45 CFR 164 Subpart D (HHS, active)

HIPAA Breach Notification Rule

Plain English Summary

Requires healthcare organizations to notify patients and HHS when patients' health information is improperly accessed or disclosed.

CFR Title: 45
CFR Part: 164
Effective Date: Sep 23, 2009
Jurisdiction: US

Full Text

Covered entities must notify affected individuals, the Secretary of HHS, and in some cases the media following the discovery of a breach of unsecured protected health information. Individual notification must be provided without unreasonable delay and no later than 60 days after discovery of the breach.

Breaches affecting 500 or more individuals must be reported to the Secretary and prominent media outlets in the affected state or jurisdiction. Breaches affecting fewer than 500 individuals may be reported annually. Business associates must notify covered entities of breaches.

healthcare