Who must be notified under HIPAA when bad things happen?

So you know HIPAA regulates Protected Health Information, but in the event of a breach, do your incident response and disaster recovery plans include the steps needed to meet the legal notification requirements? The HIPAA Breach Notification Rule identifies who must be notified when a breach of unsecured PHI occurs. Here is a quick list of the three groups that must be notified, in every case no later than 60 calendar days after the breach is discovered.

It would be very easy to get lost in the weeds of notification, but we can safely narrow it down to three categories of parties that must be notified when a breach occurs: the affected individuals, the US Department of Health and Human Services (HHS), and the media. [Note: State laws may layer additional notification requirements on top of these; however, we are only addressing HIPAA in this post.]

Individuals

Covered Entities are required to notify each affected individual of a breach of their PHI/ePHI. The Rule specifies the method of contact, normally written notice by first-class mail (or by e-mail, if the individual has agreed to electronic notice), without unreasonable delay and no later than 60 calendar days after discovery of the breach. It also specifies when substitute notice is required: if contact information is missing or out of date for 10 or more individuals, the notice must be posted conspicuously on the Covered Entity's website home page for 90 days or published in major print or broadcast media, with a toll-free number individuals can call.

Please download our e-guide, “HIPAA basics: your breach notification obligations”, to learn more.

HHS notification

The overall guideline is that HHS must be notified no later than 60 calendar days after discovery of the breach if 500 or more individuals' PHI/ePHI have been affected. If fewer than 500 individuals are affected in a single event, HHS allows the Covered Entity to log the breach and report it annually, within 60 days after the end of the calendar year in which the breach was discovered. In all cases, notifications should occur as soon as possible and without unreasonable delay; the 60 days is a ceiling, not a target.

Media

Prominent media outlets serving a state or jurisdiction must be notified if more than 500 residents of that state or jurisdiction have been affected by a single breach, again no later than 60 calendar days after discovery. A press release to those outlets is generally the standard method of notification.