
How Media Notification Works (and how to avoid it)

Wednesday, September 9th, 2009

Media notification is required when a breach affecting more than 500 records has occurred. The preamble to the Interim Final Rule discusses how the U.S. Department of Health and Human Services (HHS) expects the media to be notified when a breach of over 500 records occurs. Note that HHS treats media notification as relative to where the affected residents live, not to the location of the covered entity or business associate.

  • If the individuals whose unsecured protected health information (PHI) was breached live in a particular city, the breach notification should be sent to the prominent media outlet serving that city. A prominent media outlet could be a television station or a newspaper (no preference is given).
  • If the individuals whose unsecured PHI was breached are spread across a state, the prominent media outlet must serve the entire state.
  • If the total number of records breached is over 500 but the affected residents live in multiple states, with no more than 500 in any one state, then media notification is not required. Notification to the individuals is still required.
  • If more than 500 records are breached in each of several states, media notification is required to the prominent media outlet in each of those states.

The content in the media notification is identical to the content required for individual notification:

  • A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known.
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, a web address, or a postal address.


HHS expects the notification to the media to take the form of a press release.


It should be noted that you can avoid both media notification and notification to individuals by encrypting protected health information (PHI): the notification requirements apply to breaches of unsecured PHI, and properly encrypted PHI is not considered unsecured.
