In a strongly-worded letter sent and signed by six congressmen to HHS Secretary Kathleen Sebelius the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must make an assessment of whether or not the breach can cause reputational, financial, and other types of harm.  This leaves open the possibility that a covered entity could decide to act in its own interest and make the decision not to follow the directives written into the breach notification ruling.

..

There are, of course, two sides of the sword. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.

..

A drawback to removing the harm assessment is that it is possible that, ironically, that too many breach notifications are sent to people, thereby creating a “boy that cries wolf” effect. In a perfect world breaches would never happen, so there would not need to be a reason to notify people. However, we all know that not to be the reality. Breaches do occur, intentional or not. And people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see the next steps Congress and HHS will take.

Media notification is required when a breach of more than 500 records has occurred.  The Interim Final Rule preamble discusses how the U.S. Department of Health and Human Services (HHS) expects the media to be notified in case a breach of over 500 records occurs. Note that HHS considers media notification to be relative to where the residents live, not the location of the covered entity or business associate.

• If the residents in the unsecured protected health information (PHI) live in a particular city the breach notification should be sent to  the prominent media outlet serving that city. A prominent media outlet could be a television station or newspaper (no preference is given).
• If the residents in the unsecured protected health information (PHI) are spread across a state the prominent media outlet must serve the entire state.
• If the total amount of records breached is over 500 but the residents live in multiple states and not more than 500 are in any one state then media notification is not required.  Although media notification is not required, notification to the individuals is still required.
• If the total amount of records breached is over 500 in more than one state media notification is required to the prominent media outlet in each state.

The content in the media notification is identical to the content required for individual notification:

• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
• A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
• Any steps individuals should take to protect themselves from potential harm resulting from the breach.
• A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web address, or postal address.
  

..

HHS expects the notification to the media to be in form of a press release.

..

It should be noted that you can avoid media notification and notification to individuals by encrypting protected health information (PHI) .