HITECH Act Breach Notification Rule

Organizations that experience a breach in which unsecured protected health information is exposed to unauthorized individuals or organizations must report that breach through the official channels.

HHS's Final Omnibus Rule, "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules," published in the Federal Register on Friday, January 25, 2013, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

What is a Data Breach?

A breach is the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the protected health information.

There are three exceptions to the definition of "breach." The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate. In both cases, the information must not be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.

Do I Have to Notify in All Cases?

Covered entities and business associates are required to provide notification only if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. Put simply, if the breached information was encrypted in accordance with that official guidance, you may not have to report it!

Let RISC Management & Consulting Assist You!

The experts at RISC Management & Consulting can assist all organizations, including covered entities and business associates, in determining whether a data breach has occurred, whether you must report it, and how to report it. The critical nature of the information and the tight reporting deadlines require experience, knowledge, policies, and detailed procedures. RISC can help!