Effective Date: August 1, 2013 Revised: November 1, 2018

HIPAA Policies for Healthcare Providers at Covered Components: Policy 7, Breaches

Responsible Office Research Compliance

HIPAA Policies for Health Care Providers Collection

7.1 Obligation to Report Potential Breaches

Any Workforce Member who learns that a potential breach of PHI may have occurred must immediately notify his or her supervisor and/or the Covered Component’s HIPAA Contact.  The HIPAA Contact shall ensure the report is forwarded immediately to one of the following:

Failure to make a report in circumstances where the Workforce Member is required to do so may lead to discipline, up to and including termination of employment.

7.2 No Retaliation

Neither Covered Components nor anyone else affiliated with BU may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for his/her exercise of any right established by, or for participation in any process provided for, these policies or the law, including:

  • Filing a complaint with the Covered Component;
  • Filing a complaint with governmental authorities;
  • Assisting or participating in an investigation or compliance review by BU or its agents;
  • Testifying in a proceeding or hearing by governmental authorities under HIPAA; or
  • Opposing any act or practice made unlawful by HIPAA, provided the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve an impermissible disclosure of PHI.

Individuals who report breaches may be subject to the protections of the University’s Code of Ethical Conduct.

7.3 Investigation and Remedial Action for Reports of Potential Breaches

Responsibility to Receive, Record and Investigate Reports

BU’s HIPAA Privacy Officer and HIPAA Security Officer will:

  • receive and respond to all notifications of the use or disclosure of PHI in violation of these Policies or of HIPAA;
  • record all reports of potential breaches;
  • investigate each according to the University’s Data Breach Management Plan to determine whether the circumstances constitute a breach; and
  • document the conclusion.

In investigating electronic incidents, the HIPAA Security Officer or HIPAA Contact follows Information Security’s First Responder Checklist to ensure that critical evidence is preserved.  In addition, any Workforce Member should take reasonable precautions against physical threats to information, such as closing a door found open, locking cabinets and doors, and similar steps.

Upon request, BU will make all reasonable efforts to protect the confidentiality of persons reporting violations of law or of BU HIPAA policies or procedures to the extent practicable, given the nature of the investigation.

Response to Breach

If PHI has been used or disclosed in violation of BU policy or HIPAA requirements, BU will mitigate, to the extent practicable, any known harmful effects.  Examples of actions that will be taken, depending on the circumstances, include the following:

  • If the violation involves a continuing unauthorized disclosure of PHI, steps will be taken to end the practice immediately.
  • If the violation involves an unlawful activity or practice, the activity or practice will be stopped, and the Office of the General Counsel will be notified of the violation.
  • If the same or a similar violation could or might be prevented in the future by making changes to HIPAA policies and procedures, training or guidance, such changes will be instituted and promptly communicated to all affected employees.

7.4 Breach Notifications

In the event the BU HIPAA Privacy and/or Security Officer determines a Breach has occurred, they will notify the affected patients, the media and the Secretary, as applicable and as required under HIPAA, and will take appropriate remedial actions.

7.5 Enforcement and Sanctions

Members of the Workforce who are determined to have violated these policies or a Covered Component’s procedures may be subject to disciplinary action, up to and including termination of employment.