Overview:
§164.406(a)
Notification to the Media.
For a breach of unsecured PHI involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in §164.404(a)(2), notify prominent media outlets serving the State or jurisdiction.
(b) Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(c) The content of the notification required by paragraph (a) of this section shall meet the requirements of §164.404(c).
Action Items:
1) Does the covered entity have and follow policies and procedures for notifying media outlets of breaches affecting more than 500 residents of a State or jurisdiction? Obtain and review policies and procedures. Evaluate whether the specifications at §164.406 are met.
2) Obtain and review a list of breaches, if any, in the specified period affecting more than 500 residents of a State or jurisdiction. Obtain and review documentation to verify that the media notifications included the elements required by §164.406 and are made consistent with the entity's policies and procedures.
Related Documents:
1) Policies and procedures for notifying media outlets of breaches affecting more than 500 residents of a State or jurisdiction
2) List of breaches, if any, in the specified period affecting more than 500 residents of a State or jurisdiction
3) Documentation to verify that the media notifications included the elements required by §164.406 and are made consistent with the entity's policies and procedures.
Additional Guidance:
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
Article ID: 593
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-privacy-notification-to-the-media-164-406-593.html