hipaa-breach-notification

Installation
SKILL.md

Executing HIPAA Breach Notification

Overview

The HIPAA Breach Notification Rule (45 CFR §§164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). This skill covers the complete HIPAA breach notification workflow, including the four-factor risk assessment, individual notification requirements, HHS/OCR reporting obligations, state attorney general notification, and media notification thresholds.

Key Definitions

Term Definition Source
Breach Acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI 45 CFR §164.402
Unsecured PHI PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction per HHS guidance 45 CFR §164.402
Covered Entity Health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically 45 CFR §160.103
Business Associate Person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity 45 CFR §160.103
Discovery The first day the breach is known to the covered entity (or would have been known through reasonable diligence) 45 CFR §164.404(a)(2)

Four-Factor Breach Risk Assessment — 45 CFR §164.402(2)

A covered entity must assess the probability that PHI has been compromised using four factors:

Installs
10
GitHub Stars
187
First Seen
May 26, 2026
hipaa-breach-notification — mukul975/privacy-data-protection-skills