Software for HIPAA

HIPAA Breach Notification Rule (BNR)

The HITECH Act introduced new requirements for the disclosure of information breaches and saw the Breach Notification Rule added to HIPAA. The HIPAA Breach Notification Rule requires covered entities and their business associates to report breaches of PHI information to affected individuals, HHS, and in some cases to the media. A breach is defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule.

Most notifications must be provided no later than 60 days following the breach discovery. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.