Providers and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, for any impermissible use or disclosure, a provider (or business associate) should maintain documentation showing that all required notifications were made, or documentation demonstrating that notification was not required because:
- the risk assessment demonstrated a low probability that the protected health information was compromised by the impermissible use or disclosure, or
- another exception to the definition of “breach” applied
Providers are also required to comply with certain administrative requirements concerning breach notification. For example, providers must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.