HITECH Subtitle D, Explained: Breach Notification Without the Panic
- Michael Davis
- Aug 11
- 4 min read
Breach notifications aren’t punishment; they’re how healthcare organizations keep trust when something goes wrong. HITECH Subtitle D sets the federal ground rules for telling people what happened, what you’re doing about it, and how they can protect themselves—without grinding your clinic to a halt.
For small practices across Fort Myers, Naples, Cape Coral, and Sarasota, the difference between chaos and calm is understanding two things: what legally counts as a breach, and how the timelines actually work once you discover one.
What really counts as a “breach”

Under federal rules, a breach is an unauthorized acquisition, access, use, or disclosure of unsecured PHI. “Unsecured” usually means not properly encrypted. If data is encrypted to NIST-accepted standards, you may have “safe harbor” and no breach notification is required.
If PHI was exposed, you assess the probability that it was compromised, considering the nature of the data, who received or saw it, whether it was actually viewed, and whether the risk was mitigated. Unless that documented assessment shows a low probability of compromise, you treat the incident as a breach and move to notice.
Translation: not every incident is a breach—but when it is, the clock starts.
The clock and who it applies to
The 60-day outside limit: Covered entities must notify without unreasonable delay and no later than 60 calendar days after discovery. Don’t wait for a perfect forensics report if the clock is ticking.
Business Associates: Notify the covered entity without unreasonable delay (your contract may require faster). The covered entity handles individual notice unless your agreement says otherwise.
Law enforcement hold: You can delay notice if law enforcement provides a written statement that notice would impede an investigation.
Who must be notified (and how)
Individuals: Notify each affected person by first-class mail (or email if they’ve agreed). The notice explains what happened, what information was involved, what you’re doing, and how to get help.
HHS:
500+ individuals (in a single state/jurisdiction): Notify HHS at the same time as individuals.
Fewer than 500: Log the incident and report to HHS within 60 days after year-end.
Media: If 500+ individuals in a state/jurisdiction are affected, notify prominent media there.
Substitute notice: If you can’t reach 10+ people, post substitute notice (e.g., website notice or media).
State privacy laws can add obligations (timing, content, AG notice). Treat federal rules as your floor, not your ceiling.
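As an added illustration (not part of the original article, and not MET Florida's tooling), the following helper maps an incident onto the federal obligations laid out in the two sections above: safe harbor, the four-factor assessment outcome, the 60-day outer limit, the 500-per-jurisdiction HHS and media triggers as this article states them, the year-end log for smaller incidents, substitute notice, and a law-enforcement hold. The field names and the `Incident` record are assumptions for the example; state-law additions are out of scope.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Incident:
    discovered: str                      # ISO date the covered entity discovered the incident
    encrypted_to_nist: bool              # PHI encrypted to NIST-accepted standards (safe harbor)
    low_probability: bool                # documented four-factor assessment found low probability of compromise
    affected_by_state: dict              # constructed sample shape: {"FL": 620, "GA": 12}
    unreachable: int = 0                 # individuals with no working mailing address or agreed email
    law_enforcement_hold: bool = False   # written statement that notice would impede an investigation

def notification_plan(inc: Incident) -> dict:
    """Return the notices and deadlines the federal rules require (federal floor only)."""
    plan = {"breach": False, "notices": [], "deadlines": {}}
    # Safe harbor, or a documented low probability of compromise: no notice, but keep the assessment on file.
    if inc.encrypted_to_nist or inc.low_probability:
        plan["notices"].append("document assessment; no notice required")
        return plan
    plan["breach"] = True
    discovered = date.fromisoformat(inc.discovered)
    outer_limit = (discovered + timedelta(days=60)).isoformat()   # no later than 60 calendar days after discovery
    plan["notices"].append("individuals: first-class mail (or agreed email)")
    plan["deadlines"]["individuals"] = "deferred (law enforcement hold)" if inc.law_enforcement_hold else outer_limit
    # 500+ in a single state/jurisdiction: HHS at the same time as individuals, plus prominent media there.
    big_states = [s for s, n in inc.affected_by_state.items() if n >= 500]
    if big_states:
        plan["notices"].append("HHS: at the same time as individuals")
        plan["deadlines"]["hhs"] = plan["deadlines"]["individuals"]
        for s in big_states:
            plan["notices"].append(f"media: prominent outlets in {s}")
    else:
        # Fewer than 500: log it now, report to HHS within 60 days after the end of the calendar year.
        plan["notices"].append("HHS: log and report within 60 days after year-end")
        plan["deadlines"]["hhs"] = (date(discovered.year, 12, 31) + timedelta(days=60)).isoformat()
    if inc.unreachable >= 10:
        plan["notices"].append("substitute notice (website or media)")
    return plan
```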
What “good” looks like for small practices

Encryption and inventory: The easy wins—full-disk encryption for laptops/mobile, and a living list of systems/vendors that touch PHI.
A one-page comms plan: A ready-to-personalize template for individual notices, a plain-English explainer for staff, and media/FAQ language you can use if needed.
Roles and evidence: Know who signs off, where you’ll pull logs, and how you’ll document the timeline. Review quarterly; it takes minutes when nothing’s wrong and hours when something is.
The moment that matters
In real life, breaches often start small: a misdirected email, an impersonated “CEO” message, a lost tablet, a misconfigured share. The practices that keep trust aren’t the ones that never stumble—they’re the ones that communicate quickly, clearly, and credibly, then show what changed.
At MET Florida, our Managed HIPAA Compliance program is built around that posture: prevent what you can (encryption, identity, email authentication), prepare for what you can’t (clear roles, current contacts), and move fast when seconds suddenly matter.
FAQs
Is ransomware automatically a breach? Generally, presume a breach unless you can show a low probability of compromise after a documented assessment. Many ransomware events trigger notification but not all.
Do we have to wait for forensics to finish before notifying? No. The rule says “without unreasonable delay” and no later than 60 days. You can update details later; don’t let the perfect delay the required.
If the data was encrypted, do we still notify? Often no—proper encryption can qualify for safe harbor. Document it.
Who sends the notices—us or our IT vendor? The covered entity is responsible. Your Business Associate (MSP, EHR, billing) must inform you promptly and provide details you need.
What goes in the notice to individuals? A brief description of what happened, what was involved, what you’re doing, recommended steps they can take, and how to reach you.
Can we delay because law enforcement asked? Yes—if they provide a written statement that notice would impede an investigation. Keep it on file.
Does a misdirected fax or email always count as a breach? Not always. If you confirmed the recipient didn’t read/retain the PHI (and documented it), you may find low probability of compromise. Document the assessment either way.
Bottom line: Breach notification isn’t about blame—it’s about trust. Encrypt what you can, prepare simple comms, and move quickly. Your patients (and partners) will remember the clarity more than the incident.
This article is informational, not legal advice. For help aligning your policies and evidence with HITECH, book a 15-minute consult.
Want help getting your environment audit-ready? MET Florida can help.
For more information about our Managed IT service and other services, check out our service offerings.
Running a medical office? MET Florida specializes in medical practices just like yours; check out our Managed HIPAA compliance services.