About this course:
This course reviews the core components of HIPAA, personal rights guaranteed under HIPAA, and the responsibilities of healthcare providers to comply with the law.
Upon completion of this activity, learners should be able to:
- identify the core components of HIPAA and patient rights
- outline the Privacy, Security, and Breach Notification Rules and the procedures for using and disclosing patient health information
- discuss HIPAA compliance issues and challenges and the consequences for noncompliance
- review good privacy practices for organizations, agencies, and individual healthcare professionals
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that applies in all 50 states and US territories. It mandates compliance with national regulatory standards to safeguard the privacy and security of all "individually identifiable health information." The Privacy Rule calls this information "protected health information or PHI." HIPAA gives patients the rights to their health information and protects sensitive and individually identifiable PHI from being disclosed without consent. HIPAA compliance is regulated by the US Department of Health and Human Services (HHS) and is enforced by the HHS Office for Civil Rights (OCR). Violations may result in civil monetary penalties, and criminal penalties may be enforced by the US Department of Justice (DOJ; Centers for Medicare & Medicaid Services [CMS], 2021a; HHS, 2021b).
HIPAA Background and Evolution
HIPAA was signed into law by President Bill Clinton on August 21, 1996, and it officially became effective on July 1, 1997. HIPAA was initially intended to improve the portability and accountability of health insurance coverage. The act promoted medical savings accounts by introducing tax breaks and ensured healthcare coverage for employees with pre-existing medical conditions. It also guaranteed the continuation of coverage when individuals changed employers. Since then, the act has evolved to encourage the conversion of paper files to electronic sources while safeguarding the protection and security of personal information. It also defines actions covered entities must take to notify victims of breaches to their PHI and mitigate the damage incurred. Persons or agencies and businesses that furnish, bill, or receive payment for healthcare in the ordinary course of business must comply with HIPAA laws. The HIPAA Privacy Rule establishes standards for protecting PHI held by persons and entities required to comply with these laws (see Table 1; CMS, 2021a; HHS, 2021b).
The Privacy Rule
The Privacy Rule sets national standards and mandates for how PHI may be used and disclosed. It applies to all forms of PHI, "held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral" (HHS, 2013b). It also applies to email and fax and prohibits the exchange of PHI with anyone who does not have a legitimate right to access it. PHI includes many standard identifiers, such as a person’s name, address, birth date, and Social Security number (see Table 2). The primary goal of the Privacy Rule is to ensure that PHI is protected without precluding the transmission of necessary health information to deliver high-quality care and protect the overall health and well-being of the public. Therefore, the Privacy Rule focuses on the careful balance between utilizing necessary information and protecting patient rights and privacy when seeking care. It is intended to be flexible and comprehensive to cover the various uses and disclosures that must be addressed across a diverse and evolving healthcare system. The Privacy Rule pertains to healthcare providers and services, whether they transmit transactions directly or utilize a billing service or other third party to do so on their behalf (CMS, 2021a; HHS, 2013b, 2021b).
PHI includes information that relates to:
- an individual's past, present, or future physical or mental health or condition(s)
- the provision of healthcare to an individual
- past, present, or future payment for the provision of healthcare to the individual (HHS, 2013b)
The Privacy Rule protects information that alone or combined may identify a patient, their relatives, employer, or household members. Therefore, PHI that contains any patient identifier is protected under HIPAA. Table 2 provides examples of the most common healthcare identifiers and locations of PHI (HHS, 2013b).
The Privacy Rule articulates individuals’ rights regarding personal health information, including the right to access, inspect, and obtain a copy of their health records in the form and manner they request. Individuals have the right to request corrections to their PHI if the information is inaccurate or incomplete. Individuals have the right to receive a notice of privacy practices and obtain an account of disclosures of their PHI within 6 years leading up to the date of the request (HHS, 2013b).
Healthcare Providers and Health Plan Requirements
For healthcare providers and health plans, the Privacy Rule mandates core actions, such as:
- notifying patients about their privacy rights and how their information can be used
  - notices of privacy practices must be provided at the time of coverage enrollment
  - participants must be notified at least once every 3 years that the notice of privacy practices is available and how they can obtain it
- adopting and implementing privacy procedures
- training employees, so they understand and comply with the privacy procedures
- designating responsible persons for enforcing, overseeing, and monitoring ongoing compliance with all privacy procedures
- securing all forms of patient records that contain identifiable health information, so they are not readily available to those who do not need them (HHS, 2013b)
Covered Entity Requirements
A covered entity is permitted, but not required, to use and disclose PHI without an individual's authorization for six specific purposes, as outlined in Table 3 (HHS, 2013b). Under HIPAA, before a covered entity can share PHI for any of the purposes noted in Table 3, the following three requirements must also be met (OCR, 2016):
- Both covered entities must have or have had a relationship with the patient (i.e., former and current patients).
- The PHI requested must pertain to the relationship.
- The discloser must release only the minimum information necessary for the healthcare operation at hand.
A covered entity may rely on professional ethics and best judgment when deciding which of the above permissive uses and disclosures to enact. It may also rely on an individual's informal permission to use or disclose PHI to notify (including identifying or locating) family members, personal representatives, or others responsible for the individual's care of the individual's location, general condition, or death. Furthermore, PHI may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts (HHS, 2013b).
Furthermore, covered entities must train all workforce members on their privacy policies and procedures as necessary and appropriate to carry out HIPAA requirements and functions. Initial HIPAA training is required “no later than the compliance date for the covered entity” and “to each new member of the workforce within a reasonable period after the person joins the covered entity’s workforce” (HHS, 2013b). Healthcare organizations and agencies require HIPAA training during onboarding and at least annually. Employees must complete a documented attestation verifying their mandated training. There are no restrictions for using or disclosing de-identified health information (i.e., data that neither identify nor provide a reasonable basis to identify an individual). According to the HHS (2013b), there are two techniques to de-identify information properly:
- by formal determination by a qualified statistician; or
- by removing all specified identifiers of an individual and their relatives, household members, and employers, which is required and adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual (HHS, 2013b)
The Security Rule
The HIPAA Security Rule sets national standards to secure the transmission, use, and handling of all electronic PHI (ePHI). It applies to all covered entities that share and transmit ePHI and outlines the precautions each entity must implement to safeguard the confidentiality, integrity, accessibility, and availability of ePHI. Before HIPAA, there was no universal security standard or general requirement for protecting health information in health care. However, as innovative and novel technologies emerged and the healthcare industry began to rely more heavily on electronic information systems to pay claims, provide health information, and conduct a host of other administrative and clinically based tasks, the security of ePHI became increasingly vital. Since privacy and security go hand-in-hand, the Security Rule protects a subset of information covered by the Privacy Rule. However, while the Privacy Rule covers the "what" (i.e., what information is protected), the Security Rule focuses on the "how" (i.e., how the information is protected). The Security Rule does not apply to PHI transmitted orally or in writing. Under the Security Rule, healthcare organizations and agencies must delineate the specific procedures they will implement to protect ePHI in their HIPAA Policies and Procedures and train employees on these topics annually, with documented confirmation (HHS, 2013c).
The Security Rule includes the following specific physical, technical, and administrative protections that all covered entities must uphold:
- ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted
- identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
- guard against reasonably anticipated, impermissible uses or disclosures
- ensure compliance by their workforce (HHS, 2013c)
Examples of physical safeguards include implementing workstation and device security features and limiting physical access to facilities to authorized persons only. Administrative protections include security personnel responsible for developing and implementing all security processes and procedures, workforce training, and evaluation. Specific technical safeguards include audit controls and transmission security (e.g., private and password-protected electronic networks; HHS, 2013c). Today, healthcare providers primarily utilize electronic health records (EHR), digital clinical applications such as computerized provider order entry (CPOE) systems, and electronic radiology, pharmacy, and laboratory systems. In addition, health plans provide electronic access to claims, care management, and member self-service applications. These advancements allow for more accessible, mobile, adaptive, and efficient healthcare services. However, the increased use and reliance on these technologies heighten the risk for potential security breaches (HHS, 2013c).
A primary goal of the Security Rule is to protect the privacy of ePHI while allowing covered entities to adopt novel technologies to improve the quality, competence, and effectiveness of patient care. Since the healthcare marketplace is diverse and continually evolving, the Security Rule was designed to be flexible and scalable to allow a covered entity to implement policies, procedures, and technologies based on their size, organizational structure, unique needs, and risks to their consumers’ personal information (see Table 5). In addition, covered entities can analyze their needs and implement solutions appropriate for their specific environment, workforce, and resources (HHS, 2013c).
The Security Rule defines "confidentiality" as ePHI that is not made available or disclosed to unauthorized persons. Its confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of ePHI. In addition, the Security Rule promotes two other goals: maintaining the integrity and the availability of ePHI. The Security Rule defines "integrity" as ePHI that is not altered or destroyed in an unauthorized manner. "Availability" denotes ePHI that is accessible and usable on demand by an authorized person (HHS, 2013c).
The Breach Notification Rule
The Breach Notification Rule is a set of standards that covered entities and business associates must follow if a data breach containing PHI or ePHI occurs. It delineates the requirements for breach reporting depending on the extent and size of the breach. According to the HHS (2013a), a breach is defined as follows:
"generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
- the unauthorized person who used the protected health information or to whom the disclosure was made
- whether the protected health information was acquired or viewed
- the extent to which the risk to the protected health information has been mitigated."
An example of a data breach is when an employee's unencrypted company laptop with access to medical records is stolen from their apartment. Similarly, a data breach includes any stolen or lost laptop, smartphone, or USB device with accessible PHI (HHS, 2013a).
According to the HHS (2013a), there are three exceptions to the definition of a breach:
- the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority
- the unintentional or inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized healthcare arrangement in which the covered entity participates
- if the covered entity has a good faith belief that the unauthorized person to whom the unauthorized PHI disclosure was made would not have been able to retain the information
In all the above cases, to qualify as an exception, the PHI cannot be further used or disclosed in a manner not permitted by the Privacy Rule (HHS, 2013a).
While organizations are required to report all breaches to the HHS, specific protocols for reporting vary based on the type and extent of the breach. The HIPAA Breach Notification Rule outlines how covered entities and business associates must respond in the event of a breach. Following a breach of unsecured PHI or ePHI, covered entities must notify affected individuals and (in certain circumstances) the media. Notifications must be provided without unreasonable delay and no later than 60 days after discovering the breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually; however, affected individuals must still be notified that their data were involved in a breach within 60 days of the breach discovery. Breaches affecting more than 500 individuals must also be reported to HHS within 60 days, and affected individuals must be notified immediately, but there are additional requirements for large-scale breaches. Local law enforcement agencies must be contacted, and local media agencies may be used to alert potentially affected individuals. Furthermore, such breaches are posted on the HHS Breach Notification Portal, a permanent archive of all HIPAA violations caused by large-scale breaches in the US since 2009. This searchable database is a consequence of a HIPAA violation that can permanently damage the organization's reputation. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate (Compliancy Group, 2021; HHS, 2013a, 2021a).
Between 2009 and 2020, 3,705 healthcare data breaches of 500 or more records were reported to the OCR. These breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records, equating to greater than 80% of the US population. In 2018, healthcare data breaches of 500 or more records were reported at a rate of approximately 1 per day, and as of December 2020, that rate doubled. For 2020, the average number of breaches per day was 1.76. While the loss or theft of healthcare records and ePHI was the primary source of breach reports between 2009 and 2015, enhanced policies and procedures and the increased utilization of encryption have reduced these preventable breaches. Currently, hacking or information technology (IT) incidents are the leading cause of healthcare data breaches, followed by unauthorized access or disclosure. Advancements in technology have equipped organizations with the tools to detect breaches more readily when they occur (HIPAA Journal, 2020).
HIPAA Compliance Issues
Federal requirements preempt state laws that conflict with the HIPAA rules; thus, the federal regulations always apply. A HIPAA violation denotes any breach in HIPAA compliance (or failure to comply with any aspect of the HIPAA rules) that compromises the integrity of PHI or ePHI. A violation occurs when a HIPAA-covered entity or a business associate fails to comply with the provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Violations may be intentional or unintentional. An example of an unintentional HIPAA violation is when excess PHI is disclosed and the minimum necessary information standard is violated. Disclosed PHI must be limited to the minimum information required to achieve the purpose for which it is needed. Financial penalties can be issued for unintentional HIPAA violations, although the penalties will be less than for willful violations of the HIPAA Rules (Compliancy Group, 2021; HHS, 2021a, 2021b).
HIPAA violations are typically different from data breaches. In the stolen-laptop example above, the theft itself is a data breach of PHI; a HIPAA violation would occur if the company whose laptop was stolen did not have a policy in place prohibiting laptops from being taken offsite (or requiring that they all be encrypted). Other examples of HIPAA violations include sending PHI or ePHI to the wrong patient or contact, sharing such information via social media posts, or discussing PHI outside of a private area where others can overhear the information. An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach. In addition, many HIPAA violations result from negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures (Compliancy Group, 2021; HHS, 2021a, 2021b).
HIPAA Enforcement Rule and Penalties for Noncompliance
The HHS and OCR conduct complaint investigations and compliance reviews. The HIPAA Enforcement Rule sets civil monetary penalties for violating HIPAA rules and establishes procedures for investigations and hearings concerning HIPAA violations. If a covered entity's employees (including volunteers) do not follow all HIPAA laws, the federal government has the right to investigate and impose monetary penalties and jail sentences if they are found guilty. Penalties can potentially be issued for all HIPAA violations. However, the OCR typically resolves most cases through voluntary compliance, technical guidance, or accepting a covered entity's or business associate's plan to address the violations and change policies and procedures to prevent future occurrences. Unintentional HIPAA violations can lead to civil penalties such as fines. However, a penalty may be waived in specific circumstances, such as if the violation was due to a reasonable cause and did not involve willful neglect, and the covered entity corrected the damage within 30 days of recognizing the violation. Intentional unauthorized disclosure of PHI (e.g., deliberately selling information) and offenses that involve willful neglect or false pretenses can lead to substantial fines (e.g., up to $250,000) and/or incarceration. If the violations are serious or have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate. The US DOJ is responsible for enforcing criminal sanctions. Four categories (or tiers) are used for the penalty structure and are outlined in Table 6 (American Medical Association [AMA], 2021; HHS, 2013b, 2013c, 2020b; HIPAA Journal, 2020).
HIPAA Violation Case Study
In 2018, Boston Medical Center, Brigham and Women's Hospital, and Massachusetts General Hospital settled with the OCR for almost $1 million for compromising patient privacy while filming a television network documentary. These hospitals reached separate settlements and fines with OCR for inviting television crews to film on-site without first obtaining patient authorization. In addition to the monetary penalties, each hospital was required to implement staff training as part of its corrective action plans and policies and procedures regarding photography and video and audio recording. According to the settlement agreements, all three hospitals denied they impermissibly disclosed PHI and testified to obtaining appropriate consent. This was a breach because patients entering hospitals expect to encounter doctors, nurses, and other authorized staff while receiving treatment, not film crews recording them in private, vulnerable moments. Thus, hospitals must obtain the appropriate consent from patients before allowing unauthorized persons access to patients and their medical information. Likewise, in 2016, New York-Presbyterian Hospital settled with OCR for $2.2 million, when PHI was disclosed to a television crew during filming. The OCR cited the breach as "an egregious disclosure" (Davis, 2018).
Institutional Challenges and Strategies
HIPAA compliance is an ongoing process, and efforts seek to ensure that safeguards remain effective and staff members remain vigilant of their responsibilities regarding PHI and HIPAA. For example, regular risk analyses must be performed to identify new threats to PHI confidentiality, integrity, and availability; identified risks must be managed appropriately and reduced to an acceptable level. In addition, documentation should be maintained on compliance efforts and inspected by regulators if there is an audit, a complaint about an organization, or a breach of PHI (Compliancy Group, 2021; HHS, 2020b).
Significant HIPAA challenges for organizations include ensuring that patients receive their medical records promptly, attaining a level of security provided and maintained by IT (see Table 7), and balancing staff education with enforcement. With the development and increased use of patient EHR portals (e.g., MyChart), patients have greater access to their medical information than ever before. A lack of effective training is a common reason for HIPAA violations. Compliance training is a proactive, efficient, and effective way for organizations to prevent HIPAA violations. Organizations are encouraged to offer regular training (in-office, virtual, or on-demand), teach employees about HIPAA privacy and security regulations, and maintain an open-door policy encouraging employees to ask questions and report concerns. Since another common HIPAA violation is stolen or lost mobile devices (smartphones, iPads, laptops, etc.) that store PHI, organizations must enable encryption, firewalls, and secure user authentication on each device. Certain technologies, software programs, and apps can remotely lock a device or wipe its data if the device is lost or stolen (e.g., reset to factory defaults, thereby erasing all apps and data). Furthermore, organizations need to address the risk of social media HIPAA violations. They can enhance compliance by prohibiting employees from posting, texting, or transmitting workplace information, PHI, or photographs on social media outlets (Compliancy Group, 2021; Edemekong et al., 2021; HHS, 2017, 2020b; KentuckyRHIO, 2021).
Good Privacy Practices for Healthcare Professionals
There are several approaches that healthcare professionals can implement to ensure patient privacy and HIPAA compliance. Some of the most important activities include the following (Compliancy Group, 2021; HHS, 2020b):
- Ensure all papers and documents with PHI are kept in a secured area.
- Do not leave PHI exposed where others can access it.
- Handle and dispose of PHI securely. When PHI is not filed or used, it should be shredded immediately.
- Only discuss specific patient cases in private where other people cannot overhear the conversation, including other staff members not involved in the patient's care.
- Use passwords to prevent others from accessing your computer files and ensure your computer is locked every time you walk away from it.
- Minimize all PHI in email communication; include only the minimum necessary information.
- Ensure fax machines that receive PHI are placed in secure and private locations.
- Be mindful of where mobile devices are located at all times and lock them when not in use.
- Use social media wisely.
If healthcare professionals wrongfully disclose PHI, they should immediately inform their direct supervisor. They should provide the following information to their supervisor (or another designated HIPAA officer as outlined by the employer’s policy):
- whose PHI was disclosed,
- how it was disclosed,
- to whom,
- the date and time of the disclosure, and
- any actions taken to remedy the problem.
If they observe a colleague wrongfully disclosing PHI, they should confront the person who is wrongfully disclosing PHI, telling them what they saw and heard and explaining how PHI has been wrongfully disclosed. The observer should then immediately speak to their supervisor about the situation (HIPAA Journal, 2021).
How to File a Complaint
Anyone can file a health information privacy or security complaint if they feel there has been a violation of HIPAA. The complaint can be based on a violation that affected one’s or another person's PHI or any type of breach in HIPAA laws.
The complaint must be filed with the OCR's online complaint portal (https://www.hhs.gov/hipaa/filing-a-complaint/index.html) or by mail, fax, or email. The complaint must supply the following:
- information about the complainant
- the name of the covered entity or business associate involved
- a description of the acts or omissions believed to have violated the requirements of the Privacy, Security, or Breach Notification Rules
- be filed within 180 days of when the act or omission occurred or was first identified (OCR may extend this period if the complainant can demonstrate "good cause" for the delayed reporting; HHS, 2020a)
HIPAA prohibits retaliation against persons who file a complaint; thus, employees are protected from retribution for sharing a HIPAA-related privacy or security grievance. Any employee or representative of an employee who believes they have been retaliated against for disclosing HIPAA-protected information when reporting a workplace safety or health issue can file a whistleblower complaint with OSHA under Section 11(c) of the OSHA Act. The complaint must be filed within 30 days of the alleged retaliation (HHS, 2020a; OSHA, 2018).
American Medical Association. (2021). HIPAA violations & enforcement. https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement
Centers for Medicare & Medicaid Services. (2021a). Are you a covered entity? https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity
Centers for Medicare & Medicaid Services. (2021b). HIPAA basics for providers: Privacy, security, & breach notification rules. https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf
Compliancy Group. (2021). What is HIPAA compliance? https://compliancy-group.com/what-is-hipaa-compliance/
Davis, J. (2018). 3 Massachusetts hospitals fined nearly $1 million by OCR for HIPAA violations. https://www.healthcareitnews.com/news/3-massachusetts-hospitals-fined-nearly-1-million-ocr-hipaa-violations
Edemekong, P. F., Annamaraju, P., & Haydel, M. J. (2021). Health insurance portability and accountability act. StatPearls. https://www.ncbi.nlm.nih.gov/books/NBK500019/
HIPAA Journal. (2020). Healthcare data breach statistics. https://www.hipaajournal.com/healthcare-data-breach-statistics/
HIPAA Journal. (2021). How should you respond to an accidental HIPAA violation? https://www.hipaajournal.com/accidental-hipaa-violation/
KentuckyRHIO. (2021). Preventing HIPAA violations through practice compliance. https://krhio.org/preventing-hipaa-violations-practice-compliance/
Occupational Safety and Health Administration. (2018). OSHA fact sheet: Health privacy and OSHA whistleblower complaints. https://www.osha.gov/sites/default/files/publications/OSHA-factsheet-HIPPA-whistle.pdf
Office for Civil Rights. (2016). Permitted uses and disclosures: Exchange for health care operations; 45 code of federal regulations (CFR) 164.506(c)(4). https://www.hhs.gov/sites/default/files/exchange_health_care_ops.pdf
US Department of Health and Human Services. (2013a). Breach notification rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
US Department of Health and Human Services. (2013b). Summary of the HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
US Department of Health and Human Services. (2013c). Summary of the HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
US Department of Health and Human Services. (2017). Health information privacy beyond HIPAA: A 2018 environmental scan of major trends and challenges. https://ncvhs.hhs.gov/wp-content/uploads/2018/05/NCVHS-Beyond-HIPAA_Report-Final-02-08-18.pdf
US Department of Health and Human Services. (2020a). Filing a HIPAA complaint. https://www.hhs.gov/hipaa/filing-a-complaint/index.html
US Department of Health and Human Services. (2020b). The HIPAA enforcement rule. https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html
US Department of Health and Human Services. (2021a). Breach portal: Notice to the Secretary of HHS breach of unsecured protected health information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
US Department of Health and Human Services. (2021b). HIPAA for professionals. https://www.hhs.gov/hipaa/for-professionals/index.html