HIPAA has clearly defined rules on how security breaches must be reported. Reporting them according to the prescribed norms is in the best interest of Business Associates and Covered Entities, as well as of the individuals whose information has been breached.
The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of congressional legislation that aims to safeguard individuals' healthcare information. It spells out how this is to be done through its two most important rules, the HIPAA Privacy Rule and the HIPAA Security Rule. Briefly, the Privacy Rule protects Protected Health Information (PHI) regardless of the medium it is held in, while the Security Rule concerns itself specifically with the protection of electronic protected health information (ePHI).
Healthcare providers are often in a bind when a security breach affects records that fall under HIPAA's jurisdiction; the obligations that apply in that situation are set out in what is termed the Breach Notification Rule. First, a brief understanding of what constitutes a breach: HIPAA defines a breach as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information".
The HIPAA Breach Notification Rule lays down guidelines on what is to be done whenever a HIPAA security breach occurs. The Breach Notification Rule requires HIPAA covered entities to carry out the following: