HIPAA Breach Decision Tree

This document is intended to assist you and your practice when investigating a potential breach. We also recommend contacting us should you experience a breach.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.


Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:


  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.


When determining the existence of a breach, the HIPAA Breach Decision Tree should be utilized as a tool for breach identification.

Reference: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html