[45 CFR §§ 164.400-414]
The HIPAA Breach Notification Rule requires HIPAA Covered Entities and their Business Associates to provide notification following a breach of Unsecured Protected Health Information (PHI).
Following a breach of Unsecured PHI, Covered Entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and – in some circumstances – to the media. Business Associates must notify Covered Entities if a breach occurs at or by the Business Associate. Notifications will be carried out in compliance with the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as any other applicable federal or state notification law.
Notification is not required if the PHI is secured by encryption; provided, however, that encryption keys must be kept on a separate device from the data they encrypt or decrypt. Nothing in this policy is meant to require a Covered Component to provide information to an individual that is privileged under the attorney-client privilege, the licensed mental health professional privilege, or other privilege laws. Further, the NIU Hybrid Covered Entity will not disclose the names of any employees or other individuals involved in the breach or any specific sanctions taken against such employees.