The approach we take in the article is to use the breach notification process as a backdrop to point out a number of "holes" you may have in your HIPAA/HITECH compliance initiative, ones that you are likely not even aware of.
Tracking Security Incidents?
How Do You Know It's a Breach?
To determine whether Breach Notification is triggered, you need to follow a methodology that is mandated by the Breach Notification Rule ("Rule"). Although the Rule contains a basic methodology that is inherent in its text, it is not presented as such in the regulations. HIPAA/HITECH remain descriptive as opposed to prescriptive. That is, the regulations inform you as to what is required, but have very little (mostly nothing) to say about how you should go about complying.
The methodology consists of a three-part analytical framework, which we turn our attention to next. Although the framework consists of only three parts, it is significantly more complex than it first appears.