if a breach has occurred and the likelihood that a breach could cause harm to the individual, covered entities and business associates are required to perform a risk assessment (HHSwebsite). While conducting the risk assessment, covered entities should consider: “the nature and extent of the PHI, the person who gained unauthorized access to PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated” (priweb). If the risk assessment indicates that a violation of the Privacy Rule poses a low risk that PHI was compromised, then it is not considered a breach (priweb).
Moreover, covered entities and business associates do not have to notify in the case of every data breach.
In order to decide if notice is required, a CE and BA must make the following determinations: whether the PHI was unsecured, and whether an exception applies (HHSwebsite). The first step is to analyze whether the breached protected health information is unsecured. If the PHI is secured by encryption of data, destruction of electronic media, or shredding of paper or other hard copy media, notification is not required, even if the PHI was used or disclosed in violation of the HIPAA Privacy Rule (priweb). The final step is to check whether one of the exceptions to the rule applies; if so, notification is not required. Those three exceptions are, “(1) unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate, if done in good faith and the information was not further used or disclosed; (2) when a person authorized to access PHI inadvertently discloses PHI to another person who is authorized to access PHI; or (3) when there is a good faith belief that the unauthorized person to whom the PHI has been disclosed would not be able to retain the information” (priweb).