45 CFR 164.410 - Notification by a business associate.

§ 164.410 Notification by a business associate.
(a) Standard.
(1) A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.
(2) Breaches treated as discovered. For purposes of paragraph (1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency).
(b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(c) Implementation specifications: Content of notification.
(1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.
(2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under § 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.

Title 45 published on 2013-10-01

The following are only the Rules published in the Federal Register after the published date of Title 45.

  • 2014-02-06; vol. 79 # 25 - Thursday, February 6, 2014
    1. 79 FR 7290 - CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Centers for Medicare & Medicaid Services, Office of the Secretary
      Final rule.
      Effective Date: These regulations are effective on April 7, 2014. HIPAA covered entities must comply with the applicable requirements of this final rule by October 6, 2014.
      42 CFR Part 493
