HIPAA Breach Notification Rule

E181950

The HIPAA Breach Notification Rule is a U.S. federal regulation that requires covered entities and their business associates to notify affected individuals, regulators, and sometimes the media when unsecured protected health information is compromised.

All labels observed (2)

How this entity was disambiguated

Statements (50)

Predicate Object
instanceOf HIPAA regulation
U.S. federal regulation
allowsAnnualHHSReportingWhen breach affects fewer than 500 individuals
appliesTo HIPAA business associates
HIPAA covered entities
appliesToDataType unsecured PHI
unsecured protected health information
authority HITECH Act
HITECH Act
surface form: Health Information Technology for Economic and Clinical Health Act
codifiedIn 45 CFR Part 164 Subpart D
definesSecuredPHIBy encryption or destruction in accordance with HHS guidance
definesTerm breach of unsecured protected health information
unsecured protected health information
effectiveDate September 23, 2009
enforcedBy Office for Civil Rights
surface form: HHS Office for Civil Rights

United States Department of Health and Human Services
surface form: U.S. Department of Health and Human Services
excludes breaches involving secured PHI
implementedBy HITECH Act
surface form: HITECH Act amendments to HIPAA
jurisdiction United States of America
surface form: United States
mediaNotificationThreshold breach affecting more than 500 residents of a state or jurisdiction
notificationDeadline no later than 60 days following discovery of a breach
without unreasonable delay
notificationTrigger acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule
partOf Health Insurance Portability and Accountability Act
surface form: HIPAA

Health Insurance Portability and Accountability Act
penaltiesForNonCompliance civil monetary penalties under HIPAA
primaryGoal to ensure individuals are informed when their health information is compromised
to promote transparency about breaches of protected health information
relatedTo HIPAA Privacy Rule
HIPAA Security Rule
requires documentation of breach investigations
risk assessment to determine probability that PHI has been compromised
timely breach notification
requiresBusinessAssociate to notify covered entity of breaches of unsecured PHI
requiresHHSNotificationWhen breach affects 500 or more individuals
requiresMediaNotificationWhen breach affects more than 500 residents of a state or jurisdiction
requiresNoticeContent contact procedures for individuals to ask questions or learn additional information
description of the types of information involved
description of what happened
steps individuals should take to protect themselves
what the covered entity is doing to investigate and mitigate the breach
requiresNotificationMethod electronic mail if the individual has agreed to electronic notice
first-class mail
requiresNotificationTo United States Department of Health and Human Services
surface form: U.S. Department of Health and Human Services

affected individuals
prominent media outlets in certain cases
requiresSubstituteNoticeWhen insufficient or out-of-date contact information for 10 or more individuals
sector healthcare
substituteNoticeMethods media notice
website posting

How these facts were elicited

Referenced by (3)

Full triples — surface form annotated when it differs from this entity's canonical label.

Office for Civil Rights enforces HIPAA Breach Notification Rule
subject surface form: Office for Civil Rights (HHS)
this entity surface form: Health Insurance Portability and Accountability Act breach notification rule
HIPAA Enforcement Rule relatedTo HIPAA Breach Notification Rule