
The Breach Notification Rule and HITECH Act

HIPAA's Breach Notification Rule establishes guidelines for what an organization must do when a breach of protected health information occurs. Compliance with HIPAA is an everyday practice at your workplace. It is the employers’ and employees’ responsibility to ensure the safety and privacy of each individual's PHI.


The HIPAA Omnibus Rule Improves Confidentiality

In January 2013, the HIPAA Omnibus Rule was released. This overarching rule brought the HIPAA Rules and the HITECH Act together into one piece of legislation. It did not introduce much in the way of new rulings, but it helped to clarify and fill in gaps that existed in the HIPAA and HITECH regulations. The Omnibus Rule was created in part to strengthen and improve the confidentiality and security of shared PHI, especially in electronic form. Additionally, it expanded patients' rights to access their PHI.


What is the HITECH Act?

Health Information Technology for Economic and Clinical Health Act, or HITECH for short, was signed into law in February 2009 to help encourage and expand the adoption and meaningful use of health information technology. Part of the HITECH Act addressed privacy and security concerns related to the transmission of ePHI. HITECH made business associates directly liable for HIPAA violations and established penalties for not handling electronic health records, or EHR, properly and securely. HITECH reinforced individuals' rights to access ePHI, and as mentioned, resulted in the creation of the HIPAA Breach Notification Rule.

When Patients Should Be Notified of a Data Breach

The HIPAA Breach Notification Rule requires individuals to be notified if their PHI is involved in a data breach.

1. Responsibility to Report

As an employee, it is your responsibility to report privacy or security breaches involving PHI to human resources or the appropriate compliance personnel. Even if you are unsure if an incident or action involved a breach, you are obligated to notify the appropriate entities so that it can be investigated.

2. Responsibility to Notify

If the covered entity determines that a breach has occurred, it must notify the affected individual or individuals without unreasonable delay and no later than 60 days after discovering the breach. Breaches affecting 500 or more individuals also require notice to the media and to HHS without unreasonable delay. HHS must still be notified of breaches involving fewer than 500 individuals, but that notice is only required before March 1st of the following calendar year.

3. What is a HIPAA Breach?

Under HIPAA, a breach is defined as an impermissible use or disclosure that compromises the security or privacy of PHI. The definition of a breach only applies to unencrypted or otherwise unsecured PHI. A breach occurs when PHI that must, by law, be protected is stolen, lost, improperly disposed of, hacked, accessed, or disclosed to others who are not authorized to access it. In determining whether an incident qualifies as a breach for purposes of HIPAA, the covered entity must also evaluate several factors, including the likelihood of harm and the nature of the PHI compromised.

Recent Amendments with the Safe Harbor Bill


The HITECH Act was amended in 2021 by the HIPAA Safe Harbor Bill. This revision grants reduced penalties for HIPAA breaches to both covered entities and business associates, as long as they provide detailed documentation proving they made reasonable efforts to comply with recognized security practices during the calendar year preceding the breach. The Safe Harbor Bill defines recognized security practices as the best cybersecurity standards, protocols, guidelines, and procedures established by an authoritative organization such as the National Institute of Standards and Technology (NIST).

Reduce the Risk of HIPAA Breach

You can help to reduce the risk of a HIPAA breach by implementing procedures intended to safeguard personal health information. Implementing guidelines and procedures such as these can help reduce the potential for a breach of PHI and keep you and your organization compliant with the law. Here are some best practices for protecting PHI: 


  • Keep notes, files, memory sticks, and computers in a secure place, and be careful not to leave them in open areas.

  • Use encryption when sending or storing ePHI on mobile devices.

  • Make certain when mailing documents that no sensitive information is shown.

  • Obtain authorization before releasing PHI to third parties.


Why the Breach Notification Rule should be included in HIPAA Training

The benefit of training that includes the HIPAA Breach Notification Rule is that it helps covered entities, business associates, and other organizations understand their obligations under the rule and the necessary steps they must take to ensure compliance. It also helps ensure that individuals are informed of any data security breach in a timely manner and are aware of their rights in the event of a breach. EasyLlama’s HIPAA courses use integrative knowledge checks and engaging real-life scenarios to educate employees about data security related to patients’ private information.


The Most Comprehensive HIPAA Training Solution

EasyLlama’s online training course helps prepare employees to navigate HIPAA. This course provides an in-depth examination of how to respond to a breach of confidential data and the best way to protect your patients. The course covers:

Chapter 1: Introduction and Overview of HIPAA
Chapter 2: The Privacy Rule
Chapter 3: Minimum Necessary Requirements
Chapter 4: How and When to Use PHI
Chapter 5: Individual Rights
Chapter 6: Business Associate Agreement
Chapter 7: The Security Rule
Chapter 8: The Enforcement Rule
Chapter 9: The Breach Notification Rule
Chapter 10: HIPAA Timeline and Updates
Chapter 11: What Have We Learned?
Chapter 12: Conclusion