The Breach Notification Rule and HITECH Act
HIPAA's Breach Notification Rule establishes guidelines for what an organization must do when a breach of protected health information occurs. Compliance with HIPAA is an everyday practice at your workplace. It is the employers’ and employees’ responsibility to ensure the safety and privacy of each individual's PHI.
What is the HITECH Act?
The HIPAA Breach Notification Rule requires individuals to be notified if their PHI is involved in a data breach.
As an employee, it is your responsibility to report privacy or security breaches involving PHI to human resources or the appropriate compliance personnel. Even if you are unsure if an incident or action involved a breach, you are obligated to notify the appropriate entities so that it can be investigated.
If the covered entity determines that a breach has occurred, it must notify the affected individual or individuals without unreasonable delay and no later than 60 days after discovering the breach. Breaches affecting 500 or more individuals also require notice to the media and to HHS without unreasonable delay. HHS must still be notified if the breach involves fewer than 500 individuals, but only before March 1st of the following calendar year.
Under HIPAA, a breach is defined as an impermissible use or disclosure that compromises the security or privacy of PHI. The definition of a breach only applies to unencrypted or otherwise unsecured PHI. A breach occurs when PHI that, by law, must be protected is stolen, lost, improperly disposed of, hacked, accessed, or disclosed to others who are not authorized to access it. In determining whether an incident qualifies as a breach for purposes of HIPAA, the covered entity must also evaluate several factors, including the likelihood of harm and the nature of the PHI compromised.
Recent Amendments with the Safe Harbor Bill
The HITECH Act was amended in 2021 by the HIPAA Safe Harbor Bill. This revision grants reduced penalties for HIPAA breaches to both covered entities and business associates, as long as they provide detailed documentation proving they made reasonable efforts to comply with recognized security practices during the calendar year preceding the breach. The Safe Harbor Bill defines recognized security practices as the best cybersecurity standards, protocols, guidelines, and procedures established by an authoritative organization such as the National Institute of Standards and Technology (NIST).
Reduce the Risk of HIPAA Breach
You can help to reduce the risk of a HIPAA breach by implementing procedures intended to safeguard protected health information. Guidelines and procedures such as these can help reduce the potential for a breach of PHI and keep you and your organization compliant with the law. Here are some best practices for protecting PHI:
- Keep notes, files, memory sticks, and computers in a secure place, and be careful not to leave them in open areas.
- Use encryption when sending or storing ePHI on mobile devices.
- Make certain when mailing documents that no sensitive information is shown.
- Obtain authorization before releasing PHI to third parties.
Why the Breach Notification Rule should be included in HIPAA Training
EasyLlama’s online training course helps prepare employees to navigate HIPAA. This course provides an in-depth examination of how to respond to a breach of confidential data and the best way to protect your patients. The course covers: