HIPAA Regulations: Notification in the Case of Breach -- Methods of Individual Notification - § 164.404(d)
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations
(d) Implementation specifications: Methods of individual notification. The notification required by paragraph (a) of this section shall be provided in the following form:
(1) Written notice. (i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.
(ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under §164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.
(2) Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii).
(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.
(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:
(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
(B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach.
(3) Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section.
HHS Discussion and Commentary From the January 2013 Amendments: Notification in the Case of Breach: Methods of Individual Notification - § 164.404(d)
Methods of Notification
Section 13402(e)(1) of the HITECH Act provides for both actual written notice to affected individuals, as well as substitute notice to affected individuals if contact information is insufficient or out-of-date. Specifically, the statute requires breach notifications to be sent by first-class mail at the last known address of the individual or next of kin if the individual is deceased, or by electronic mail if specified as the preferred method by the individual. The Act also provides that the notification may be provided in one or more mailings as the information becomes available. Where there is insufficient or out-of-date contact information that precludes direct written notice to the individual, the statute requires that a substitute form of notice be provided to the individual. If there is insufficient contact information for 10 or more individuals, the Act requires that the substitute notice be a conspicuous posting on the home page of the covered entity’s Web site or notice in major print or broadcast media in the geographic areas where the affected individuals likely reside, and in either case, that a toll-free number be included where individuals can learn whether their information was possibly included in the breach.
Finally, the Act provides that a covered entity may provide notice by telephone or other means to individuals, in addition to direct written notice by first-class mail or e-mail, in urgent situations involving possible imminent misuse of the individual’s information.
Section 164.404(d) of the interim final rule set forth these methods for providing breach notification to affected individuals. Section 164.404(d)(1)(i) of the interim final rule required a covered entity to provide breach notice to an affected individual in written form by first-class mail at the individual’s last known address. The interim final rule also permitted covered entities to provide this written notice in the form of electronic mail if the individual has agreed to receive electronic notice and that agreement has not been withdrawn. The Department clarified that, consistent with § 164.502(g) of the Privacy Rule, where the individual affected by a breach is a minor or otherwise lacks legal capacity due to a physical or mental condition, notice to the parent or other person who is the personal representative of the individual would satisfy the requirements of § 164.404(d)(1).
Additionally, with respect to deceased individuals, the interim final rule at § 164.404(d)(1)(ii) provided that notice of a breach be sent to either the individual’s next of kin or personal representative, as such term is used for purposes of the Privacy Rule, recognizing that in some cases, a covered entity may have contact information for a personal representative of a deceased individual rather than the next of kin. To address administrative and privacy concerns with a covered entity being required to obtain contact information for the next of kin of a deceased patient in cases where the individual did not otherwise provide the information while alive, the interim final rule also clarified that a covered entity is only required to provide notice to the next of kin or personal representative if the covered entity both knows the individual is deceased and has the address of the next of kin or personal representative of the decedent.
If a covered entity does not have sufficient contact information for some or all of the affected individuals, or if some notices are returned as undeliverable, the interim final rule required a covered entity to provide substitute notice for the unreachable individuals in accordance with § 164.404(d)(2). The interim final rule required that substitute notice be provided as soon as reasonably possible after the covered entity is aware that it has insufficient or out-of-date contact information for one or more affected individuals and that the notice contain all the elements that § 164.404(c) requires be included in the direct written notice to individuals. With respect to decedents, however, the interim final rule provided that a covered entity is not required to provide substitute notice for the next of kin or personal representative in cases where the covered entity either does not have contact information or has out-of-date contact information for the next of kin or personal representative.
Section 164.404(d)(2) of the interim final rule required that, whatever method used, the substitute form of notice be reasonably calculated to reach the individuals for whom it is being provided. If there are fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice, § 164.404(d)(2)(i) of the interim final rule permitted the covered entity to provide substitute notice to such individuals through an alternative form of written notice, by telephone, or other means. For example, if a covered entity learned that the home address it has for one of its patients was out-of-date, but it had the patient’s e-mail address or telephone number, it could provide substitute notice by e-mail (even if the patient had not agreed to electronic notice) or by phone. Alternatively, posting a notice on the web site of the covered entity or at another location may be appropriate if the covered entity lacks any current contact information for the patients, so long as the posting is done in a manner that is reasonably calculated to reach the individuals.
If a covered entity has insufficient or out-of-date contact information for 10 or more individuals, then § 164.404(d)(2)(ii) of the interim final rule required the covered entity to provide substitute notice through either a conspicuous posting for a period of 90 days on the home page of its web site or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. For either method involving 10 or more individuals, the covered entity was also required to have a toll-free phone number, active for 90 days, where an individual can learn whether the individual’s unsecured protected health information may be included in the breach and to include the number in the notice.
If a covered entity chooses to provide substitute notice on its web site, the covered entity may provide all the information described at § 164.404(c) directly on its home page (“home page” includes the home page for visitors to the covered entity’s web site and the landing page or login page for existing account holders) or may provide a prominent hyperlink on its home page to the notice containing such information.
If the covered entity does not have or does not wish to use a web site for the substitute notice, the interim final rule required the covered entity to provide substitute notice of the breach in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. What is considered major print or broadcast media for a metropolitan area may be very different from what is considered major print or broadcast media in a rural area, such that the use of local, city, or statewide media may be appropriate depending on the circumstances. Further, multiple media outlets may need to be utilized to reasonably reach individuals in different regions or States. In any event, substitute media notice, as with substitute web notice, must be conspicuous and thus, covered entities should consider the location and duration of the notice to ensure the notice is reasonably calculated to reach the affected individuals.
Finally, we clarified that covered entities with out-of-date or insufficient contact information for some individuals can attempt to update the contact information so that they can provide direct written notification, in order to limit the number of individuals for whom substitute notice is required and, thus, potentially avoid the obligation to provide substitute notice through a web site or major print or broadcast media under §164.404(d)(2)(ii).
In accordance with the statute, § 164.404(d)(3) makes clear that notice to the individual by telephone or other means may be provided, in addition to the direct written notice required by § 164.404(d)(1), in cases deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information.
Overview of Public Comments
Several commenters questioned which entity has the responsibility for providing notifications to individuals when a breach occurs at or by a business associate and whether a covered entity could delegate its breach notification obligations to a business associate. Some commenters asked about the notification obligations in cases where a covered entity’s business associate that experiences a breach is also a covered entity itself. Others requested clarification regarding the obligations for providing breach notification where multiple covered entities and business associates are involved in health information exchange and it may be unclear where a breach occurred and/or which entity has responsibility for the breach.
Additionally, many commenters suggested that covered entities be permitted to provide notification to individuals via telephone or orally instead of via written communication, or at a work address instead of a home address, if the individual has specified one of these alternative methods or locations as preferred for receiving breach notification. Commenters raised potential privacy concerns with communicating with individuals via mail to their home, particularly where the individual has received highly confidential medical services, such as substance abuse or mental health services, and others who may have access to the mail may not otherwise be aware of such condition or treatment. Some commenters argued that because the Privacy Rule requires covered entities to accommodate reasonable requests by individuals to receive communications by alternative means or at alternative locations, the same standard should apply to the provision of breach notification.
Finally, several commenters expressed concern over the substitute notice required in cases in which the covered entity has insufficient or out-of-date contact information for affected individuals. Many of these commenters stated that providing notification via web posting or media publication is an inappropriate method of providing substitute notice, except in cases in which the covered entity can reasonably define the universe of affected individuals. In other cases, such notice will not give individuals who view the notice enough information to determine if they are affected by a breach, and may cause unaffected individuals unnecessary alarm. Some commenters recommended that covered entities instead be required to use reasonable efforts to identify alternative means of providing direct notice to the affected individuals, such as by phone or e-mail, or to only require substitute media or web notice when a covered entity cannot reach 10 or more individuals directly by mail, phone, or e-mail.
Other commenters argued that the substitute notice requirements, particularly the requirement to establish a toll-free number, may be cost prohibitive to smaller covered entities. It was also suggested that smaller covered entities, particularly those in rural areas, should be allowed to provide substitute notice via handouts or postings at the covered entity’s physical location even in cases where the entity has insufficient contact information for more than 10 individuals.
Final Rule
We retain § 164.404(d) in this final rule without modification. In response to questions raised with respect to a breach at or by a business associate, we note that the covered entity ultimately maintains the obligation to notify affected individuals of the breach under § 164.404, although a covered entity is free to delegate the responsibility to the business associate that suffered the breach or to another of its business associates.
This is the case even if the breach of the covered entity’s protected health information occurred at or by a business associate that is also a covered entity. For example, if a covered provider (Provider A) hires another covered provider’s practice (Provider B) as a business associate to perform his billing and other back office functions, and a breach of Provider A’s protected health information occurs at Provider B while performing these functions for Provider A, it remains Provider A’s responsibility to provide breach notification to the affected individuals, although Provider A may delegate this responsibility to Provider B as its business associate.
Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. Similarly, when multiple covered entities participate in electronic health information exchange and there is a breach of unsecured protected health information at a Health Information Organization (HIO), the obligation to notify individuals of the breach falls to the covered entities.
We recognize that it may be difficult to determine what breached information is attributable to which covered entity’s individuals. For example, an HIO may store centralized electronic health records (EHRs) for a community, with each EHR including information generated by multiple covered entities. In such circumstances, it may be necessary for the HIO to notify all potentially affected covered entities and for those covered entities to delegate to the HIO the responsibility of sending the required notifications to the affected individuals. This would avoid the confusion of individuals receiving more than one notification about the same breach.
In response to the commenters who suggested that covered entities be permitted to accommodate reasonable requests by individuals to receive breach notifications by alternative means or at alternative locations, we provide the following guidance. The HITECH Act requires a covered entity to provide breach notification to an affected individual in written form either at the last known address of the individual or e-mail address, if the individual agrees to receive notice electronically, where the covered entity has sufficient contact information to do so. The Act and this rule do not prohibit a covered entity from sending a breach notice to an alternative address rather than a home address, such as a work address or post office box, or the individual’s e-mail address of choice, if the individual requests communications be sent to such an address. Further, a covered health care provider (and health plan, if potential endangerment is raised by the individual) is required by the Privacy Rule at § 164.522 to accommodate any such reasonable requests.
In response to those commenters who urged that we allow breach notices to be provided orally or via telephone to individuals receiving highly confidential treatment services where the individual has requested to receive communications in such a manner, we note that the HITECH Act specifically refers to “written” notice to be provided to individuals. However, we understand the privacy concerns raised. We, thus, clarify that in the limited circumstances in which an individual has agreed only to receive communications from a covered health care provider orally or by telephone, the provider is permitted under the Rule to telephone the individual to request and have the individual pick up their written breach notice from the provider directly. In cases in which the individual does not agree or wish to travel to the provider to pick up the written breach notice, the health care provider should provide all of the information in the breach notice over the phone to the individual, document that it has done so, and the Department will exercise enforcement discretion in such cases with respect to the “written notice” requirement. We stress that our enforcement discretion applies only to cases where the individual affirmatively chooses not to receive communications from a covered health care provider at any written addresses or e-mail addresses, and not to situations where providing telephonic notice is simply less burdensome or easier on a provider and the entity has a valid address, or e-mail address if applicable, on file for the affected individual.
Finally, with respect to commenters who expressed concerns with the substitute media and web notice provisions of the interim final rule, we emphasize that these are statutory requirements that have been incorporated into the Rule. Section 13402(e)(1)(B) of the HITECH Act expressly requires that a covered entity that has insufficient or out-of-date contact information for 10 or more individuals provide substitute notification to such individuals via posting on their Web site or notification in major print or broadcast media in the areas in which the affected individuals likely reside. Additionally, the statute requires such “notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.” Thus, we retain these requirements in this final rule.
Response to Other Public Comments
Comment: One commenter expressed concern about providing breach notification to individuals by first-class mail because it could require some entities, such as those that have Web-based relationships with individuals, to collect more information about individuals (e.g., physical addresses) than they currently do.
Response: The Rule allows a covered entity to provide written breach notice to an affected individual by e-mail if the individual agrees to electronic notice and such agreement has not been withdrawn. We would expect that covered entities that have primarily or solely an online relationship with individuals would ask and encourage individuals to receive breach notices by e-mail and that generally individuals would agree. However, an individual that does not affirmatively agree to receive breach notices by e-mail, or that withdraws a prior agreement, has a right to notice by first-class mail.
Comment: One commenter suggested that we excuse a covered entity from providing notification of a breach to an individual where a licensed health care professional has determined in the exercise of professional judgment that the provision of such notice is likely to cause substantial harm to the individual. The commenter appeared to be concerned due to the nature of the services it provides – mental health services – and the distress breach notification could cause for certain of its patients.
Response: The statute does not include such an exception to the provision of breach notification, and we do not include one in this Rule. An affected individual has a right to be informed of breaches of unsecured protected health information so the individual can take steps if appropriate to protect themselves from the consequences. In situations where a health care provider believes that the provision of written breach notification to an individual may cause extreme anguish or distress, based on the individual’s mental state or other circumstances, the provider may telephone the individual prior to the time the breach notice is mailed or have them come into the provider’s office to discuss the situation. However, we note that the breach notification must still be mailed without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Where a provider is aware that an individual has a personal representative due to incapacity or other health condition, the breach notification may be sent to the personal representative.
Comment: Many commenters expressed support for allowing covered entities to provide breach notification to a deceased individual’s personal representative instead of to the next of kin. One commenter suggested that we also allow covered entities to provide breach notification to the emergency contact provided by a deceased individual prior to death as this is the information they collect from individuals and yet this person may not be the next of kin or a personal representative of the deceased individual.
Response: We do not believe it appropriate to permit covered entities to send breach notifications to a deceased individual’s emergency contact where such person is not a personal representative (such as an executor or administrator of the decedent’s estate) or next of kin of the decedent, as such notices may convey information about the decedent’s care the decedent never wished the emergency contact to have and/or may go to a person who has no authority to act on the notice.
Comment: To reduce the costs associated with sending breach notifications, one commenter asked that we adopt the Department of Labor’s standard for providing COBRA Election Notices to allow a covered entity to: (1) where a breach affects both a plan participant and the participant’s spouse, send one breach notice addressed to both if both spouses reside at the same address; and (2) where a breach affects a dependent child (of any age) under a plan, send a breach notice to either the plan participant and/or the participant’s spouse, provided the dependent child resides at the same address. The commenter stated the notice should clearly identify the individuals or classes of individuals to whom the notice applies.
Response: A covered entity is permitted to send one breach notice addressed to both a plan participant and the participant’s spouse or other dependents under the plan who are affected by a breach, so long as they all reside at a single address and the covered entity clearly identifies on the notice the individuals to which the notice applies. Further, a covered entity may send a notice regarding the breach of a dependent child’s protected health information addressed to the plan participant and/or participant’s spouse living with the dependent child, so long as the participant and/or participant’s spouse are the personal representatives of the dependent child and the notice clearly identifies to whom it applies. Such notices by first-class mail would meet the written notice requirements of § 164.404(d)(1)(i). However, one breach notice covering both the plan participant and the dependents under the plan mailed to the plan participant’s address would not suffice if the address of one or more dependents affected by the breach was different than the participant’s address. Further, where a plan participant (and/or spouse) is not the personal representative of a dependent under the plan, a covered entity must address a breach notice to the dependent himself or herself.
Comment: Several commenters expressed support for the acknowledgment in the preamble to the interim final rule that some covered entities may have obligations under Civil Rights laws to ensure that breach notifications are provided to individuals in alternative languages, and in alternative formats, such as Braille, large print, or audio, where appropriate. Some commenters requested additional guidance regarding how to ensure compliance with these laws with respect to breach notifications.
Response: Additional guidance on how to comply with Title VI of the Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 1973, and the Americans with Disabilities Act of 1990, is available on the OCR website at http://www.hhs.gov/ocr/civilrights/. Further, covered entities with questions on how to comply may contact one of OCR’s ten regional offices. Contact information is available at http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html.
Comment: Some commenters suggested that the final rule adopt a substitute notification provision similar to that in many State laws that allows for substitute notification, rather than direct written notice, to the individual in the event of breaches affecting a very large number of individuals, such as over 250,000 or 500,000, where the costs of notification would be extremely high.
Response: The Act does not waive direct written notice to the individual when a breach has affected a threshold number of individuals and we do not do so in this rule.
Comment: One commenter requested confirmation that a covered entity could make multiple attempts to provide direct written notice to individuals within the 60-day timeframe before the individual counts towards the 10 or more threshold for providing substitute Web or media notice.
Response: We clarify that a covered entity can attempt to cure out-of-date contact information on individuals when notices are returned as undeliverable by the United States Postal Service to avoid substitute notice so long as a covered entity does so promptly upon receiving the returned notices and no later than 60 calendar days from discovery of the breach. However, at the time the covered entity is aware that it will be unable to reach 10 or more individuals with direct written notice, the covered entity should provide substitute Web or media notice as soon as reasonably possible thereafter, which may be prior to the end of the 60-day period depending on the circumstances.
Comment: One commenter stated that the required content of the breach notice itself, when made available to the public through the web or media, could lead to the identification of individuals affected by the breach in some cases, undermining the intent of HIPAA’s privacy and security protections.
Response: It is unclear to which circumstances the commenter refers. For example, the notification must include the types of protected health information involved (e.g., social security numbers, dates of birth, full names). However, this is not a requirement to include in the notice the actual names or other identifiers of the affected individuals. We believe covered entities are able to post breach notices in a manner that does not identify particular individuals affected by a breach and thus, must do so.
Comment: One commenter asked that OCR engage in an educational campaign to ensure that covered entities and business associates understand their obligations under the breach notification rule.
Response: Published guidance is the primary method that the Department uses to educate and provide technical assistance to covered entities and business associates. We intend to issue guidance on these requirements in the future as questions are raised or clarifications sought.
HHS Description and Commentary From the Interim Breach Rule: Notification in the Case of Breach: Methods of Individual Notification - § 164.404(d)
Section 13402(e)(1) of the Act provides for both actual written notice to the individual, as well as substitute notice to the individual if contact information is insufficient or out-of-date. Accordingly, the interim final rule at § 164.404(d) adopts the statutory provisions for actual and substitute breach notification to the individual. Section 164.404(d)(1)(i) requires a covered entity to provide breach notice to the individual in written form by first-class mail at the last known address of the individual. Consistent with the statute, the interim final rule also provides that written notice may be in the form of electronic mail, provided the individual agrees to receive electronic notice and such agreement has not been withdrawn. We note that, consistent with § 164.502(g) of the Privacy Rule, where the individual affected by a breach is a minor or otherwise lacks legal capacity due to a physical or mental condition, notice to the parent or other person who is the personal representative of the individual will satisfy the requirements of § 164.404(d)(1).
The statute also requires that, if the individual is deceased, notice must be sent to the last known address of the next of kin. The interim final rule adopts this provision at § 164.404(d)(1)(ii), but provides that such notice be sent to either the individual’s next of kin or personal representative, as such term is used for purposes of the Privacy Rule, recognizing that in some cases, a covered entity may have contact information for a personal representative of a deceased individual rather than the next of kin. We believe this conforms to the intent of the statute and improves consistency between this subpart and the Privacy Rule. Under 45 CFR 164.502(g), a “personal representative” of a deceased individual is a person who has authority to act on behalf of the decedent or the decedent’s estate. The interim final rule also clarifies that a covered entity is only required to provide notice to next of kin or the personal representative if the covered entity both knows the individual is deceased and has the address of the next of kin or personal representative of the decedent. This clarification should address some of the comments which raised both administrative and privacy concerns with a covered entity being required to obtain contact information for next of kin of a deceased patient, if the individual did not otherwise provide the information while alive.
If a covered entity does not have sufficient contact information for some or all of the affected individuals, or if some notices are returned as undeliverable, the covered entity must provide substitute notice for the unreachable individuals in accordance with § 164.404(d)(2) of the interim final rule. Substitute notice should be provided as soon as reasonably possible after the covered entity is aware that it has insufficient or out-of-date contact information for one or more affected individuals. Whatever form of substitute notice is provided, the notice must contain all the elements that § 164.404(c) requires be included in the direct written notice to individuals. With respect to decedents, however, the rule provides that a covered entity is not required to provide substitute notice for the next of kin or personal representative in cases where the covered entity either does not have contact information or has out-of-date contact information for the next of kin or personal representative.
Section 164.404(d)(2) requires that the substitute form of notice be reasonably calculated to reach the individuals for whom it is being provided. If there are fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice, § 164.404(d)(2)(i) permits the covered entity to provide substitute notice to such individuals through an alternative form of written notice, by telephone, or other means. For example, if the covered entity learns that the home address it has for one of its patients is out-of-date but it has the patient’s e-mail address, it may provide substitute notice by e-mail even if the patient has not agreed to electronic notice. Similarly, in the above example, if the covered entity has a current telephone number rather than an e-mail address for the patient, then the covered entity may telephone the patient and provide the information required by the notice over the phone. We note, however, that the covered entity should take care not to unnecessarily disclose protected health information in the process of providing substitute notice, such as where the covered entity leaves an answering machine message that could be picked up by other household members. In such cases, the covered entity should limit the amount of information disclosed in an answering machine message, for example by leaving only its name and number and indicating that it has a very important message for the individual. Alternatively, posting a notice on the web site of the covered entity or at another location may be appropriate if the covered entity lacks any current contact information for the patients, so long as the posting is done in a manner that is reasonably calculated to reach the individuals.
If a covered entity has insufficient or out-of-date contact information for 10 or more individuals, then § 164.404(d)(2)(ii) requires the covered entity to provide substitute notice through either a conspicuous posting for a period of 90 days on the home page of its web site or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. As described above, these substitute notifications must be provided in a manner that is reasonably calculated to reach the affected individuals. In addition, substitute notice through the web site or media for 10 or more individuals requires the covered entity to have a toll-free phone number, active for 90 days, where an individual can learn whether the individual’s unsecured protected health information may be included in the breach, and to include that number in the notice.
If the covered entity chooses to provide substitute notice on the home page of its web site, the notice must be conspicuous and posted for at least 90 days. A covered entity may provide all the information described at § 164.404(c) directly on its home page or may provide a hyperlink to the notice containing such information. We interpret “home page” to include the home page for visitors to the covered entity’s web site and the landing page or login page for existing account holders. If a covered entity uses a hyperlink on the home page to convey the substitute notice, the hyperlink should be prominent so that it is noticeable given its size, color, and graphic treatment in relation to other parts of the page, and it should be worded to convey the nature and importance of the information to which it leads.
Alternatively, or if the covered entity does not have or does not wish to use a web site for the substitute notice, the covered entity may provide substitute notice of the breach in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. What constitutes major print or broadcast media for a particular area will depend on the geographic area where the affected individuals are likely to reside and what is reasonably calculated to reach the affected individuals. We emphasize that what is considered major print or broadcast media for a metropolitan area may be very different from what is considered major print or broadcast media in a rural area. For example, if the affected individuals are reasonably likely to reside in a rural area, then a local newspaper could be the major newspaper serving that area and most likely to reach the individuals affected. For affected individuals in a metropolitan area, a newspaper serving the entire metropolitan area or the entire State would be more likely to reach the individuals affected. If the affected individuals likely reside in different regions or States, then the covered entity may need to utilize multiple media outlets to reasonably reach these individuals.
Also, we clarify in this interim final rule that any notice in print or broadcast media under this section must be conspicuous, similar to the posting on the web site. Thus, for example, for notice in print media, thought should be given to what location and duration of the notice is reasonably calculated to reach the affected individuals. Some commenters were concerned that providing substitute notice in major media would be costly and onerous. Covered entities that are concerned with the cost of providing substitute notice in this manner have the option of instead posting the substitute notice on their web sites. For smaller covered entities that do not have web sites, we would expect those covered entities generally to serve a patient population located in a relatively compact and discrete area. In such cases, the geographic area in which the affected individuals reside would be comparably small, and, therefore, we do not believe that providing substitute notice in the appropriate local newspaper or television station would be excessively costly or onerous. Finally, we note that covered entities with out-of-date or insufficient contact information for some individuals can attempt to update the contact information so that they can provide direct written notification, in order to limit the number of individuals for whom substitute notice is required and, thus, potentially avoid the obligation to provide substitute notice through a web site or major print or broadcast media under § 164.404(d)(2)(ii).
Other commenters were concerned that the requirement to include a toll-free phone number in the substitute media notice would overly burden a covered entity with calls from individuals unaffected by the breach. We note that the statute requires that covered entities include a toll-free phone number in cases where substitute notice is required for 10 or more individuals. Covered entities concerned with the number of calls they may receive from unaffected individuals may wish to include sufficient information in the notice itself or a web address in the notice for more information (or other means) as a way for individuals to determine whether their information may have been included in the breach.
Additional Notice in Urgent Situations
Finally, § 164.404(d)(3) of the interim final rule implements the provision in the statute at § 13402(e)(1)(C), which makes clear that notice by telephone or other means may be made, in addition to written notice, in cases deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information. We emphasize, however, that such notice, if utilized, is in addition to, and not in lieu of, the direct written notice required by § 164.404(d)(1).