45 CFR 164.400 Explained: Who the HIPAA Breach Notification Rule Applies To

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

45 CFR 164.400 Explained: Who the HIPAA Breach Notification Rule Applies To

Kevin Henry

HIPAA

October 27, 2025

8 minutes read
Share this article
45 CFR 164.400 Explained: Who the HIPAA Breach Notification Rule Applies To

Overview of the HIPAA Breach Notification Rule

45 CFR 164.400–164.414 (Subpart D of the Health Insurance Portability and Accountability Act) sets nationwide standards for Breach Notification when Protected Health Information is compromised. The rule applies when there is a breach of Unsecured PHI—information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons.

At a high level, the rule applies to two groups: Covered Entities and Business Associates. If you create, receive, maintain, or transmit PHI in either role, you must assess incidents, determine if a reportable breach occurred, and provide timely notifications to affected individuals, the Secretary of Health and Human Services, and, in some cases, the media.

What the rule covers

  • Impermissible uses or disclosures of Unsecured PHI.
  • Risk assessment to determine the probability of compromise.
  • Notification content, methods, and timelines.
  • Responsibilities shared across Covered Entities and Business Associates.

Definition of Covered Entities

A Covered Entity is one of the following under HIPAA: a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically in connection with standard transactions (such as claims, eligibility inquiries, or referrals). If you are a provider using electronic billing or a plan administering benefits, you are a Covered Entity for purposes of breach notification.

Examples include hospitals, physician practices, dental offices, pharmacies, health insurers, HMOs, employer-sponsored group health plans, and third-party administrators acting as health plans. Hybrid organizations must ensure their designated health care components comply with the Breach Notification requirements.

Identification of Business Associates

A Business Associate is any person or organization, other than a workforce member, that performs services for or on behalf of a Covered Entity that involve PHI. If you handle PHI for functions like claims processing, data analysis, billing, cloud hosting, IT support, legal, or accreditation, you are likely a Business Associate.

Subcontractors that create, receive, maintain, or transmit PHI on behalf of a Business Associate are also Business Associates. They are directly liable for compliance and must have written Business Associate Agreements that set out permitted uses of PHI and breach reporting duties.

Requirements for Breach Notification

What triggers notification

A breach is an impermissible use or disclosure of Unsecured PHI that compromises its security or privacy. An incident is presumed a breach unless you demonstrate a low probability of compromise based on a documented risk assessment.

Required risk assessment

  • The nature and extent of PHI involved, including sensitivity and likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated.

You may consider other relevant factors, but your analysis must support a defensible “low probability of compromise” to avoid notification.

Key exceptions

  • Unintentional access or use by a workforce member or Business Associate in good faith and within scope, without further impermissible disclosure.
  • Inadvertent disclosure between authorized persons within the same organization (or Business Associate) without further violation.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information.

Safe harbor for secured PHI

If PHI is properly encrypted or destroyed per HHS guidance, it is not Unsecured PHI, and the Breach Notification obligations under 45 CFR 164.400 do not apply. Using strong encryption and robust disposal methods meaningfully reduces your notification risk.

Discovery and timing

A breach is “discovered” on the first day it is known to you—or should reasonably have been known—by any workforce member or agent (other than the person committing the breach). You must act without unreasonable delay and no later than 60 calendar days from discovery.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Effective Dates and Applicability

The Breach Notification Rule became effective on September 23, 2009, and was updated by the 2013 HIPAA Omnibus Final Rule, with a compliance date of September 23, 2013. The rule applies to Covered Entities and Business Associates, including subcontractors, for breaches discovered on or after these effective dates.

Your obligations apply nationwide and operate alongside other HIPAA requirements and, where applicable, state privacy or data breach laws. When both apply, you must meet the most protective standards and the shortest timeline.

Notification Procedures

Notify affected individuals

  • When: Without unreasonable delay and no later than 60 days after discovery.
  • How: First-class mail to the last known address, or email if the individual has agreed to electronic notice.
  • Urgent notice: Use telephone or other immediate means if imminent misuse is likely.
  • Substitute notice: If contact information is insufficient or out of date:
    • Fewer than 10 individuals: Use an alternative method, such as a phone call or email.
    • 10 or more individuals: Post a conspicuous website notice or provide major media notice for at least 90 days and offer a toll-free number.

Content of individual notice

  • Brief description of what happened, including dates of breach and discovery (if known).
  • Types of PHI involved (for example, names, diagnoses, Social Security numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact methods for questions (toll-free number, email, website, or postal address).

Notify the Secretary of Health and Human Services

  • 500 or more affected individuals: Notify the Secretary without unreasonable delay and no later than 60 days from discovery.
  • Fewer than 500 affected individuals: Log the breach and notify the Secretary within 60 days after the end of the calendar year in which the breach was discovered.

Notify the media (large breaches)

If a breach affects more than 500 residents of a state or jurisdiction, provide notice to prominent media outlets serving that area without unreasonable delay and no later than 60 days from discovery, in addition to individual notices.

Business Associate to Covered Entity

  • Timing: Without unreasonable delay and no later than 60 days after discovery.
  • Details: Identify each affected individual and share all available information the Covered Entity needs to complete its notices.

Law enforcement delay

You may delay notifications if a law enforcement official states that notice would impede a criminal investigation or cause damage to national security. Follow the time period specified in the written statement (or, for an oral statement, document and delay for no longer than 30 days unless a written statement is received sooner).

Role of the Secretary of Health and Human Services

The Secretary of Health and Human Services administers and enforces the Breach Notification Rule. The Secretary issues guidance on technologies and methodologies for securing PHI, receives and reviews breach reports, and maintains a public breach reporting portal for large incidents.

HHS investigates potential noncompliance, enters into resolution agreements and corrective action plans, and can impose civil monetary penalties. Guidance from the Secretary helps you interpret “Unsecured PHI,” align security controls, and standardize Breach Notification practices across Covered Entities and Business Associates.

Conclusion

45 CFR 164.400 clarifies that Breach Notification responsibilities attach to any Covered Entity or Business Associate that handles Unsecured PHI. By understanding who the rule applies to, how a breach is defined, and what, when, and to whom you must notify, you can respond quickly, reduce harm to individuals, and demonstrate compliance with HIPAA’s privacy and security framework.

FAQs

Who qualifies as a covered entity under 45 CFR 164.400?

Health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions are Covered Entities. Examples include hospitals, clinics, pharmacies, health insurers, HMOs, and employer-sponsored group health plans.

What triggers a breach notification under this rule?

An impermissible use or disclosure of Unsecured PHI that compromises its security or privacy triggers notification, unless you document a low probability of compromise after assessing the nature and extent of PHI, the unauthorized recipient, whether it was actually viewed or acquired, and the mitigation steps taken.

When must business associates notify covered entities of a breach?

Business Associates must notify the relevant Covered Entity without unreasonable delay and no later than 60 calendar days after discovering the breach, providing the identities of affected individuals and information needed for the Covered Entity’s notices.

What are the notification timelines required by this regulation?

You must notify affected individuals, the Secretary of Health and Human Services, and, for large incidents, the media without unreasonable delay and in no case later than 60 days from discovery. For breaches affecting fewer than 500 individuals, you may report to the Secretary annually within 60 days after the end of the calendar year in which the breaches were discovered.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles