HIPAA Privacy - Timeliness of Notification 164.404(b)
Overview:
§164.404(b)
Timeliness of Notifications.
Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
Action Items:
1) Obtain and review the policies and procedures for notifying individuals of breaches and determine whether such policies and procedures are consistent with §164.404(b), that is, whether they provide for notification without unreasonable delay and in no case later than 60 days after discovery of a breach.
2) Obtain and review documentation related to breaches, if any, in the specified period, to include evidence of the date individuals were notified, the date the covered entity discovered the breach, and the reason, if any, for delay in notification. Assess whether the notifications were completed in accordance with these requirements and the entity's policies and procedures.
Related Documents:
1) Policies and procedures for notifying individuals of breaches
2) Documentation related to breaches, if any, in the specified period, to include evidence of the date individuals were notified, the date the covered entity discovered the breach, and the reason, if any, for delay in notification.
Additional Guidance:
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. To the extent possible, they must include a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).