Suggested content for web page with instructions on posting website notices:
HIPAA Requirements for Posting Website Notice
The HIPAA Privacy Rule requires what is called “substitute notice” if 10 or more letters to your patients are returned as undeliverable. To provide this substitute notice, a HIPAA covered entity is required to post a notice of the data security incident on the home page of its website.
In an effort to reduce the number of undelivered patient letters, Imperium performed a search of all patient addresses in the United States Postal Service National Change of Address Database (NCOA). However, we cannot guarantee all letters will be delivered, so we want to offer help to make this as easy as possible for you.
We recommend that you post the following notice on your home page with a link to the full notice on Imperium’s website:
Notice to Patients. Imperium Health Management, LLC, a company that helps manage the care of Medicare patients, was the target of an email phishing incident that may have exposed some of our patients’ information. Imperium is sending notices to all affected patients. For more information about the Imperium incident, please go to the Imperium website at: www.imperiumhealth.com/incidentnotice.
An alternative shorter notice would be the following content, where “Learn more” would itself be a clickable link to the full notice on Imperium’s website:
Notice of Vendor Data Security Incident. Learn more.
This notice should be posted on your home page by August 17th (which is the date by which we will notify your patients). The notice should remain on your website for 90 days.
For any questions, please contact email@example.com.