Gunster health law leader Bruce D. Lamb identifies data breach obligations if your business is subject to compliance under the Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA.

Watch the video now:

Video produced by Charles Belvin Productions

Your business obligations under HIPAA after a data breach

If you are subject to compliance under the federal Health Insurance Portability and Accountability Act of 1996, you also have certain obligations in the event there is a breach of HIPAA-protected information.

First, an online report of the data breach must be submitted to the U.S. Health and Human Services secretary within 60 days of the discovery of the breach.

In addition, if the breach affects 500 or more people, you must notify the affected individuals without unreasonable delay in written form plus place a notice on your website or to print or broadcast media where affected individuals likely reside. You must also establish a toll-free phone number should be included on all of these notices and must remain active for at least 90 days after notification of the breach.

A press release should also be provided to media outlets serving the affected area. You can designate that you are reporting the breach as a covered entity on behalf of a business associate, if that is applicable.

In addition to all of these data breach notification obligations, there may be notification obligations to the state of Florida as well.


Find a Professional

by Name

by Practice/Office