Breach Notification Rule Explained: HITECH and HIPAA Obligations for Organizations


Kevin Henry

Data Breaches

July 24, 2024


Breach Definition and Exceptions

What counts as a breach

A breach is the acquisition, access, use, or disclosure of unsecured Protected Health Information (PHI) in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. Under the HITECH Act, a breach is presumed unless you demonstrate a low probability that PHI has been compromised.

When it is not a breach (exceptions)

  • Unintentional access or use by a workforce member acting in good faith and within the scope of authority, where no further impermissible use or disclosure occurs.
  • Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same Covered Entity or Business Associate, with no further impermissible use.
  • A good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, sealed mail returned unopened or unreadable files).

Secured vs. Unsecured PHI

The Breach Notification Rule applies only to Unsecured PHI. PHI rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, through strong encryption or proper destruction) is considered secured and does not trigger notification.

Risk Assessment Procedures

The four-factor analysis

To rebut the presumption of breach, you must document a risk assessment showing a low probability of compromise by considering:

  • The nature and extent of PHI involved, including sensitivity (diagnoses, SSNs, financial data) and likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made, and their ability to re-identify or misuse it.
  • Whether the PHI was actually acquired or viewed, or merely exposed.
  • The extent to which the risk has been mitigated (for example, prompt retrieval, satisfactory assurances of destruction, or reset credentials).

Practical steps and documentation

  • Immediately contain the incident, secure systems, and preserve logs and evidence.
  • Identify what Unsecured PHI was involved, how many individuals were affected, and the time window of exposure.
  • Interview involved personnel and vendors to determine root cause and scope.
  • Document your analysis, decisions, and corrective actions; retain records for at least six years.
  • Use the assessment to drive remediation and to set accurate notification timelines where required.

Individual Notice Requirements

Timing and methods

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Send written notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice. For deceased individuals, notify the next of kin or personal representative when contact information is available.

Content of the notice

  • A brief description of what happened, including the breach date and discovery date.
  • The types of PHI involved (for example, name, date of birth, clinical details, account numbers).
  • Steps individuals should take to protect themselves (such as monitoring accounts or placing fraud alerts).
  • What your organization is doing to investigate, mitigate harm, and prevent recurrence.
  • How to reach you, including a toll-free number, email, or postal address.

Substitute and urgent notice

  • If you lack contact information for fewer than 10 individuals, use alternative means such as telephone or other written notice.
  • If you lack contact information for 10 or more individuals, provide substitute notice via a prominent web posting or major print/broadcast media in the affected area for at least 90 days and include a toll-free number active for the same period.
  • For urgent situations requiring immediate action, you may also use telephone or other rapid methods in addition to written notice.

Law enforcement delay and notification timelines

If a law enforcement official states that notice would impede an investigation or cause damage to national security, you must delay notification for the time specified (or for a limited period if the request is not in writing). The 60-day outer limit still governs once the delay ends, so plan your Notification Timelines accordingly.

Media Notice Obligations

If a breach involves more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days from discovery. Media notice supplements, but does not replace, individual notices and should include the same core content.

Notice to the Secretary of Health and Human Services

For breaches affecting 500 or more individuals, notify the Secretary of Health and Human Services through the Office for Civil Rights (OCR) without unreasonable delay and within 60 calendar days of discovery. For breaches affecting fewer than 500 individuals, maintain a breach log and submit it to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.

Method and recordkeeping

Submit breach details using the designated reporting process and keep supporting documentation (risk assessments, notices, and mitigation records) for at least six years. Accurate counts, dates, and narrative summaries help OCR evaluate your HITECH Act Implementation and compliance posture.

Business Associate Notification Duties

Business Associates must notify the Covered Entity of a breach without unreasonable delay and no later than 60 calendar days after discovery. Contracts may require shorter Notification Timelines. The notice should identify each affected individual and include information the Covered Entity needs to provide compliant notices.

Content of a Business Associate notice

  • Known facts about the incident, including dates and how it was discovered.
  • Categories and sensitivity of Unsecured PHI involved.
  • The number of individuals affected and jurisdictions of residence.
  • Mitigation steps taken, systems secured, and confirmation of containment.
  • Information about any subcontractor Business Associates involved.

Administrative and Training Requirements

Policies, safeguards, and workforce readiness

Implement and routinely update policies, procedures, and training that operationalize the Breach Notification Rule. Establish an incident response plan, document sanctions for noncompliance, and manage Business Associate Agreements. Align technical safeguards—encryption, access controls, monitoring, and rapid revocation of credentials—to reduce the likelihood that PHI remains Unsecured.

Practical compliance checklist

  • Encrypt PHI in transit and at rest; securely dispose of media to avoid Unsecured PHI.
  • Maintain a breach response playbook, notice templates, and media statements ready for use.
  • Track Notification Timelines from the date of discovery; calendar key deadlines.
  • Conduct periodic risk analyses, tabletop exercises, and post-incident reviews.
  • Perform vendor due diligence and monitor subcontractor Business Associates.
  • Retain breach-related documentation and training records for at least six years.

Conclusion

Define what constitutes a breach, execute a thorough risk assessment, and meet all notification obligations to individuals, the media, and HHS on time. Ensure Business Associate coordination, strengthen safeguards, and train your workforce. Doing so fulfills HIPAA and HITECH expectations and demonstrates responsible stewardship of PHI.

FAQs

What constitutes a breach under the HITECH Act?

A breach is an impermissible acquisition, access, use, or disclosure of Unsecured PHI that compromises its security or privacy. The rule presumes a breach unless your documented risk assessment shows a low probability of compromise. Certain good-faith, inadvertent, and non-retained disclosures are excluded.

How soon must individuals be notified after a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. The clock starts when the breach is discovered (or should reasonably have been discovered). A documented law enforcement delay may temporarily pause notification, but you must proceed promptly once the delay ends.

When is media notification required?

Media notice is required when a breach involves more than 500 residents of a single state or jurisdiction. It must be provided without unreasonable delay and within 60 calendar days of discovery, and it supplements individual notices.

What penalties exist for failing to comply with breach notification rules?

Noncompliance can result in civil monetary penalties imposed by the Office for Civil Rights, corrective action plans, and ongoing monitoring. Penalties vary by the level of culpability and can be significant, with additional exposure from contractual remedies, reputational harm, and potential enforcement by other authorities.
