Physician Practice

Q&A: You’ve got questions! We’ve got answers!

Physician Practice Insider, August 9, 2016

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

When should patients be notified of a privacy breach? Is there a legally defined patient notification deadline a covered entity (CE) is required to meet?

A: The Breach Notification Rule requires CEs to notify affected individuals, HHS, and, in some cases, the media of a breach of unsecured protected health information. Most notifications must be provided no later than 60 days following the discovery of a breach. Breaches involving fewer than 500 individuals may be reported to HHS in a log or other documentation annually.

Editor’s note: This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS, for Briefings on HIPAA. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your questions to Associate Editor Nicole Votta at
