Written Notification Under The HITECH Act

In the event that a breach requiring notification under the HITECH Act occurs, the covered entity or business associate must provide notification to the individuals affected by the breach. The outline below sets forth the requirements for such notices.
A. Timing of Notification:
i. Notification must be provided without unreasonable delay
ii. No later than 60 days after discovery of the breach
iii. A breach is discovered when it is first known to the covered entity or business associate
iv. “Known” means to the knowledge of an employee, officer or agent, other than the person committing the breach
v. Since the business associate must inform the covered entity of its breach, the clock does not start for the covered entity until it is informed by the business associate
vi. Notice may be delayed if a law enforcement official determines that it will adversely affect a criminal investigation or national security
B. Method of Notification
i. Notice must be provided in writing
ii. Notice must be sent by first class mail to the individual's last known address, or to the next of kin
1) Electronic mail may be used if the individual expressed a preference
iii. If the contact information is out of date then a substitute method is required
1) If 10 or more individuals require this alternative method, then the notice must be conspicuous and remain in place for a length of time set by the Secretary of HHS
I. Alternative methods can be
a. On the home page of the website of the covered entity or business associate, or
b. In prominent media outlets (print or broadcast), including media outlets where affected individuals reside
c. These alternative methods must include a toll-free number
iv. In addition to the above methods, a telephone call to affected individuals is permitted if there is high risk of “possible imminent misuse of unsecured” PHI
v. If a breach involves 500 or more residents of a defined geographic area, in addition to the above methods
1) Prominent media outlets shall be used to provide notification
2) HHS must also be notified immediately if unsecured PHI of 500 or more individuals is acquired or disclosed
I. Otherwise only a log has to be maintained which is submitted to HHS annually
II. HHS will publicly identify each reporting covered entity on its website and report them to Congress annually
C. Content of Notification
i. Regardless of the form all notifications must set forth:
1) Description of the breach and timing
2) Nature of the unsecured PHI subject to the breach
3) What affected individuals can do to protect themselves
4) Description of the efforts to investigate the breach, mitigate the harm and limit future breaches
5) How affected individuals may contact the covered entity or business associate to get assistance and access more information