HIPAA Breach Notification Rule — General Rule
Enforced by: HHS OCR (US)
Current as of March 26, 2013
Plain Language Summary
After discovering a breach of unsecured PHI, a covered entity must notify affected individuals within 60 days, notify HHS, and, if 500+ individuals in one state are affected, notify major media in that state.
A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach no later than 60 calendar days after discovery. The covered entity must also notify the Secretary and, if the breach involves more than 500 individuals in a state, prominent media outlets serving that state.