45 CFR 164.410 Explained: HIPAA Breach Notification Requirements for Business Associates

Kevin Henry

HIPAA

March 11, 2026

Overview of 45 CFR 164.410

45 CFR 164.410 is the HIPAA Breach Notification Rule section that requires business associates to notify covered entities when a breach of unsecured protected health information is discovered. It sits within HIPAA’s Subpart D, which prescribes what happens after an impermissible disclosure or other incident compromises privacy.

Scope and purpose

The rule activates when you discover, or by exercising reasonable diligence should have discovered, a breach of unsecured PHI. Its purpose is to ensure timely notification to the covered entity so individuals, regulators, and—if necessary—the media can be notified under related provisions, keeping your HIPAA compliance program responsive and accountable.

Key terms

  • Protected health information (PHI): Individually identifiable health data maintained or transmitted by a HIPAA-regulated entity.
  • Unsecured PHI: PHI not rendered unusable, unreadable, or indecipherable through accepted methods (for example, strong encryption). Breach duties focus on unsecured PHI.
  • Business associate (BA): A person or organization performing services for a covered entity that involve PHI.
  • Covered entity (CE): A health plan, health care clearinghouse, or health care provider that transmits health information in electronic form.

Business Associates' Breach Notification Duties

Immediate actions upon discovery

  • Contain the incident quickly: isolate systems, revoke access, and begin mitigation steps (such as password resets, remote wipe, and key rotation).
  • Launch and document a breach risk assessment to determine whether there is a low probability that the PHI was compromised.
  • Preserve evidence: retain logs, emails, tickets, and timelines to support the investigation and future reporting.

Notification to covered entity

You must provide notification to the covered entity without unreasonable delay and include all information the CE needs for downstream notices. If some details are pending, send an initial alert promptly and follow with supplemental updates as they become available.

Subcontractors and agents

Ensure subcontractors that handle PHI are bound by written agreements mirroring HIPAA duties and require them to notify you of any incident. Your duty to notify the CE includes incidents originating with those subcontractors.

Definition of Breach Under 45 CFR 164.410

Presumption and exceptions

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA (an impermissible disclosure) that compromises its privacy or security. An impermissible disclosure is presumed a breach unless you show, through a documented assessment, a low probability that the PHI was compromised. Exceptions include good-faith, unintentional access within scope by authorized workforce, inadvertent disclosure between authorized persons, and incidents where the unauthorized recipient could not reasonably retain the information.

Breach risk assessment factors

  • Nature and extent of PHI involved (identifiers, sensitivity, and volume).
  • Identity of the unauthorized person who used the PHI or to whom disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which risk has been mitigated (e.g., confirmed deletion, encryption, or retrieval).

Unsecured vs. secured PHI

If PHI was properly encrypted or otherwise secured, the incident may fall outside breach notification obligations. When data is unsecured, apply the assessment above to decide whether notification is required.

Required Notification Content

Core elements to include

  • A concise description of what happened, including the breach date and the date of discovery, if known.
  • The types of PHI involved (for example, names, addresses, dates of birth, medical record numbers, diagnoses, or financial data).
  • Identification of affected individuals to the extent possible, enabling the CE to notify them.
  • Steps individuals should take to protect themselves, as applicable (credit monitoring, password changes, fraud alerts).
  • What you are doing to investigate, mitigation steps taken, and measures to prevent future occurrences.
  • Contact information for follow-up questions (a toll-free number, email, or postal address).
  • Whether a subcontractor was involved and any relevant details needed for the CE’s notices.

Practical tips for clarity

  • Use plain language; avoid acronyms without definitions.
  • Share known facts quickly, then supplement; do not wait for a completed root-cause analysis before the initial notice.
  • Align content with your business associate agreement (BAA) and the covered entity’s notification templates.

Timeline and Deadlines for Notification

When the clock starts

The breach is “discovered” on the first day you know of it—or would have known with reasonable diligence. Knowledge by any workforce member or agent is imputed to you, so train teams to escalate immediately.

The 60-day outer limit and “without unreasonable delay”

You must notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery. Many BAAs set shorter timeframes (often 24–72 hours) for initial notice, so review your contracts. If details are incomplete, send an interim notice and update as facts develop; do not delay pending full quantification.

Breach notification timeline example

  • Day 0–1: Discover incident, contain, start breach risk assessment, preserve evidence.
  • By Day 3–5: Provide initial notification to the covered entity with known facts and planned next steps.
  • By Day 10–15: Deliver updates, preliminary individual list, and early mitigation steps.
  • No later than Day 60: Provide complete information or remaining supplements required by the CE.

Relationship Between Business Associates and Covered Entities

Business associate agreements (BAAs)

BAAs operationalize 45 CFR 164.410 by defining who does what, setting reporting channels, and often imposing faster internal deadlines. They also require safeguards, workforce training, subcontractor flow-downs, and documentation to support HIPAA compliance.

Agency and discovery

Agency status affects the covered entity’s own timelines. If you are an agent of the CE, the CE may be deemed to discover the breach when you do, making rapid escalation essential for downstream notices to individuals, regulators, and, if applicable, the media.

Coordination and documentation

Coordinate facts, affected populations, and messaging with the CE early. Maintain a case file with assessment results, mitigation steps, and communications, enabling accurate individual notification and demonstrating compliance during audits.

Conclusion

In short, 45 CFR 164.410 requires you to act fast: contain the incident, assess risk, mitigate, and deliver timely, complete notification to the covered entity. Clear procedures, trained teams, and strong BAAs keep your breach notification timeline tight and your HIPAA compliance defensible.

FAQs

What triggers a breach notification under 45 CFR 164.410?

The duty to notify is triggered when you discover, or should have discovered with reasonable diligence, a breach of unsecured PHI. An impermissible disclosure is presumed a breach unless a documented breach risk assessment shows a low probability that the PHI was compromised, or an explicit HIPAA exception applies.

How soon must a business associate notify a covered entity of a breach?

Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Many BAAs require a much faster initial alert—often within 24–72 hours—so escalate quickly and supplement your notice as additional details emerge.

What information must be included in the breach notification?

Provide a description of what happened (including breach and discovery dates), the types of PHI involved, identification of affected individuals to the extent possible, steps individuals should take, your mitigation steps and preventive measures, relevant subcontractor details, and contact information for questions.

Who is responsible for notifying affected individuals under HIPAA?

Under HIPAA, the covered entity is generally responsible for notifying affected individuals. A BAA may delegate individual notification tasks to the business associate, but the CE remains accountable for ensuring notices meet content and timing requirements.
