Determining HIPAA-Reportable PHI Breaches Visual Checklist

Summary

This visual checklist provides an overview of the key questions to ask when determining whether a data breach constitutes a reportable breach of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, 45 C.F.R. §§ 164.400 through 164.414. Under the Breach Notification Rule, HIPAA-defined covered entities (CEs)—healthcare providers, plans, and clearinghouses—must notify affected individuals, the federal government, and, in some cases, the media following reportable breaches of individuals' PHI.