What is required of covered entities under the Breach Notification Rule?

The requirement for covered entities under the Breach Notification Rule is to notify affected individuals when a breach of their protected health information (PHI) occurs. This rule, established under the Health Insurance Portability and Accountability Act (HIPAA), mandates that if a breach affects 500 or more individuals, the covered entity must notify the affected individuals promptly, as well as notify the Secretary of Health and Human Services and the media in certain cases. This process is designed to ensure that individuals are aware of potential risks to their privacy and security and can take necessary actions to protect themselves.

The other options involve actions that are not mandated under the Breach Notification Rule. Providing a new notice of privacy practices to all patients is not a requirement specific to breaches, nor is creating a new health record number for each patient related to breach notifications. While having a privacy officer is a best practice for compliance, it is not specifically required by the Breach Notification Rule itself.