislation that aims to safeguard healthcare information of individuals. It spells out how this is to be done through its two important rules, the HIPAA Privacy Rule and the HIPAA Security Rule. Briefly, the Privacy Rule protects Protected Health Information no matter which medium it is in, while the Security Rule concerns itself with protection of electronic protected health information (ePHI).

Now, what happens when the security of that information is breached?

Healthcare providers are often in a bind when a security breach involves records that fall under HIPAA, which governs such incidents through what is termed the Breach Notification Rule. First, a brief understanding of what constitutes a breach: HIPAA defines a breach as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information".

What to do in case of a breach

The HIPAA Breach Notification Rule has guidelines on what is to be done whenever there is a HIPAA security breach. The Breach Notification Rule requires HIPAA covered entities to carry out the following:

  • Any theft, loss, or other impermissible use or disclosure of unsecured protected health information has to be reported to the individuals whose records are affected, as well as to the Secretary of the U.S. Department of Health and Human Services (HHS).
  • Whenever the breach involves the unsecured protected health information of 500 or more individuals, health care providers have to notify the Secretary of HHS and also the media.
  • If the breach affects fewer than 500 individuals, the Covered Entity has to report it to both the Secretary of HHS and the individuals whose records have been breached. The Covered Entity may do this annually, within two months of the end of the calendar year in which the breaches took place.

What happens when a HIPAA security breach is reported?
