The organization must establish, implement, and maintain written policies and procedures to ensure compliance with the HIPAA Breach Notification Rule (45 CFR 164.400-414). These policies and procedures must detail the steps for identifying, assessing, and responding to potential breaches of unsecured protected health information (PHI), that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. They must set out the timelines and methods for notifying affected individuals, the Secretary of Health and Human Services (HHS), and, where applicable, prominent media outlets.
These procedures must also address:
- Notifying affected individuals without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known to the organization, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed the breach.
- Notifying HHS contemporaneously with the individual notices (without unreasonable delay and no later than 60 calendar days after discovery) for breaches affecting 500 or more individuals, and logging breaches affecting fewer than 500 individuals for submission to HHS no later than 60 days after the end of the calendar year in which they were discovered.
- Notifying prominent media outlets serving a State or jurisdiction, on the same timeline as individual notices, for breaches involving more than 500 residents of that State or jurisdiction. This media trigger is assessed per State or jurisdiction and is distinct from the 500-individual threshold for immediate HHS reporting.
- Required notification content (a brief description of what happened and when, the types of unsecured PHI involved, steps individuals should take to protect themselves, what the organization is doing to investigate, mitigate harm, and prevent recurrence, and contact procedures) and delivery methods (written notice by first-class mail, or by email where the individual has agreed to electronic notice; substitute notice where contact information is insufficient or out of date; and telephone notice in addition where urgency warrants it).
- Steps to identify and validate the set of affected individuals, including their State or jurisdiction of residence, since that count determines whether the HHS and media thresholds are met.
Furthermore, the organization must create and retain documentation for a minimum of six years from the date of its creation or the date it was last in effect, whichever is later, evidencing its adherence to these policies and procedures. Because the organization bears the burden of demonstrating that all required notifications were made, or that an incident did not constitute a breach, this documentation must include, but is not limited to:
- The established breach notification policies and procedures.
- Records of workforce training sessions conducted on these policies and procedures.
- Documentation of any security incidents evaluated for breach potential.
- If a breach is determined to have occurred, copies of all notifications sent to individuals, HHS, and media (if applicable), including the content of the notifications, the dates they were sent, and the methods of delivery.
- Evidence that all required notifications were provided on time or, where notification was delayed at the request of a law enforcement official because it would impede a criminal investigation or damage national security, a record of that request (in writing, or, if oral, a record of the statement and the identity of the official) and of the delay period applied; and, where the organization concluded that no breach occurred, the complete risk assessment and rationale supporting that conclusion, covering at minimum the four factors the Rule requires: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.