Aptible logo
Sign up for free
HIPAA Compliance Guide

§ 164.406 Notification to the media

HIPAA Compliance Guide

(a) Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in § 164.404(a)(2), notify prominent media outlets serving the State or jurisdiction.

(b) Implementation specification: Timeliness of notification. Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

(c) Implementation specifications: Content of notification. The notification required by paragraph (a) of this section shall meet the requirements of § 164.404(c).

[74 FR 42740, Aug. 24, 2009, as amended at 78 FR 5695, Jan. 25, 2013]