Health Information Management

HIPAA and the HITECH Act: Get your breach notification ready

HIM-HIPAA Insider, April 6, 2009

Covered entities providing notification must adhere to the following guidelines under the Health Information Technology for Economic and Clinical Health (HITECH) Act:

  • Notices to those directly affected by the breach usually must be sent by first-class mail; an organization may use e-mail if the patient prefers that method of communication, or telephone in an emergency.
  • The notices must contain the following elements: 
    • An account of what happened and how the organization discovered it, including dates 
    • A description of the affected PHI 
    • Guidance on how individuals can protect themselves from problems stemming from the breach 
    • A brief description of how the organization is handling the breach to minimize harm and the potential for further breaches 
    • Instructions for how individuals can ask questions or receive additional information (including a toll-free number, e-mail address, Web site, etc.)
  • If a breach involves more than 500 people in one state, the organization must send a notice to local media outlets in the state.

Editor’s note: This is an excerpt from a story in the April edition of the HCPro, Inc. newsletter, Briefings on HIPAA.
