Media Notification – New HIPAA Compliance Rule

The following guest post is provided by Alex Zaltsman, CEO of Experior Data Security and Encryption

According to HealthLeaders Media, “As for enforcement, Congress promised in ARRA “periodic audits” to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren’t sure what that meant, and Apgar says OCR still does not have a definitive plan. Likely, they will not publish a plan until second quarter 2010.”

Sounds like 2009 was the year of the healthcare law revisions. 2010 looks like it may be the year of enforcement. Understanding compliance issues and notification rules needs to be a priority for every provider and business associate effected by HIPAA.

In cases when a breach of more than 500 records has occured, media notification, part of the new breach notification rule in the HITECH Act (Section 13402 of ARRA), is required.  The Interim Final Rule on Breach Notification preamble discusses how the U.S. Department of Health and Human Services (HHS) expects the media to be notified in such cases. Note that HHS considers media notification to be relative to where the residents live, not the location of the covered entity or business associate.

  • If the residents in the unsecured protected health information (PHI) live in a particular city the breach notification should be sent to the prominent media outlet serving that city. A prominent media outlet could be a television station or newspaper (no preference is given).
  • If the residents in the unsecured protected health information (PHI) are spread across a state the prominent media outlet must serve the entire state.
  • If the total amount of records breached is over 500 but the residents live in multiple states and not more than 500 are in any one state then media notification is not required.  Although media notification is not required, notification to the individuals is still required.
  • If the total amount of records breached is over 500 in more than one state media notification is required to the prominent media outlet in each state.

HHS expects the notification to the media to be in form of a press release. It should be noted that you can avoid media notification and notification to individuals by encrypting protected health information (PHI).

About Alex Zaltsman
Alex Zaltsman is the CEO of
Experior Data Security and Encryption. Experior specializes in implementing and supporting on-premise and on-demand data encryption solutions for regulatory compliance, including HIPAA and the HITECH Act within ARRA.  He can be reached at, through his blog or on Twitter @experiordata