45 CFR 164.404 Explained: HIPAA Breach Notification to Individuals—Requirements, Timelines, and Exceptions
HIPAA Breach Notification to Individuals
Under 45 CFR 164.404, covered entities must notify affected individuals when a breach of unsecured protected health information (PHI) occurs. “Unsecured” (defined at 45 CFR 164.402) means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons through an encryption or destruction method specified in HHS guidance. Encryption that does not meet that guidance, or whose keys were exposed along with the data, does not make the PHI “secured.”
Before deciding whether notification is required, you must complete a risk assessment. HIPAA presumes that an impermissible use or disclosure of PHI is a breach unless your documented assessment shows a low probability that the PHI was compromised. Your breach investigation should start immediately to contain the incident and determine its scope; the notification clock runs from discovery, not from the end of the investigation.
What your breach investigation should establish
- Nature and extent of PHI involved (data elements, sensitivity, likelihood of re-identification).
- Who used or received the PHI and their obligations to protect it.
- Whether the PHI was actually acquired or viewed.
- Mitigation measures taken (e.g., retrieval, deletion, confidentiality assurances).
If the incident is a breach of unsecured protected health information, you must notify each affected individual in plain language and keep thorough documentation of your findings and actions.
Notification Timelines
You must provide notice without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is “discovered” on the first day it is known, or would have been known with reasonable diligence, to any workforce member or agent of the covered entity other than the person who committed the breach. The 60 days are an outer limit, not a target: an unjustified delay within the 60-day window can still be a violation.
- Business associates must notify the covered entity without unreasonable delay and no later than 60 days from their own discovery (45 CFR 164.410). If the business associate is acting as the covered entity’s agent, its discovery is imputed to the covered entity and the covered entity’s 60-day clock starts on that date, so your business associate agreements should require much faster reporting than the regulatory maximum.
- Law enforcement may request a delay (45 CFR 164.412). A written statement from the law enforcement official that notification would impede an investigation or damage national security lets you delay for the period the statement specifies; an oral request must be documented, including the official’s identity, and supports a delay of no more than 30 days unless a written statement follows.
- Act well before day 60. Build your internal notification timeline with milestones for investigation, drafting, review, and mailing.
Method of Notification
Provide written notice by first-class mail to the individual’s last known address. You may use email if the individual has agreed to electronic notice. If the individual is deceased and you know the address, send the notice to the next of kin or personal representative.
Substitute notice when contact information is insufficient
- Fewer than 10 individuals: Use an alternative method such as telephone, email, or other means.
- 10 or more individuals: Provide a conspicuous posting on your website home page for at least 90 days or a notice in major print or broadcast media in the affected area, and include a toll‑free number active for at least 90 days.
If there is possible imminent misuse of unsecured PHI, you may contact individuals by telephone or other immediate means in addition to, not instead of, the written notice.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exceptions to Notification
You do not need to notify individuals if one of the following applies:
- Secure PHI safe harbor: The PHI was secured (e.g., properly encrypted or destroyed) consistent with HHS guidance.
- Three narrow exceptions in the definition of “breach” (45 CFR 164.402): (1) Unintentional acquisition, access, or use by a workforce member or person acting under the authority of the covered entity or business associate, in good faith and within the scope of that authority, provided the PHI is not further used or disclosed impermissibly; (2) Inadvertent disclosure by a person authorized to access PHI at the covered entity or business associate to another person authorized to access PHI at the same entity (or the same organized health care arrangement), provided the PHI is not further used or disclosed impermissibly; (3) A good‑faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
- Documented low probability of compromise based on your risk assessment.
- Law enforcement delay: Notification is deferred—not eliminated—during an authorized delay period.
Content Requirements of Notification
Each notice must be clear, concise, and written in plain language. Include the following elements so individuals can protect themselves and understand your response:
- A brief description of what happened, including the date of the breach and the date of discovery (if known).
- The types of information involved (e.g., names, addresses, dates of birth, medical record numbers, diagnoses, treatment details, Social Security numbers).
- Steps individuals should take to protect themselves (credit monitoring, password resets, fraud alerts, monitoring EOBs).
- What you are doing: your breach investigation actions, mitigation measures to reduce harm, and safeguards implemented to prevent a recurrence.
- How to get help: contact procedures, including a toll‑free number, email address, website, or postal address.
Reporting to Authorities
In addition to notifying individuals, report to the Secretary of Health and Human Services through the HHS Office for Civil Rights. For breaches involving 500 or more individuals, report without unreasonable delay and no later than 60 calendar days from discovery. For fewer than 500 individuals, log the incident and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
If a breach affects more than 500 residents of a state or jurisdiction, also provide notice to prominent media outlets serving that area (45 CFR 164.406). The covered entity bears the burden of proof that all required notifications were made or that the incident was not a breach (45 CFR 164.414), so maintain documentation of your risk assessment, mitigation, notices, and reports for at least six years.
Conclusion
45 CFR 164.404 requires timely, transparent notification to individuals when unsecured protected health information is breached. Anchor your response in a documented risk assessment, follow the notification timeline, deliver notices using the approved methods, include all required content, and complete required reporting to authorities.
FAQs
What information must be included in a HIPAA breach notification?
Your notice must explain what happened (with breach and discovery dates), list the types of PHI involved, outline steps individuals should take, describe your breach investigation and mitigation measures, and provide clear contact information for questions or assistance.
When must covered entities notify individuals after a breach?
You must notify without unreasonable delay and no later than 60 calendar days after discovery. Discovery occurs when the breach is known—or should have been known with reasonable diligence—by the covered entity. Business associates must promptly inform the covered entity so this deadline can be met, and any authorized law enforcement delay must be honored.
What exceptions exist for breach notification under 45 CFR 164.404?
No notification is required if the PHI was secured via HHS-approved encryption or destruction, if one of the three narrow exceptions in the definition of “breach” at 45 CFR 164.402 applies, or if your documented risk assessment shows a low probability that the PHI was compromised. Notification may also be delayed, but not eliminated, when requested by law enforcement.
How must notifications be delivered to affected individuals?
Send written notice by first‑class mail to the last known address or by email if the individual agreed to electronic notice. If 10 or more individuals have insufficient or out‑of‑date contact information, provide substitute notice via a 90‑day website posting or major media plus a toll‑free number. For fewer than 10, use an alternative method such as telephone. Provide urgent telephone notice if there is an imminent risk of misuse.