Following a breach of protected health information (PHI), covered entities, such as physicians, must notify affected individuals, the Secretary of the US Department of Health and Human Services, and, in certain circumstances, the media. In addition, Business Associates must notify covered entities if a breach occurs at or by the Business Associate. 

Administrative Requirements 

Covered entities are also required to comply with certain administrative requirements with respect to breach notification.   

For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures. 


Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.  
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired. 

American Academy of Pediatrics