The Breach Notification Rule and HITECH Act

HIPAA's Breach Notification Rule sets out what a covered entity or business associate must do when a breach of unsecured protected health information (PHI) occurs. Compliance with HIPAA is an everyday practice at your workplace: employers and employees share the responsibility for keeping each individual's PHI private and secure.


The HIPAA Omnibus Rule Improves Confidentiality

In January 2013, the HIPAA Omnibus Rule was released. This overarching rule implemented the HITECH Act's statutory changes in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, bringing them together as one set of regulations. It did not introduce many new requirements, but it clarified and filled gaps that existed between the HIPAA and HITECH provisions. The Omnibus Rule was created in part to strengthen the confidentiality and security of shared PHI, especially in electronic form, and it extended direct liability for those requirements to business associates. It also expanded patients' rights to access their PHI.

What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health Act, or HITECH for short, was signed into law in February 2009 to encourage and expand the adoption and meaningful use of health information technology. Part of the HITECH Act addressed privacy and security concerns related to the storage and transmission of electronic PHI (ePHI). HITECH made business associates directly liable for HIPAA violations and introduced tiered civil penalties for failing to handle electronic health records (EHR) properly and securely. HITECH reinforced individuals' rights to access their ePHI and, as mentioned, resulted in the creation of the HIPAA Breach Notification Rule.

When Patients Should Be Notified of a Data Breach

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals when their unsecured PHI is involved in a breach, and requires business associates to notify the covered entity so that it can do so.

Responsibility to Report

As an employee, it is your responsibility to report privacy or security incidents involving PHI to human resources or the appropriate compliance personnel. Even if you are unsure whether an incident involved a breach, you are obligated to notify the appropriate people so that it can be investigated and, if necessary, the notification clock can start.

Responsibility to Notify

If the covered entity determines that a breach has occurred, it must notify the affected individual or individuals without unreasonable delay and no later than 60 days after discovering the breach. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to anyone in the organization other than the person who caused it. Breaches affecting 500 or more individuals must also be reported to HHS without unreasonable delay and within the same 60-day window, and where more than 500 residents of a single state or jurisdiction are affected, notice must be given to prominent media outlets serving that area. Breaches involving fewer than 500 individuals must still be reported to HHS, but this may be done through an annual log submitted no later than 60 days after the end of the calendar year in which the breach was discovered (in practice, by about March 1 of the following year).

What is a HIPAA Breach?

Under HIPAA, a breach is an impermissible acquisition, access, use, or disclosure that compromises the security or privacy of PHI. The definition applies only to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance; the loss of properly encrypted ePHI whose key was not also compromised is therefore not a reportable breach. A breach occurs when PHI that must, by law, be protected is stolen, lost, improperly disposed of, hacked, or accessed by or disclosed to someone not authorized to see it. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

What is the Breach Notification Rule?

The Omnibus Rule

The Omnibus Rule is a HIPAA regulation that was finalized in 2013 and is designed to strengthen the privacy and security of protected health information (PHI). It applies the HIPAA Privacy and Security Rules, including the administrative, physical, and technical safeguards for ePHI, directly to business associates and their subcontractors, not only to covered entities. The rule also finalized the Breach Notification Rule, replacing the earlier "risk of harm" standard with the presumption that an impermissible use or disclosure is a breach, and required changes to the Notice of Privacy Practices.

Recent Amendments with the Safe Harbor Bill

The HITECH Act was amended in January 2021 by the HIPAA Safe Harbor Bill (H.R. 7898). The amendment does not exempt anyone from the Breach Notification Rule; it requires HHS, when determining fines, audit results, and other remedies for a HIPAA violation, to consider whether the covered entity or business associate had recognized security practices in place for at least the previous 12 months. To benefit, the organization must be able to document that those practices were actually implemented, which makes a maintained security program and evidence of its operation a direct input to the penalty outcome. The bill defines recognized security practices as the standards, guidelines, best practices, methodologies, procedures, and processes developed under the NIST Act (for example, the NIST Cybersecurity Framework), the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices), and other cybersecurity programs recognized through regulation under other statutory authorities.


Reduce the Risk of HIPAA Breach

You can help to reduce the risk of a HIPAA breach by following procedures intended to safeguard protected health information. Practices such as these reduce the potential for a breach of PHI and help keep you and your organization compliant with the law. Here are some best practices for protecting PHI:

  • Keep notes, files, memory sticks, and computers in a secure place, and do not leave them unattended in open areas.
  • Use encryption when sending ePHI or storing it on laptops, phones, and removable media. PHI encrypted in line with HHS guidance is not "unsecured," so the loss of an encrypted device does not by itself trigger a notification, provided the decryption key was not also exposed.
  • When mailing documents, make certain that no sensitive information is visible on the outside of the envelope or through its window.
  • Obtain proper authorization before releasing PHI to third parties, and disclose only the minimum necessary for the purpose.
  • Report any suspected incident immediately, since the 60-day notification clock runs from the date the breach is discovered, not from the date the investigation concludes.

Why the Breach Notification Rule should be included in HIPAA Training

Training that covers the HIPAA Breach Notification Rule helps covered entities, business associates, and other organizations understand their obligations under the rule and the steps they must take to comply: recognizing a potential breach, reporting it internally, completing the risk assessment, and issuing the required notifications on time. It also helps ensure that individuals are informed of any breach of their data in a timely manner and are aware of their rights when one occurs. EasyLlama's HIPAA courses use interactive knowledge checks and real-life scenarios to educate employees about the security of patients' private information.


The Most Comprehensive HIPAA Training Solution

EasyLlama's online training course helps prepare employees to navigate HIPAA. It examines in depth how to respond to a breach of confidential data and how best to protect your patients. The course covers:

Chapter 1: Introduction and Overview of HIPAA

Chapter 2: The Privacy Rule

Chapter 3: Minimum Necessary Requirements

Chapter 4: How and When to Use PHI

Chapter 5: Individual Rights

Chapter 6: Business Associate Agreement

Chapter 7: The Security Rule

Chapter 8: The Enforcement Rule

Chapter 9: The Breach Notification Rule

Chapter 10: HIPAA Timeline and Updates

Chapter 11: What Have We Learned?

Chapter 12: Conclusion
