A stolen laptop, a missing thumb drive, lab results faxed to the wrong number or a medical chart recycled intact instead of shredded. What must you do if unauthorized people access your patients’ health information?

These instances are potential breaches of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, with which covered entities had to comply as of Sept. 23, 2013. As such, a provider may be required to notify the affected patients, the secretary of the U.S. Department of Health and Human Services (HHS) and, in certain circumstances, the media that patient health information is no longer private.

This article defines relevant HIPAA terms, explains the risk assessment analysis, and describes when various breach notifications are required and what they must contain.

A breach is the unauthorized acquisition, access, use or disclosure of unsecured PHI that poses a significant risk of financial, reputational or other harm to...