US Health Department Outlines Breach Notification Guidelines


The US Department of Health & Human Services (HHS) has clarified its requirements for covered entities and business associates to provide notification following a breach of unsecured protected health information.

In a statement, the HHS confirmed that entities covered under HIPAA (the Health Insurance Portability and Accountability Act) are required to disclose any breach involving unsecured protected health information. The HHS defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information."

The HHS said there are three exceptions to this definition of a breach.

They are:

  1. The unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if it was made in good faith and within the scope of that person's authority.
  2. The inadvertent disclosure of protected health information by a person authorized to access it at a covered entity or business associate to another person authorized to access it at the same covered entity or business associate.
  3. A disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.

In addition, covered entities are specifically required to notify affected individuals following a breach.

“Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically,” the HHS said. “If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside.”

Where substitute notice is used, the covered entity must also provide a toll-free number that remains active for at least 90 days, so individuals can learn whether their information was involved in the breach.

Additionally, covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are also required to notify prominent media outlets serving that area, typically in the form of a press release.

The HHS said:

“Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.”

The HHS has also provided guidance on how covered entities must notify the Secretary of breaches, which is done through a web form on the HHS website. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery; smaller breaches may be logged and reported annually, within 60 days of the end of the calendar year in which they were discovered.
