123STA T . 2 6 1 PUBLIC LA W 111 –5—FE B.1 7, 2 0 0 9person, o th er th a n the i n d i v id u a lc o m mittin g the b reach, that is an emplo y ee, o f ficer, or other agent of such entity or associate, respectively ) or should reasonably have been k no w n to such entity or associate ( or person) to have occurred . (d) TIMEL I N E S S OFN O T IFI CA TION. — ( 1 ) I N G ENE R AL.— S ub j ect to subsection (g), all notifications re q uired under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)). ( 2 ) BU R D EN OF P ROOF.—The covered entity involved (or business associate involved in the case of a notification required under subsection (b)), shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay. (e) M ET H ODS OF NOTICE.— (1) INDI V IDUAL NOTICE.—Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form
( A ) W ritten notification by first - class mail to the indi- vidual (or the ne x t of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a pref- erence by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available. (B) In the case in which there is insufficient, or out- of-date contact information (including a phone number, email address, or any other form of appropriate communica- tion) that precludes direct written (or, if specified by the individual under subparagraph (A), electronic) notification to the individual, a substitute form of notice shall be pro- vided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual ’ s unsecured pro- tected health information is possibly included in the breach. ( C ) In any case deemed by the covered entity involved to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity, in addition to notice provided under subparagraph (A), may provide information to individuals by telephone or other means, as appropriate. (2) MEDIA NOTICE.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 5 00 resi- dents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. Webposting.D e adl ine.
