Q&A: Posting security notice on website

February 18, 2021
Medicare Web

Q: If our organization suffers a breach, we must post a security notice on our website. How long must this security notice stay on the site?

A: As a CE, if you have a breach of unsecured PHI, you must notify affected individuals, the Secretary of Health & Human Services, and, in some circumstances, the media. You must provide written notice to affected individuals by first-class mail or email if the individual has agreed to receive such notices electronically.

If you have insufficient or out-of-date contact information for 10 or more individuals, you must provide substitute notice by either posting the notice on the home page of your website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. You must include a toll-free number that remains active for at least 90 days where individuals can learn if their information was involved in the breach.

If you have insufficient or out-of-date contact information for fewer than 10 individuals, you may provide substitute notice by an alternative form of written notice, by telephone, or other means.

Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to editor Kevin Duffy at kduffy@hcpro.com.