Covered entities and business associates should consider which entity is in the best position to provide notice to the individual. In the case of a breach involving a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. The notification must include a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable). These individual notifications must be provided as soon as feasible and no later than 60 days following the disclosure of a breach.
0 kommentar(er)
