123STA T . 2 6 2 PUBLIC LA W 111 –5—FE B.1 7, 2 0 0 9(3)NOTICE TO S EC R ET A R Y.— N oticeshal l b e pr o v i d ed to the S ecretar y by covered e n tities o fu nsecured protected health infor m ation that has been ac q uired or disclosed in a breach. I f the breach w as with respect to 50 0 or more individuals than such notice must be provided immediately. If the breach was with respect to less than 500 individuals , the covered entity may maintain a lo g of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved. ( 4 ) P OSTI NG ON H HS PUBL IC W EBSITE.— T he Secretary shall ma k e available to the public on the Internet website of the D epartment of H ealth and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed. (f) C ONTENT O F NOTIFICATION.— R egardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the e x tent possible, the following
( 1 ) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. ( 2 ) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). (3) The steps individuals should take to protect themselves from potential harm resulting from the breach. (4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches. (5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll - free telephone number, an e-mail address, W eb site, or postal address. (g) DELAY OF NOTIFICATION AUTHORI Z E D FOR L AW E NFORCE- M ENT PURPOSES.—If a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national secu- rity, such notification, notice, or posting shall be delayed in the same manner as provided under section 1 6 4.52 8 (a)(2) of title 45, Code of F ederal Regulations, in the case of a disclosure covered under such section. (h) U NSECURED PROTECTED HEALTH INFORMATION.— (1) DEFINITION.— (A) IN GENERAL.—Sub j ect to subparagraph ( B ), for pur- poses of this section, the term ‘ ‘unsecured protected health information ’ ’ means protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2). (B) E X CEPTION IN CASE TIMELY GUIDANCE NOT ISSUED.— In the case that the Secretary does not issue guidance under paragraph (2) by the date specified in such para- graph, for purposes of this section, the term ‘‘unsecured protected health information’’ shall mean protected health information that is not secured by a technology standard that renders protected health information unusable, List.
