April 10, 2018

US Health Department Outlines Breach Notification Guidelines

The US Department of Health & Human Services (HHS) has clarified its requirements for entities and businesses to provide notification following a breach of unsecured health information.

In a statement, the HHS has mandated that businesses covered under the HIPAA (Health Insurance Portability and Accountability Act) are required to disclose any breach involving unsecured protected health information. A breach, the HHS defined, is seen as ‘an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information.’

There are three exceptions to this definition, the HHS said.

They are:

  1. The unintentional acquisition, access or use of protected health information by an employee or person acting under the authority of a covered entity or business associate, provided the acquisition was made in good faith.
  2. The inadvertent disclosure of protected health information by a person authorized to access it at a covered entity or business associate to another person authorized to access it at the same entity.
  3. A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized person to whom it was made would not have been able to retain the information.

More pointedly, entities are also required to specifically notify affected individuals following a breach.

“Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically,” the HHS said. “If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside.”

Further, a covered entity must also maintain a toll-free number, active for at least 90 days, through which individuals can learn whether their information was involved in the breach.

Additionally, companies that suffer a breach affecting more than 500 residents of a state or jurisdiction are also required to notify prominent media outlets serving that area, typically in the form of a press release.

The HHS said:

“Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.”

Further, the HHS has also provided guidance on how companies must report breaches to the Secretary, which is done through an online web form on the HHS website.


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with law enforcement agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. intelligence agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
