The Breach Notification Rule: What to Do If You Have a Breach

Posted by Thomas Davon on

Sometimes health care providers may, whether through ignorance or deliberately, use or disclose Protected Health Information (PHI) without a patient’s permission. This is a violation of the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules, and there are procedures to follow for notifying the relevant authorities. According to HIPAA, a breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of that PHI.

A Covered Entity (CE) or Business Associate (BA) may use or disclose a patient’s PHI if the CE can show, through a documented risk assessment, that the PHI used or disclosed has not been compromised or has a very low probability of having been compromised.

Otherwise, an impermissible use or sharing of unsecured PHI is considered a breach.


Whenever a Covered Entity (CE) or a Business Associate (BA) discovers that a breach of unsecured PHI has occurred, the HIPAA Privacy and Security Rules require that you inform the affected patients, the Secretary of the Department of Health and Human Services (HHS), and, in some cases, the media. As a Covered Entity, you are required by the HIPAA Privacy Rule and Security Rule to inform patients and the Secretary of HHS of any theft, loss, or other impermissible use or disclosure of unsecured Protected Health Information (PHI).

If a theft or loss of health care information affects 500 or more individuals, the CE is expected to report it to the Secretary of HHS immediately. If the lost health information affects fewer than 500 individuals, the CE must report it within 60 days after the end of the calendar year in which the breach happened. If the HHS Office for Civil Rights (OCR) investigates a significant breach and finds that a CE failed to comply with HIPAA, penalties will be imposed on the CE.

