HIPAA Privacy Breach Reporting Policy

Policy: HIPAA Privacy Breach Reporting

Policy Number: 202
Policy Section: Compliance
Owner: Compliance Officer
Approved By: Paul Vogelman, COO
Effective Date: 2/04/2022
Date of Last Review: 3/23/2023

SUD Specialty Group -- CA; Mental Health Specialty Group, P.A.; Mental Health Specialty Group NJ, PC; and Mental Health Specialty Group KS, P.A. (collectively, the "Group") contracts with Path CCM, Inc. d/b/a Rula Health ("Rula") for management and administrative support services. This policy applies to the Group and Rula.


Policy Statement

This policy outlines the requirements for reporting and investigating breaches or suspected breaches related to patient-protected health information as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 



This policy applies to all team members. For purposes of this policy, the Group’s and Rula’s team members include individuals who would be considered part of the workforce such as employees, independent contractors, business team members, and other persons whose work performance is under the direct purview of Rula or the Group’s business practices. 



Breach: an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.



  1. All team members, independent contractors, and business associates with access to protected health information shall report suspected breaches of privacy or suspected or actual violations of Rula’s HIPAA privacy and security policies and procedures. 
    1. If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.  A business associate must provide notice to the covered entity without unreasonable delay and no later than 30 days from the discovery of the breach.  
    2. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
  2. Notification
    1. The team member, independent contractor, or business associate discovering the suspected breach or violation of policy must notify the Privacy Officer, or authorized representative immediately regarding the incident.
    2. The notification should be in writing and be completed using Rula’s Compliance Hotline.
    3. Steps should be initiated as soon as possible to mitigate the risk of a further breach. For example: immediately locking a workstation/laptop so that the screen cannot be viewed or requesting a recall on an email sent. 
    4. The legal team will be notified of any occurrence representing a potential liability claim. 
  3. Investigation 
    1. The Privacy Officer or authorized representative will facilitate the investigation of the suspected breach or violation.
    2. Team members, independent contractors, and business associates are required to participate in and fully cooperate with the investigation. 
  4. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
    1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the protected health information or to whom the disclosure was made;
    3. Whether the protected health information was actually acquired or viewed; and
    4. The extent to which the risk to the protected health information has been mitigated.
  5. Results of the Investigation
    1. A written summary of the investigation and action(s) taken will be kept on file in accordance with the Record Retention and Destruction policy.
    2. The written summary will include whether or not the report resulted in a breach of privacy, any action(s) taken to mitigate the risk associated with the breach, and any external reporting requirements that were completed.
  6. External Notifications of Identified Breaches
    1. Affected Individual(s) Notification: A written notification will be provided to affected patients no later than 60 days from the date the breach was discovered.
      1. A notification can occur via email if the affected individual(s) have agreed to receive notices electronically.
      2. If there is insufficient or out-of-date contact information for 10 or more individuals, a substitute individual notice will be provided either by posting the notice on the home page of the covered entity's website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn whether their information was involved in the breach. If there is insufficient or out-of-date contact information for fewer than 10 individuals, a substitute notice may be provided by an alternative form of written notice, by telephone, or by other means.
      3. The written notification will include the following information:
        1. A brief description of the breach;
        2. A description of the types of information that were involved in the breach;
        3. The steps affected individuals should take to protect themselves from potential harm;
        4. A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and
        5. Contact information (or business associate contact information, if applicable).
    2. Media Notification
      1. If there is a breach affecting more than 500 residents of a State or jurisdiction, in addition to notifying the affected individuals, a notice will be provided to prominent media outlets serving the State or jurisdiction.
      2. This notification will occur no later than 60 days following the discovery of the breach and will contain the same information required in the individual notice.
    3. Notification to the Secretary of Health and Human Services
      1. The Secretary will be notified of breaches of unsecured protected health information by completing the required form on the HHS website.
      2. If a breach affects 500 or more individuals, the Secretary will be notified no later than 60 days following the discovery of the breach.
      3. If, however, a breach affects fewer than 500 individuals, notification will occur on an annual basis as required. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
  7. Enforcement and Sanctions: All team members and business associates shall adhere to this policy. Violations of this policy can result in disciplinary action up to and including termination of employment or independent contractor status and potential criminal or professional sanctions in accordance with applicable law.


Attachments: None