HIPAA Breach Paper
First enforcement action resulting from HITECH ACT is the Breach Notification Rule. A HIPPA rule that requires HIPAA covered entities (CE) and their business associates (BA) to provide notification following a breach of unsecured protected health information (PHI) (HHSwebsite). CE and BA must notify U.S department of Health and Human Services (HHS), some situations the media, and all individuals whose PHI has been breached (hhswebsite). Plus, all notifications must be made no later than 60 days after the discovery of the breach (bok). So, what is a Breach? Under HIPAA, a breach is defined as “the unauthorized acquisition, access, use or disclosure of an unsecured PHI which compromises the security or privacy of PHI” (healthlaw). In order to determine
…show more content…
In order to decide if notice is required, a CE and BA must make the following determinations: whether the PHI was unsecured; and whether an exception applies (HHSwebsite). The first step is to analyze if the breached protected health information is unsecured. If the PHI is secured by Encryption of data, destruction of electronic media, and shredding of paper or other hard copy media, notification is not required, even if the PHI was used or disclosed in violation of HIPAA privacy rule (priweb). The final step is to look for any exceptions that applies to the rule and notification is not required. Those three exceptions are, “(1) unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate, if done in good faith and the information was not further used or disclosed; (2) when a person authorized to access PHI inadvertently discloses PHI to another person who is authorized to access PHI; or (3) when there is a good faith that the unauthorized person to whom the PHI has been disclosed would not be able to retain the information”
In order to decide if notice is required, a CE and BA must make the following determinations: whether the PHI was unsecured; and whether an exception applies (HHSwebsite). The first step is to analyze if the breached protected health information is unsecured. If the PHI is secured by Encryption of data, destruction of electronic media, and shredding of paper or other hard copy media, notification is not required, even if the PHI was used or disclosed in violation of HIPAA privacy rule (priweb). The final step is to look for any exceptions that applies to the rule and notification is not required. Those three exceptions are, “(1) unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate, if done in good faith and the information was not further used or disclosed; (2) when a person authorized to access PHI inadvertently discloses PHI to another person who is authorized to access PHI; or (3) when there is a good faith that the unauthorized person to whom the PHI has been disclosed would not be able to retain the information”