What is a HIPAA breach?
‍
A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by HIPAA regulations, which compromises the security or privacy of the PHI. Impermissible use or disclosure of protected health information is presumed to be a breach unless it can be shown that the probability of protected health information having been compromised is low, based on a multifactor risk assessment. The risk assessment should review the nature and extent of the PHI involved; to whom the disclosure of PHI was made; whether the PHI was in fact acquired or viewed; and the extent to which the risk to the PHI was mitigated, among other elements.
‍
In the event of a breach of unsecured PHI, the HIPAA Breach Notification Rule requires that covered entities communicate notification of the breach to any affected individuals, the U.S. Department of Health & Human Services, and in some cases, the media.
‍
HIPAA compliance is required of organizations and employees who work in or with the healthcare industry, or who have access to protected health information. A covered entity or business associate that fails to adhere to one or more of the HIPAA Rules is in violation of HIPAA; organizations that violate the provisions of the HIPAA Rules may be penalized. Penalties for HIPAA breaches are strict and can significantly impact an organization’s finances and reputation.