Under the HITECH Breach Notification Rule, covered entities must notify certain parties following a breach of unsecured protected health information (“PHI”). First, covered entities must notify affected individuals following the discovery of a breach. If the breach affects more than 500 residents of a State or jurisdiction, covered entities are also required to provide notice to prominent media outlets.
Additionally, covered entities must provide notice of breaches to the Secretary of the U.S. Department of Health and Human Services (“HHS”). The timing of the notification obligation to the HHS Secretary depends on the number of affected individuals for a particular breach. If a breach involves 500 or more individuals, the Secretary must be notified “contemporaneously” with the notice to affected individuals. 45 CFR § 164.408(b). If a breach involves less than 500 individuals, a covered entity is required to maintain a log or other documentation of the breach and provide notice to the Secretary “not later than 60 days after the end of each calendar year.” 45 CFR § 164.408(c).
By March 1, 2011, covered entities must notify the Secretary of all breaches that occurred during 2010. The notification must be submitted electronically by using the following form: http://transparency.cit.nih.gov/breach/index.cfm. A separate form must be completed for each breach that occurred during the preceding calendar year.
© 2011 Parsonage Vandenack Williams LLC