hipaa-breach-notify

Installation
SKILL.md

HIPAA Breach Notification Rule — 45 CFR §164.400-414

Overview

The HIPAA Breach Notification Rule, added by the HITECH Act of 2009 and finalized in the Omnibus Rule of 2013 (78 FR 5566), requires covered entities and business associates to provide notification following a breach of unsecured protected health information (PHI). The rule establishes specific timeframes, content requirements, and reporting obligations that vary based on the number of individuals affected. Post-2013, the rule applies a presumption that any impermissible acquisition, access, use, or disclosure of PHI is a breach unless the covered entity demonstrates through a risk assessment that there is a low probability the PHI was compromised.

Definition of Breach — §164.402

What Constitutes a Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.

Presumption of Breach

Under the 2013 Omnibus Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates through a four-factor risk assessment that there is a low probability that the PHI has been compromised.

Four-Factor Risk Assessment — §164.402(2)

Installs
8
GitHub Stars
187
First Seen
May 26, 2026
hipaa-breach-notify — mukul975/privacy-data-protection-skills