HIPAA Breach Notice
(Media)


Summary

This HIPAA breach notice is for use by a group health plan subject to HIPAA to notify prominent media outlets about the plan's unauthorized use or disclosure of protected health information (PHI) of 500 or more individuals living in the region served by the media outlet. This template includes practical guidance, drafting notes, and alternate and optional clauses.

The Health Insurance Portability and Accountability Act (HIPAA) established breach notification rules for covered entities and their business associates obligating them to timely report missing participant PHI even if there is no indication that the information was improperly accessed. 45 C.F.R. §§ 164.400 to 164.414. For a breach involving 500 or more residents of a particular state or jurisdiction, the covered entity must notify prominent media outlets serving the area of the breach in addition to notifying affected individuals individually and the Department of Health and Human Services (HHS). Media reporting, like reporting to affected individuals and HHS, must occur without unreasonable delay and in no case later than 60 days after discovery of the breach. Content requirements for the media notice are the same as those for notices to affected individuals. 45 C.F.R. §§ 164.404(c), 164.406.

For a full listing of key content covering HIPAA considerations, see HIPAA Resource Kit. For a full listing of related data breach notification content, see Data Breach Notification Resource Kit. For more information about the HIPAA breach notification rule, including a list of steps in determining whether the HIPAA breach notification rules are triggered, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules — What Does the HIPAA Privacy Rule Require? and the following agency resources: HHS, Breach Notification Rule; HHS, October 2022 OCR Cybersecurity Newsletter: HIPAA Security Rule Security Incident Procedures; HHS, Factsheet: Ransomware and HIPAA; and HHS, My Entity Experienced a Cyber-Attack: What Do We Do Now? For a letter to notify affected individuals of a breach, see HIPAA Breach Notice (Individual).