HIPAA Breach Notification Rule
Plain English Summary
Requires healthcare organizations to notify patients and HHS when patients' health information is improperly accessed or disclosed.
Full Text
Covered entities must notify affected individuals, the Secretary of HHS, and in some cases the media following the discovery of a breach of unsecured protected health information. Individual notification must be provided without unreasonable delay and no later than 60 days after discovery of the breach.
Breaches affecting 500 or more individuals must be reported to the Secretary and prominent media outlets in the affected state or jurisdiction. Breaches affecting fewer than 500 individuals may be reported annually. Business associates must notify covered entities of breaches.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.