45 CFR 164.408 - Notification to the Secretary.

§ 164.408 Notification to the Secretary.

(a)Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.

(b)Implementation specifications: Breaches involving 500 or more individuals. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in § 164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by § 164.404(a) and in the manner specified on the HHS Web site.

(c)Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.

[ 74 FR 42767, Aug. 24, 2009, as amended at 78 FR 5695, Jan. 25, 2013]

Title 45 published on 2015-11-20

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR Part 164 after this date.

  • 2016-01-06; vol. 81 # 3 - Wednesday, January 6, 2016
    1. 81 FR 382 - Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS)
      GPO FDSys XML | Text
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Final rule.
      Effective date: This final rule is effective on February 5, 2016.
      45 CFR Part 164