The new HHS Rule implements the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which was included as part of the Recovery Act. HITECH mandates that Covered Entities and their business associates provide notification to affected patients when there is a “breach” of “unsecured” protected health information.[1] While there are nuances and exceptions that may apply, a “breach” generally occurs any time there is an “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.”[2] What constitutes “unsecured” protected health information is a more technical question. Essentially, it means “protected health information that is not secured through the use of a technology or methodology” that renders protected health information “unusable, unreadable, or indecipherable to unauthorized individuals.”[3] Depending on the nature of the breach, the HHS Rule may require notice to affected patients, the Secretary of HHS, and the media.[4] The HHS Rule also outlines the specific content of notifications, such as a description of what happened, the type of information involved, steps individuals should take to protect themselves from harm, and contact information for learning more.[5]