The interim final rule requires:
- Notice to patients alerting them to breaches “without unreasonable delay,” but no later than 60 days after discovery of the breach
- Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
- Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
- Notice to next of kin about breaches involving patients who are deceased
- Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE’s response
- Annual notice to the secretary of HHS 60 days after the end of the calendar year about unsecure PHI breaches involving fewer than 500 patient records
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.