This document provides guidelines for notifying individuals of a data breach under HIPAA and HITECH regulations. It outlines three steps: 1) determine the level of harm caused by assessing what data was exposed, 2) document the data exposure and harm level, and 3) notify affected individuals and regulatory agencies as required, consulting legal counsel. Notification requirements depend on the type of data lost and level of harm, such as reputational, financial, or other harm.