Breach Notification

Learn how to break the news of a privacy breach

The rule

The Breach Notification Rule was issued under the HITECH Act (Health Information Technology for Economic and Clinical Health), part of the American Recovery and Reinvestment Act of 2009 (ARRA). The purpose of the Rule is to make sure affected individuals are notified if there is a breach of their unsecured protected health information. The Rule applies to covered entities and business associates.

Notification is required only when the breach involves unsecured Protected Health Information (PHI). This is PHI in any form or medium (electronic, paper or oral) that is not secured using a method approved by the HHS Secretary that renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals.

Who to notify

A practice must provide notification of the breach to the affected individuals and to the Secretary of HHS, and, if the breach affects more than 500 individuals, possibly to the media as well.

The written notice must be sent to the affected individual by first-class mail, at their last known address, or next of kin if necessary. It must be written in plain language, and must include specific information.

An e-mail notice may be sent if the individual has authorized the use of e-mail.
