Comment on FR Doc # E9-20169

Document ID: HHS-OCR-2009-0010-0003
Document Type: Public Submission
Agency: Department Of Health And Human Services
Received Date: August 25 2009, at 07:46 AM Eastern Daylight Time
Date Posted: August 25 2009, at 12:00 AM Eastern Standard Time
Comment Start Date: August 24 2009, at 12:00 AM Eastern Standard Time
Comment Due Date: October 23 2009, at 11:59 PM Eastern Standard Time
Tracking Number: 80a115d4
View Document:

This is comment on Rule

Breach Notification for Unsecured Protected Health Information

View Comment

There appears to be a technical error in paragraph 164.408(c) “Breaches involving less than 500 individuals”, which states: “… not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches occurring during the preceding calendar year …” Please note that a covered entity might not become aware of a breach until several months after it occurred. As it currently reads, the regulation might require a covered entity to notify the Secretary before becoming aware of the breach. I recommend revising that paragraph to read “… not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches of which the covered entity became aware during the preceding calendar year …”

Related Comments

View All

Total: 113

Comment on FR Doc # E9-20169
Public Submission Posted: 08/25/2009 ID: HHS-OCR-2009-0010-0002