When must the secretary of HHS be contacted along with a media outlet to provide breach notification?

The correct answer is based on the requirements set forth by the HIPAA Privacy Rule regarding breach notifications. Specifically, when a breach of unsecured protected health information (PHI) affects 500 or more individuals, the HIPAA-covered entity must notify the Secretary of Health and Human Services (HHS) in addition to notifying the affected individuals.

This requirement is part of the regulations to ensure that significant breaches, which can impact a large number of individuals and have a broader public interest or public health concern, are reported to the federal authority. The act of notifying both the secretary and a media outlet in such cases helps ensure transparency and promotes awareness, which is crucial for maintaining public trust and protecting individuals' health information.

For smaller breaches involving fewer than 500 individuals, while the affected individuals must still be notified, there is no requirement to contact the Secretary of HHS until they aggregate those breaches, but this threshold does not apply to instances where 500 or more individuals are involved.