Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.
This notification to HHS must be made at the same time the affected individuals are notified.
For breaches involving fewer than 500 individuals, covered entities must keep a log of the breaches and submit it to HHS within "60 days after the end of the calendar year in which the breach occurred."
Some exceptions to the definition of a breach are: unintentional acquisition (by a workforce member acting under the authority of a covered entity or business associate); inadvertent disclosure (from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at a covered entity or business associate); and cases where the recipient would not be able to retain the information (this does not cover a disclosure of PHI if the covered entity or BA has a good faith belief that the unauthorized individual who received the PHI would not be able to retain the