American Academy of Family Physicians


Breach Notification Requirements

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), adds a rule requiring physicians, health plans and other covered entities to notify individuals when their unsecured health information is breached. Covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with them. The rule also provides guidance on proper methods of encryption and destruction of health information. The effective date for this rule was September 23, 2009.

Physicians and their HIPAA officers should review this rule (32-page PDF file) to determine any changes necessary to their current privacy and security policies and staff education.

Help from the Center for Health IT

The Center for Health IT at the AAFP has provided information on this rule and what it means for physician practices, including the following key points:
  • The regulations define “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance.”
  • A “breach” is defined as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of the protected health information [e.g. poses a significant risk of financial, reputational or other harm to the individual], except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
  • In all breaches, any individual whose PHI has been inappropriately released is to be notified.
  • The covered entity is required to retain a log of all breaches and submit an annual report to the Secretary of HHS on those breaches.
The U.S. Department of Health and Human Services has also provided additional guidance on breach notification.