What is "Mitigation" under the HIPAA Privacy Rule?

Modified on Mon, 11 Dec, 2023 at 12:33 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  



Per the Privacy Rule at 45 CFR 163.530(f), a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of the Privacy Rule by the covered entity or its business associate.

As part of this mitigation requirement, covered entities should:

1. Ensure that mitigation plans are developed, implemented, and applied in accordance with the covered entity's policies and procedures.  

2. In response to a report of or information about a workforce member’s or business associate’s unauthorized use or disclosure of PHI, act promptly to reduce any known or reasonably anticipated harmful effects from the disclosure.  

3. Contact the recipient of the information that was the subject of the unauthorized disclosure and request that such recipient either destroy or return the information.

4. Take other appropriate action to prevent further use or disclosure of PHI that was used or disclosed without authorization.