Health Information Management

Breach notification requirements

HIM-HIPAA Insider, December 15, 2009

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q: If a breach of PHI occurs and the business associate (BA) or covered entity does not have current contact information for 10 or more individuals affected, substitute notification is required. What does the interim final rule on breach notification require with respect to substitute notification?
 
A: Pursuant to the substitute notification requirements, a covered entity must prominently post a notice including information about the breach on the home page of its Web site for no less than 90 days. The notice must include a toll-free number that is active for no less than 90 days. Alternatively, covered entities may provide notification about the breach, including the toll-free number, through major media outlets in the area where individuals affected by the breach likely reside.
 
Editor’s note: Chris Apgar, CISSP of Apgar & Associates, LLC, in Portland, OR, answered the previous question in the December issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular