
Breach Investigation and Notification

2025.04.16

To provide guidance for breach notification when impermissible or unauthorized access, acquisition, use and/or disclosure of ePHI occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH) as well as any other federal or state notification law. The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009, with full compliance required by February 22, 2010.

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacts the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities and business associates may have chosen to include notification as part of the mitigation process. HITECH does require notification of certain breaches of unsecured PHI to the following: individuals, the Department of Health and Human Services (HHS), and the media. The effective implementation date for this provision is September 23, 2009 (pending publication of HHS regulations).

In the case of a breach, ClearHealth shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.

Policy Statements

ClearHealth policy requires that:

(a) Breach notification procedures are invoked upon confirmation of a security breach that results in unauthorized disclosure of unprotected/unencrypted sensitive data.

(b) Individuals impacted by a confirmed data breach must be notified within 60 days of discovery of such breach.

(c) In the event of a data breach that involves unencrypted ePHI, ClearHealth must report the breach to individuals impacted following the HIPAA Breach Notification requirements (45 CFR Part 164, Subpart D).