Amrit Virdee
The HIPAA Breach Notification Rule mandates that HIPAA covered entities provide
notification following a breach of unsecured protected health information. The Secretary of the
US Department of Health and Human Services (HHS) must be notified of the breach by using a
The obligations for reporting a breach differ based on whether more or fewer than 500 individuals
were involved in the breach. If the number of individuals affected by a breach is unknown, an
estimate can be used, which can then be updated on the portal if additional information is
discovered. The steps required for notification can be broken down into three critical steps: sending
individual notices, providing information via a media channel, and notifying the Secretary about
the breach. Which of these apply depends on how many individuals were affected by the breach.
The first step would be to send individual notices to all affected individuals without
unreasonable delay and no later than 60 days following the discovery of the breach in a written
form sent via first class mail or via email if the individual has agreed to receive such notices.
The individual notices must include a brief description of the breach, the types of information
that may have been disclosed, the steps affected individuals need to take to protect themselves
from potential harm, covered entity contact information and a description of what the covered
entity is investigating, how they are mitigating any harm and how they will prevent further
breaches. If the covered entity has insufficient or out-of-date contact information for 10 or more
individuals, the covered entity must then provide a substitute notice, such as posting on a website
for at least 90 days or providing a notice in major print or broadcast media. The substitute notice
must include a toll-free number that concerned individuals can call to learn more about the
breach. This number must remain active for at least 90 days. The second step involves sending
a media notice in the form of a press release without unreasonable delay and no later than 60
days following the discovery of the breach. The media notice requirement only applies to
breaches that involve 500 or more individuals in a State or jurisdiction. The media outlets
utilized must serve that affected State or jurisdiction. The third step involves notifying the
Secretary through the online portal mentioned above. If the breach affects 500 or more
individuals, covered entities must notify the Secretary without unreasonable delay and no later
than 60 days after the discovery of the breach. If the breach affects fewer than 500 individuals, the
covered entity may notify the Secretary on an annual basis and no later than 60 days after the end