How do you determine whether HIPAA violations need to be reported?

What is Considered a HIPAA Violation That Requires Reporting and Disclosure?

To determine HIPAA violation reporting requirements, you would follow the guidelines outlined in the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). Here is a summary of the key points on how to report HIPAA violations.

Definition of Breach:

A breach is generally an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information (PHI).

Covered entities and business associates must conduct a risk assessment to determine the probability that PHI has been compromised.

Exceptions

Exceptions include unintentional acquisition, access, or use of PHI by authorized individuals in good faith, inadvertent disclosure between authorized persons, and cases where there is a good faith belief that the unauthorized person would not have been able to retain the information.

Explanation of Unsecured Protected Health Information and Guidance

Breach notifications are required only if the breach involves unsecured protected health information.

Unsecured PHI is information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons using specified technologies or methodologies.

Breach Notification Requirements:

• Covered entities must notify affected individuals, the Secretary, and, in certain cases, the media following a breach.
• Individual notice must be sent without unreasonable delay and no later than 60 days after discovering a breach.
• Covered entities must also notify the Secretary of breaches through the HHS web site.

Media Notice:

• Covered entities must notify the media if a breach affects more than 500 residents of a State or jurisdiction.
• Notify media without unreasonable delay and no later than 60 days after discovering a breach.

Notice to the Secretary:

• Covered entities must notify the Secretary of unsecured protected health information breaches through the HHS website.
• Breaches affecting 500 or more individuals must be reported without unreasonable delay, while breaches affecting fewer than 500 individuals may be reported annually.

Notification by a Business Associate:

Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach.

Administrative Requirements and Burden of Proof:

• Covered entities and business associates have the burden of demonstrating that all required notifications have been provided or that a use or disclosure did not constitute a breach.
• Covered entities must have written policies and procedures for breach notification, train employees, and apply appropriate sanctions for non-compliance.