§ 17932. Notification in the case of breach
(a) In general
(b) Notification of covered entity by business associate
(c) Breaches treated as discovered
(d) Timeliness of notification
(1) In general
(2) Burden of proof
(e) Methods of notice
(1) Individual notice
Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:
(A) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
(B) In the case in which there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written (or, if specified by the individual under subparagraph (A), electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.
(C) In any case deemed by the covered entity involved to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity, in addition to notice provided under subparagraph (A), may provide information to individuals by telephone or other means, as appropriate.
(2) Media notice
(3) Notice to Secretary
(4) Posting on HHS public website
(f) Content of notification
Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:
(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.
(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
(g) Delay of notification authorized for law enforcement purposes
(h) Unsecured protected health information
(1) Definition
(A) In general
(B) Exception in case timely guidance not issued
(2) Guidance
(i) Report to Congress on breaches
(1) In general
(2) Information
The information described in this paragraph regarding breaches specified in paragraph (1) shall include—
(A) the number and nature of such breaches; and
(B) actions taken in response to such breaches.
(j) Regulations; effective date
(Pub. L. 111–5, div. A, title XIII, § 13402, Feb. 17, 2009, 123 Stat. 260.)