45 CFR 164.404 - Notification to individuals.

Status message

There is 1 rule appearing in the Federal Register for 45 CFR 164. View below or at eCFR (GPOAccess)
§ 164.404 Notification to individuals.
(a) Standard—
(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, §§ 164.406(a), and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).
(b) Implementation specification: Timeliness of notification. Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(c) Implementation specifications: Content of notification—
(1) Elements. The notification required by paragraph (a) of this section shall include, to the extent possible:
(A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(C) Any steps individuals should take to protect themselves from potential harm resulting from the breach;
(D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
(2) Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language.
(d) Implementation specifications: Methods of individual notification. The notification required by paragraph (a) of this section shall be provided in the following form:
(1) Written notice.
(i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.
(ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under § 164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.
(2) Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii).
(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.
(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:
(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
(B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach.
(3) Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section.

Title 45 published on 2013-10-01

The following are only the Rules published in the Federal Register after the published date of Title 45.

For a complete list of all Rules, Proposed Rules, and Notices view the Rulemaking tab.

  • 2014-02-06; vol. 79 # 25 - Thursday, February 6, 2014
    1. 79 FR 7290 - CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports
      GPO FDSys XML | Text
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Centers for Medicare & Medicaid Services, Office of the Secretary
      Final rule.
      Effective Date: These regulations are effective on April 7, 2014. HIPAA covered entities must comply with the applicable requirements of this final rule by October 6, 2014.
      42 CFR Part 493

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


United States Code

Title 45 published on 2013-10-01

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR 164 after this date.

  • 2014-02-06; vol. 79 # 25 - Thursday, February 6, 2014
    1. 79 FR 7290 - CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports
      GPO FDSys XML | Text
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Centers for Medicare & Medicaid Services, Office of the Secretary
      Final rule.
      Effective Date: These regulations are effective on April 7, 2014. HIPAA covered entities must comply with the applicable requirements of this final rule by October 6, 2014.
      42 CFR Part 493