Breach Notification Requirements
Physicians and their HIPAA officers should review this rule (32-page PDF file) to determine any changes necessary to their current privacy and security policies and staff education.
- The regulations define “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance.”
- A “breach” is defined as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of the protected health information [e.g. poses a significant risk of financial, reputational or other harm to the individual], except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
- In all breaches, any individual whose PHI has been inappropriately released is to be notified.
- The covered entity is required to retain a log of all breaches and submit an annual report to the Secretary of HHS on those breaches.