A covered entity breaches a patient’s PHI. What must they do next?

Prepare for the MOA-160 HIPAA Exam with our comprehensive quiz including multiple choice questions with explanations and hints. Get ready for success!

When a covered entity breaches a patient's Protected Health Information (PHI), the next required action is to notify the patient of the breach. This obligation stems from the HIPAA Breach Notification Rule, which mandates that individuals must be informed when their PHI has been compromised. This notification must occur without unreasonable delay and within a specific timeframe, generally no later than 60 days after the breach is discovered.

Notifying the patient is crucial as it empowers them to take necessary precautions to protect themselves from potential identity theft or fraud resulting from the breach. It also fosters transparency and trust between healthcare providers and patients by affirming the provider's commitment to handling sensitive information responsibly.

The other options do not align with the requirements established under HIPAA. Ignoring a breach, regardless of its perceived severity, does not fulfill legal obligations. Reporting a breach to the police may be necessary in cases involving criminal activity, but it is not a prerequisite action under HIPAA. Updating privacy policies is important for future prevention but does not address the immediate need for notification in response to a breach.
