Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            How to Report a HIPAA Breach

            Modified on Tue, 10 Feb at 10:29 PM

            Summary
            This article explains what constitutes a HIPAA breach, how breaches are discovered, and the process for reporting them to Zaya’s Compliance team. It also covers confidentiality and non-retaliation protections for reporters.


            Breach Definition

            A breach is the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a way not permitted under the HIPAA Breach Notification Rule that compromises its security or privacy.


            Breach Discovery
            A breach is considered discovered:

            • On the first day it becomes known to Zaya; or

            • When, through reasonable diligence, it would have been known to Zaya or its workforce or agents (excluding the person who caused the breach).


            Reporting a Breach

            Providers who suspect PHI has been compromised must immediately report it to compliance@zayacare.com using the email template below:


            Send to: compliance@zayacare.com

            Subject: HIPAA Breach Report [Breach Type]

            Message format:

            • Date discovered – When the breach was identified

            • Date of breach – When the breach occurred (if known)

            • Type of breach – Include all that apply:

              • Unauthorized Access or Disclosure

              • Lost or Stolen Devices

              • Hacking / IT Incidents

              • Improper Disposal

              • Misdirected Communication

              • Insider Threats

              • Third-Party Breach

            • Narrative summary – Description of events leading to the breach

            • Location of breach – Systems or vendors involved

            • PHI involved – Types of data exposed (generic descriptions only; do not include PHI in the email)

            • Individuals affected – Number of people impacted


            Zaya’s Compliance Officer will acknowledge receipt of the report within 3 business days. A formal investigation will then be conducted to assess impact and implement risk mitigation. Stakeholders affected will be notified of investigation results and next steps as needed.


            Confidentiality and Non-Retaliation

            Individuals reporting breaches in good faith are protected from retaliation under 45 CFR § 160.316. All reports are treated confidentially under 45 CFR § 164.530(g). Identity disclosure is limited to those necessary to investigate and resolve the matter.




            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0