X-HIPAA-BREACH Informational

Provide HIPAA Breach Notification

Official citation: HIPAA Breach Notification Rule

Class: informational · Severity: high

Statement of the obligation — verify against source

HIPAA Breach Notification Rule

What it means

Beyond securing ePHI, HIPAA requires you to tell people when it is exposed. The clock is 60 days from discovery; large breaches also trigger HHS and media notice. Business associates (most contractors) must promptly tell the covered entity they serve.

Required by

VAAR — VAAR 852.224-71
— 45 CFR 164.400-414
HITECH — 45 CFR 164.400-414
HHSAR — HHSAR 352.224-71

Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.