Who Must be Notified of a Breach and What Information Must the Notification Contain?

Modified on Mon, 11 Dec 2023 at 02:05 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

When a breach of unsecured PHI occurs, the entity sustaining the breach generally has breach notification obligations. These obligations are discussed below.

Notification Obligations of Covered Entities: Individuals

The HIPAA breach notification rule requires covered entities, following the discovery of a breach of unsecured PHI, to notify “affected individuals.” Affected individuals include each person whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of the breach.


The notification must be in writing and must be provided without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. It is sent by first-class mail, or by email if the individual has agreed to electronic notice (see below).

What Must a Breach Notification Letter Include?

The HIPAA breach notification letter to individuals must contain specific content. This content includes:


  1. A brief description of the breach. This description should include the date of the breach and the date of the discovery of the breach, if this information is known.  
  2. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach. 
  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
  5. Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website, or postal address.


Are There Any Other HIPAA Individual Breach Notification Letter Requirements?

The HIPAA breach notification letter must be written in plain language. This means that the notice should be written at an appropriate reading level, using clear language and syntax, and not include any unnecessary material that might diminish the message the notice is trying to convey.

Notice must be provided by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. 


Notification Obligations of Covered Entities: HHS
The rule also requires that covered entities notify the Department of Health and Human Services (HHS) of the breach. Covered entities must notify the HHS Secretary by visiting the HHS website and filling out and electronically submitting a breach report form.

If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 calendar days following the discovery of the breach. Notice to HHS must be provided at the same time as the notice to individuals.


If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 calendar days after the end of the calendar year in which the breaches are discovered. Note that the annual deadline applies only to the HHS report: breaches affecting fewer than 500 people must still be reported to affected individuals without unreasonable delay and in no case later than 60 calendar days following the discovery of the breach.


Notification Obligations of Covered Entities: Media Outlets
For a breach of unsecured protected health information involving more than 500 residents of a state, a covered entity must notify prominent media outlets serving the state, in addition to providing the required notice to affected individuals. Covered entities typically provide media notification in the form of a press release to appropriate media outlets serving the affected area. Media notification must be provided without unreasonable delay and in no case later than 60 calendar days following the discovery of a breach.

Notification Obligations of Business Associates
The breach notification rule also requires that business associates, following the discovery of a breach of unsecured PHI, notify the covered entity of the breach. This notice must be provided to the covered entity without unreasonable delay and in no case later than 60 calendar days after the business associate's discovery of the breach. In turn, the covered entity must provide notice of the business associate breach to individuals, HHS, and (in cases involving more than 500 state residents) the media, as discussed above. That is, the covered entity must:

  1. Provide individual breach notification without unreasonable delay and in no case later than 60 calendar days following the discovery of the breach;
  2. Provide media notification (when more than 500 residents of a state have been affected by the breach) without unreasonable delay and in no case later than 60 calendar days following the discovery of the breach; and
  3. Notify HHS of the breach either (a) without unreasonable delay and in no case later than 60 calendar days following the discovery of the breach, for breaches affecting 500 or more individuals; or (b) within 60 calendar days after the end of the calendar year in which the breach is discovered, for breaches affecting fewer than 500 individuals.

Content of Business Associate Breach Notification to Covered Entity
When a business associate notifies a covered entity of a breach, the notification must include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. In addition, the business associate must provide the covered entity with any other available information that the covered entity is required to include in its own breach notification letters to affected individuals. This "other available information" must be provided either (a) at the time the business associate informs the covered entity of the breach, or (b) promptly thereafter as the information becomes available.


Notification Obligations of Business Associate Subcontractors
The breach notification rule requires that business associate subcontractors, following the discovery of a breach of unsecured PHI, notify their business associates of the breach. This notice must be provided to the business associate without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.