§164.404(d)
Methods of Notification.
The notification required by paragraph (a) of this section shall be provided in the following form:
(1)(i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information becomes available.
(ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under §164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual is required. The notification may be provided in one or more mailings as information is available.
(2) Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under this paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii).
(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then substitute notice may be provided by an alternative form of written notice, telephone, or other means.
(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: (A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in a major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and (B) Include a toll-free number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.
(3) In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section.
Audit Inquiry
§164.404(d)
Methods of Notification
Does the covered entity have policies and procedures for notifying an individual, an individual’s next of kin, or a personal representative of a breach?
Obtain and review the covered entity’s policies and procedures for notifying individuals, next of kin, or personal representatives of a breach to determine whether they are consistent with §164.404(d), including the following:
• Do the policies and procedures provide that notice will be provided by first-class mail unless the individual has agreed to receive an electronic notice?
If there is a process for individuals to agree to receive electronic notice, is there also a process to address circumstances where an individual withdraws such agreement?
• Do the policies and procedures provide that the covered entity will send the notification to the next of kin or personal representative where the covered entity has knowledge that the individual is deceased and has the address of the next of kin or personal representative?
• Do the policies and procedures address the provision of substitute notice consistent with §164.404(d)(2), including:
o Alternative means for providing notification to individuals if there is insufficient or out-of-date contact information for fewer than 10 individuals
o If insufficient or out-of-date contact information for 10 or more individuals
– Posting a conspicuous notice on the home page of the covered entity’s web site or publishing conspicuous notices in major print or broadcast media in the geographic area(s) where the affected individuals likely reside
– Establishing a toll-free phone number that remains active for at least 90 days.
Did the covered entity determine that there were any breaches within the specified period that required substitute notice? Obtain and review documentation of substitute notices:
1. If insufficient or out-of-date contact information for fewer than 10 individuals, documentation of notice provided by alternative means, such as a log of telephone calls.
2. If insufficient or out-of-date contact information for 10 or more individuals, documentation of a conspicuous posting on the home page of the covered entity’s web site or a copy of conspicuous notices in major print or broadcast media, and documentation of a toll-free phone number that remained active for at least 90 days.
Review selected notices and verify that the notices were provided consistent with these requirements.