HIPAA Privacy - Notification to the Secretary 164.408


Overview:
§164.408
Notification to the Secretary.
(a) A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.
(b) For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in § 164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by § 164.404(a) and in the manner specified on the HHS Web site.
(c) For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS Web site.


Action Items:
1) Obtain and review a list of breaches, if any, in the previous calendar year involving 500 or more individuals, and the related notifications made to the Secretary and copies of a single written notice sent to affected individuals. Obtain and review documentation (to include but not be limited to documentation of discovery of the breach) that validates the related notifications provided to the Secretary in the previous calendar year. Determine whether contemporaneous notifications were provided to the Secretary consistent with the requirement in §164.408.
2) Obtain and review a list of breaches, if any, in the specified period involving fewer than 500 individuals. Obtain and review documentation of the related notifications provided to the Secretary and a single written notice provided to affected individuals. Evaluate whether the notifications were provided to the Secretary within 60 calendar days of the end of the calendar year in which the breach was discovered, consistent with the requirement in §164.408. Verify that the notices include the elements required by §164.408 (the required content of the written notice to individuals is set out in §164.404(c)).


Related Documents:
1) List of breaches, if any, in the previous calendar year involving 500 or more individuals, and the related notifications made to the Secretary and copies of a single written notice sent to affected individuals
2) Documentation (to include but not be limited to documentation of discovery of the breach) that validates the related notifications provided to the Secretary in the previous calendar year.
3) List of breaches, if any, in the specified period involving fewer than 500 individuals.
4) Documentation of the related notifications provided to the Secretary and a single written notice provided to affected individuals.


Additional Guidance:
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 calendar days following discovery of the breach (the same deadline that §164.404 sets for notifying individuals). If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis, but must still maintain a log or other documentation of each one. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.



Article ID: 594
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-privacy-notification-to-the-secretary-164-408-594.html