HCCA - CHCP: Breach Notification
Unsecured Protected Health Information - health information that is not rendered
unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or
methodology on the HHS Web site
Breach (as defined in HITECH 164.402 - The acquisition, access, use, or disclosure of protected
health information in a manner not permitted
under subpart E of this part which compromises the security or privacy of the protected health
information
Access - ability or means necessary to read,
write, modify, communicate, or otherwise use data/information.
Authorized Person - individual authorized by the entity or the entity's Business Associate
to acquire, access, or use Protected Health Information ("PHI") that is within the individual's scope of
employment
Breach Exceptions - Section 13400(1) of the Act also includes three exceptions to the definition of
''breach'' that encompass situations Congress clearly intended to not constitute breaches
Burden of Proof - Covered entities and business
associates have the burden of proof to demonstrate that all required notifications have been provided
or that a use or disclosure of unsecured protected health information did not constitute a breach
Can an CE update a notification if information has changed? - Yes
Can you email notice of a breach? - Yes, if the individual has previously agreed to be notified by
mail.
, Harm - means poses a significant risk of financial, reputational, or other harm to the individual.
How do you submit notice to the Secretary for under 500 affected individuals? - Must be
submitted electronically. Each incident must be a separate filing.
How is a individual notified? - by First Class mail
How long does a BA have to notify the CE? - 60 days from discovery
If more than 10 individuals information is out-of-date what must an CE do? - must provide
substitute individual notice by either posting the
notice on the home page of its web site or by providing the notice in major print or broadcast media
where the affected individuals likely reside
If notified is by WEB or media what must be included? - Toll Free Number
Individual Notification of a Breach must contain the following - • Brief description of what
happened and when it happened, to include the date of the breach and the date it was discovered.
• Description of the types of unsecured PHI involved in the breach (example: the individual's social
security number, date of birth, etc.)
• Steps individuals should take to protect themselves from potential harm as a result of the breach.
• Brief description of what the involved covered entity is doing to investigate the breach, mitigate losses,
and protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information.
Limited Data Set. - PHI that excludes 16 specific
identifiers as defined in the HIPAA Privacy Rule, but includes:
- zip codes
- geographical codes
- dates of birth
Unsecured Protected Health Information - health information that is not rendered
unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or
methodology on the HHS Web site
Breach (as defined in HITECH 164.402 - The acquisition, access, use, or disclosure of protected
health information in a manner not permitted
under subpart E of this part which compromises the security or privacy of the protected health
information
Access - ability or means necessary to read,
write, modify, communicate, or otherwise use data/information.
Authorized Person - individual authorized by the entity or the entity's Business Associate
to acquire, access, or use Protected Health Information ("PHI") that is within the individual's scope of
employment
Breach Exceptions - Section 13400(1) of the Act also includes three exceptions to the definition of
''breach'' that encompass situations Congress clearly intended to not constitute breaches
Burden of Proof - Covered entities and business
associates have the burden of proof to demonstrate that all required notifications have been provided
or that a use or disclosure of unsecured protected health information did not constitute a breach
Can an CE update a notification if information has changed? - Yes
Can you email notice of a breach? - Yes, if the individual has previously agreed to be notified by
mail.
, Harm - means poses a significant risk of financial, reputational, or other harm to the individual.
How do you submit notice to the Secretary for under 500 affected individuals? - Must be
submitted electronically. Each incident must be a separate filing.
How is a individual notified? - by First Class mail
How long does a BA have to notify the CE? - 60 days from discovery
If more than 10 individuals information is out-of-date what must an CE do? - must provide
substitute individual notice by either posting the
notice on the home page of its web site or by providing the notice in major print or broadcast media
where the affected individuals likely reside
If notified is by WEB or media what must be included? - Toll Free Number
Individual Notification of a Breach must contain the following - • Brief description of what
happened and when it happened, to include the date of the breach and the date it was discovered.
• Description of the types of unsecured PHI involved in the breach (example: the individual's social
security number, date of birth, etc.)
• Steps individuals should take to protect themselves from potential harm as a result of the breach.
• Brief description of what the involved covered entity is doing to investigate the breach, mitigate losses,
and protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information.
Limited Data Set. - PHI that excludes 16 specific
identifiers as defined in the HIPAA Privacy Rule, but includes:
- zip codes
- geographical codes
- dates of birth
