Providers must notify affected individuals following the discovery of a breach of unsecured protected health information. Providers must provide this individual notice in written form by first-class mail, or by email if the affected individual has agreed to receive such notices electronically. If the provider has insufficient or out-of-date contact information for ten or more individuals, the provider must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The provider must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the provider has insufficient or out-of-date contact information for fewer than ten individuals, the provider may provide substitute notice by an alternative form of written notice, by telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the provider is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the provider (or business associate, as applicable).
Concerning a breach at or by a business associate, while the provider is ultimately responsible for ensuring individuals are notified, the provider may delegate the responsibility of providing individual notices to the business associate. Providers and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the provider and which entity has the relationship with the individual.