
Claims Admin Caused Breach that affected multiple Covered Entities and over 500 individuals in totality, client is one Covered Entity but the breach only affects 20 employees. Does my client need to send out a public notice for the 500+ individual breach?



Claims Admin Caused Breach that affected multiple Covered Entities, including over 500 individuals in totality.

Client is one Covered Entity but the breach only affects 20 of its employees.

Does my client need to send out a public notice for the 500+ individual breach? I.e., is the 500-individual notification requirement an aggregate of all individuals affected, even if they are from separate covered entities?


@ERISAQuestions1234 The preamble to the final regs addresses that point. You look only to the number of affected individuals associated with each particular covered entity when determining whether the breach involves 500 or more residents of a state or jurisdiction.

https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the

The Department also recognized that in some cases a breach may occur at a business associate and involve the protected health information of multiple covered entities. In such cases, a covered entity involved would only be required to provide notification to the media if the information breached included the protected health information of more than 500 individuals located in any one State or jurisdiction. For example, if a business associate discovers a breach affecting 800 individuals in a State, the business associate must notify the appropriate covered entity (or covered entities) subject to § 164.410 (discussed below). If 450 of the affected individuals are patients of one covered entity and the remaining 350 are patients of another covered entity, because the breach has not affected more than 500 individuals at either covered entity, there is no obligation to provide notification to the media under this section.

More details generally on the covered entity's notice obligations here: https://www.theabdteam.com/blog/hipaa-breach-notifications-for-employers/
