Health Insurance Portability and Accountability Act (HIPAA)
Breach Notification Requirements
Following a breach of protected health information (PHI), covered entities must notify affected individuals, the Secretary of the US Department of Health and Human Services, and, in certain circumstances, the media. In addition, Business Associates must notify covered entities if a breach occurs at or by the Business Associate.
Covered entities are also required to comply with certain administrative requirements with respect to breach notification.
For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Sample policies and procedures are found in the Academy's HIPAA Privacy Compliance Manual, which is available free of charge to its members.
Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.