hipaa-breach-notification
Installation
SKILL.md
Executing HIPAA Breach Notification
Overview
The HIPAA Breach Notification Rule (45 CFR §§164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). This skill covers the complete HIPAA breach notification workflow, including the four-factor risk assessment, individual notification requirements, HHS/OCR reporting obligations, state attorney general notification, and media notification thresholds.
Key Definitions
| Term | Definition | Source |
|---|---|---|
| Breach | Acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI | 45 CFR §164.402 |
| Unsecured PHI | PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction per HHS guidance | 45 CFR §164.402 |
| Covered Entity | Health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically | 45 CFR §160.103 |
| Business Associate | Person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity | 45 CFR §160.103 |
| Discovery | The first day the breach is known to the covered entity (or would have been known through reasonable diligence) | 45 CFR §164.404(a)(2) |
Four-Factor Breach Risk Assessment — 45 CFR §164.402(2)
A covered entity must assess the probability that PHI has been compromised using four factors: