HIPAA Breach Notification Rule (45 CFR Part 164 Subpart D)

The HIPAA Breach Notification Rule mandates that covered entities and business associates promptly disclose any unsecured protected health information to affected individuals, the Secretary of Health and Human Services, and, when a breach affects 500 or more individuals, the media. Notifications must be sent without unreasonable delay, no later than 60 days after discovery, and must include a description of the breach, the types of information involved, steps taken to mitigate harm, and contact information for further inquiries.