!! Notify the ITS Department of any potential breach !!
Email firstname.lastname@example.org or call 704.815.7345 (Maxwell Group, Inc. ITS Breach line) if you believe electronic personal health information (ePHI) might have been lost, stolen, compromised, misdirected, etc. The ITS Department will work with you to determine the exposure (if any) and whether notification is required.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires covered entities under HIPAA to follow specific rules relating to the discovery of a breach of protected health information. These rules require covered entities and business associates to do the following when a security breach is discovered:
- Provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information.
- For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, provide notification of the breach to the media.
- In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach.
A “breach” is defined as the acquisition, access, use, or disclosure of protected health information in a manner which compromises its security or privacy.
A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
A breach is considered discovered by a covered entity as of the first day the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity. A covered entity is not liable for failing to provide notification in cases in which it is not aware of a breach unless the covered entity would have been aware of the breach had it exercised reasonable diligence.
The covered entity must send the required notification without unreasonable delay and in no case later than 60 calendar days after the breach was discovered.