A covered entity should notify patients directly when a data breach involves their PHI.
According to the HHS, “Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information.”
The Breach Notification Rule defines a breach as an unauthorized acquisition, access, use, or disclosure of protected health information (PHI). The rule places the responsibility to notify patients on covered entities, while business associates are responsible for notifying the covered entity when a breach occurs within their organization.
Although both have a role in the breach notification process, the responsibilities placed on covered entities and business associates differ. Covered entities, including healthcare providers, health plans, and healthcare clearinghouses, are primarily responsible for notifying affected individuals when a breach occurs. This includes informing patients directly, describing the information that was breached, and explaining the steps individuals can take to protect themselves.
Business associates are not directly responsible for notifying patients; instead, they must inform the covered entity that a breach has occurred. The covered entity must then take the necessary steps to notify the individuals whose data was compromised.
Covered entity steps:
Detect and assess
Investigate
Notify affected individuals
Notify the Secretary of Health and Human Services
Notify the media
Business associate steps:
Detect and assess
Notify the covered entities
Assist in notifications
Documentation
The Health Insurance Portability and Accountability Act is designed to protect the privacy and security of individuals.
A business associate is a person or company that performs services or functions for a covered entity and handles PHI.
If an organization fails to notify patients of a breach, it can face legal penalties, fines, and damages.