The Breach Notification Rule was issued under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA). The purpose of the Rule is to make sure affected individuals are notified if there is a breach of their unsecured protected health information. The rule applies to covered entities and business associates.
In order for notifications to be required, a breach must be of unsecured Protected Health Information (PHI). This is PHI in any form or medium (electronic, paper or oral) that is not secured using a method approved by the HHS Secretary, which makes PHI unusable, unreadable, or indecipherable to unauthorized individuals.
A practice must provide notification of the breach to affected individuals and the Secretary of HHS, and possibly to the media if the breach involves over 500 individuals.
The written notice must be sent to the affected individual, at his last known address, or to the next of kin, if necessary, by first class mail. It must be written in plain language and must include specific information.
An e-mail notice may be sent if the individual has authorized the use of e-mail.
Click below if you are interested in our HIPAA Compliance Program.