Beginner’s Guide: The Basics of the HIPAA Breach Notification Rule

Kevin Henry

HIPAA

April 07, 2025

The HIPAA Breach Notification Rule sets the ground rules for how covered entities and their business associates respond when Protected Health Information (PHI) is compromised. This beginner’s guide explains what counts as a breach, who you must notify, when, and how to reduce risk and stay compliant.

Use this overview to build a practical response plan, strengthen safeguards for Unsecured PHI, and understand the consequences of failing to notify affected individuals, the media, and the Department of Health and Human Services (HHS).

Definition of a Breach

What the rule considers a breach

A breach is any acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA that compromises the security or privacy of the information. A breach is presumed unless you document, through a risk assessment, a low probability that the PHI has been compromised.

The four-factor risk assessment

  • Nature and extent of PHI involved, including identifiers and the likelihood of re-identification.
  • Who used or received the PHI (e.g., another covered entity vs. an unknown third party).
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (e.g., obtaining a satisfactory destruction or return of data).

Unsecured PHI vs. secured PHI

The rule applies to Unsecured PHI—PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, through strong encryption or proper destruction). If PHI is properly secured, the safe harbor generally means no breach notification is required.

Regulatory exceptions

  • Unintentional, good-faith access or use by a workforce member within scope of authority with no further impermissible use or disclosure.
  • Inadvertent disclosure between authorized persons within the same covered entity, business associate, or organized health care arrangement.
  • A good-faith belief that the unauthorized recipient could not reasonably have retained the information.

Notification Requirements for Covered Entities

Individual notification

Covered Entities must notify affected individuals without unreasonable delay. Notices are sent by first-class mail (or email if the individual agreed) and must be in plain language with enough detail to help people protect themselves.

Required content of the notice

  • A brief description of what happened, including the breach date and date of discovery.
  • The types of PHI involved (for example, name, date of birth, diagnosis, account number).
  • Steps individuals should take to protect themselves.
  • What the entity is doing to investigate, mitigate harm, and prevent future incidents.
  • How to contact the entity for more information (toll-free number, email, website, or postal address).

Business associate involvement

Business Associates must notify the Covered Entity of breaches of PHI they create, receive, maintain, or transmit. Their notice must identify each affected individual (to the extent possible) and provide other information the Covered Entity needs to complete its notifications.

HHS Notification overview

Covered Entities must also provide HHS Notification via the HHS breach reporting process, with timing based on the number of individuals affected. Details appear in the timing section below.

Media Notification Criteria

Media notification is required when a breach involves 500 or more residents of a single state or jurisdiction. In that case, the Covered Entity must notify prominent media outlets serving that area, typically through a press release that mirrors the individual notice content and includes clear contact information.

Media notice supplements—not replaces—individual notices. It raises public awareness so potentially affected residents who cannot be reached individually still learn of the incident.

Notification Timing and Procedures

General timing standard

All required notifications must occur without unreasonable delay and in no case later than 60 calendar days after discovery. A breach is “discovered” when it is known—or reasonably should have been known using reasonable diligence—by the Covered Entity or Business Associate.

HHS Notification timing

  • 500 or more individuals affected: notify HHS without unreasonable delay and no later than 60 calendar days after discovery.
  • Fewer than 500 individuals affected: log the breach and submit HHS Notification no later than 60 days after the end of the calendar year in which the breach was discovered.

Business Associate to Covered Entity

Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, supplying details sufficient for the Covered Entity to notify individuals, HHS, and (if applicable) the media.

Methods of individual notification

  • Primary: first-class mail or email (if the individual has agreed to electronic notice).
  • Urgent situations: telephone or other means may supplement written notice if imminent misuse is likely.
  • Substitute notice for insufficient contact information: for fewer than 10 individuals, use alternative means (e.g., phone or email). For 10 or more, post a conspicuous website notice or use major print/broadcast media in areas where affected individuals likely reside; include a toll-free number active for at least 90 days.

Law enforcement delay

If a law enforcement official determines that notice would impede a criminal investigation or cause damage to national security, the entity must delay notifications for the time specified by the official.

Security Measures to Prevent Breaches

Administrative safeguards

Technical safeguards

  • Encrypt PHI at rest and in transit; use strong key management to avoid Unsecured PHI.
  • Implement multi-factor authentication, role-based access, and timely patching.
  • Use audit logging, intrusion detection, data loss prevention, and endpoint protection.
  • Harden backups, segment networks, and verify secure disposal of media and devices.

Physical safeguards

  • Control facility access, secure workstations and portable devices, and prevent tailgating.
  • Use clean-desk policies, locked storage, and documented media handling and destruction.

Documentation and Record-Keeping Requirements

Maintain Breach Documentation that supports every decision and action taken: incident reports, forensic findings, the four-factor risk assessment, copies of individual and media notices, and proof of HHS Notification submissions or annual logs.

Retain HIPAA policies and procedures, training records, sanction logs, Business Associate Agreements, and evidence of mitigation for at least six years. Keep a breach log for incidents affecting fewer than 500 individuals to support the annual HHS submission.

Document any law enforcement delay instructions and your rationale for timelines, so you can demonstrate reasonable diligence during audits or investigations.

Penalties for Non-Compliance

HHS’s Office for Civil Rights enforces the rule through a tiered framework of Civil Monetary Penalties based on the level of culpability (from reasonable cause to willful neglect) and whether timely corrective action occurred. Resolution agreements often include multi-year corrective action plans, monitoring, and reporting obligations.

Additional consequences can include contractual liability, state attorney general actions, and reputational harm. Strong governance, timely notifications, thorough Breach Documentation, and demonstrable mitigation are your best defenses during enforcement.

Key takeaway: classify and secure PHI, prepare to assess incidents quickly, notify individuals, HHS, and the media when required, and continuously improve safeguards to prevent future breaches.

FAQs

What constitutes a breach under the HIPAA Breach Notification Rule?

A breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. It is presumed a breach unless you document a low probability of compromise using the four-factor risk assessment. Exceptions apply for certain good-faith, inadvertent, and non-retained disclosures.

How soon must affected individuals be notified of a breach?

Covered Entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Use first-class mail or agreed-upon email, supplement with urgent outreach if misuse is likely, and follow substitute notice rules if contact information is insufficient.

When is media notification required?

Media notification is required when a breach affects 500 or more residents of a single state or jurisdiction. The Covered Entity must notify prominent media outlets serving that area with a notice that mirrors the individual notice and includes clear contact information.

What are the penalties for failing to comply with the rule?

Non-compliance can lead to Civil Monetary Penalties under a tiered framework, resolution agreements with corrective action plans, and possible state enforcement. Penalties escalate with higher culpability and delayed or inadequate corrective action.
