HIPAA violation notification requirements are the legally required notices and deadlines that apply after a breach of unsecured protected health information under the HIPAA Breach Notification Rule, including notice to affected individuals, notice to the Department of Health and Human Services, notice to the media for large breaches, and upstream notice from business associates to covered entities.
A covered entity must notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery of a breach. Written notice is sent by first-class mail to the individual, or to the individual's next of kin or personal representative when the individual is deceased, and email notice may be used if the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more individuals, substitute notice is required, either through a conspicuous posting on the organization's website for a specified period or through major print or broadcast media in the relevant area, and a toll-free number must be available for inquiries. If contact information is insufficient or out of date for fewer than 10 individuals, substitute notice may be provided by an alternative written or other means.
The deadline for reporting to the Department of Health and Human Services depends on the number of individuals affected. For a breach involving 500 or more individuals, notice to the Department of Health and Human Services is submitted without unreasonable delay and no later than 60 calendar days after discovery. For a breach involving fewer than 500 individuals, the covered entity maintains a log of the breach and submits notice to the Department of Health and Human Services no later than 60 calendar days after the end of the calendar year in which the breach was discovered. For a breach involving 500 or more residents of a single state or jurisdiction, notice to prominent media outlets serving that area is also provided without unreasonable delay and no later than 60 calendar days after discovery.
Business associates must notify the covered entity of a breach of unsecured protected health information without unreasonable delay and no later than 60 calendar days after discovery, and the notification must include the information the covered entity needs to complete individual, regulator, and media notices when applicable. Individual notices must contain a description of what happened, including the date of the breach and the date of discovery when known; the types of unsecured protected health information involved; steps individuals should take to protect themselves; a description of the actions the organization is taking to investigate the breach, mitigate harm, and prevent recurrence; and contact procedures for questions. When law enforcement states that notification would impede a criminal investigation or cause damage to national security, notification may be delayed for the period specified by law enforcement.