Q&A: Breach notification placement on website

September 17, 2020
Medicare Web

Q: Following a breach, many organizations post a breach notification letter to their website. Is there a particular spot on the site that it must be posted? Can the link to the notification letter be posted anywhere on the homepage?

A: Covered entities (CE) must notify affected individuals when a breach of unsecured PHI is discovered. This individual notice must be provided in writing by first-class mail or email (if the individual has agreed to receive such notices electronically). If the CE has insufficient or out-of-date contact information for 10 or more individuals, the CE must provide a substitute notice by posting the notice on the homepage of its website for at least 90 days or providing the notice in major print or broadcast media where the affected individuals likely reside. The CE must include a toll-free number that remains active for at least 90 days where individuals can learn if their information was involved in the breach.

The link to the notification letter may be posted anywhere on the homepage where individuals are likely to see it.

Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to editor Kevin Duffy at kduffy@hcpro.com.
