In the event of a breach of unsecured protected health information (PHI) affecting approximately 900 patients, who must be notified?

In the case of a breach of unsecured protected health information (PHI) involving around 900 patients, the appropriate course of action includes notifying affected patients and also notifying prominent local media outlets. This requirement stems from the Health Insurance Portability and Accountability Act (HIPAA) regulations concerning breach notification.

Under HIPAA, if a breach affects 500 or more individuals, covered entities must notify the affected individuals and also report the breach to the Secretary of Health and Human Services. However, in situations where the breach involves fewer than 500 individuals, although the Secretary must still be notified within a specific timeframe, the emphasis on notifying local media is critical to ensure that the affected community remains informed. This dual notification process ensures that individuals are aware of potential risks related to their protected health information while also engaging the community through media channels to increase awareness and vigilance.

This approach reinforces the commitment to transparency and accountability in handling personal health information, which is fundamental in maintaining patient trust and meeting regulatory standards.
