§164.408
Notification to the Secretary.
(a) A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.
(b) For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in § 164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by § 164.404(a) and in the manner specified on the HHS Web site.
(c) For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS Web site.

Audit Inquiry

§164.408
Notification to the Secretary
Does the covered entity have policies and procedures for notifying the Secretary of breaches involving 500 or more individuals? Does the covered entity have policies and procedures for notifying the Secretary of breaches involving less than 500 individuals? Obtain and review policies and procedures. Evaluate whether the specifications at §164.408 are met.

Obtain and review a list of breaches, if any, in the previous calendar year involving 500 or more individuals, and the related notifications made to the Secretary and copies of a single written notice sent to affected individuals. Obtain and review documentation (to include but not be limited to documentation of discovery of the breach) that validates the related notifications provided to the Secretary in the previous calendar year. Determine whether contemporaneous notifications were provided to the Secretary consistent with the requirement in §164.408.

Obtain and review a list of breaches, if any, in the specified period involving fewer than 500 individuals. Obtain and review documentation of the related notifications provided to the Secretary and a single written notice provided to affected individuals. Evaluate whether the notifications were provided to the Secretary within 60 calendar days of the end of the calendar year in which the breach was discovered, consistent with the requirement in §164.408. Verify that the notices include the elements required by §164.408.