Breach Notification Rule Requirements and Enforcement: What HHS OCR Expects


Kevin Henry

Data Breaches

April 29, 2024

Breach Notification Rule Applicability

The Breach Notification Rule applies to Covered Entities (health plans, health care providers, and health care clearinghouses) and their Business Associates that create, receive, maintain, or transmit Protected Health Information (PHI). It governs what happens when unsecured PHI is compromised, regardless of whether the PHI is electronic or on paper.

The Rule is triggered by the discovery of a potential breach. “Discovery” occurs on the first day the incident is known—or reasonably should have been known through reasonable diligence—by the organization or any of its agents. The obligation to notify hinges on whether the PHI was “unsecured,” meaning it was not rendered unusable, unreadable, or indecipherable to unauthorized individuals.

Entities are expected to maintain policies, workforce training, and an incident response plan that supports prompt investigation, documentation, and notification consistent with the Breach Notification Rule.

Definition of Breach

A breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. There is a presumption of breach unless you demonstrate a low probability that the PHI has been compromised based on a documented risk assessment.

The required risk assessment (four factors)

  • Nature and extent of PHI involved (including types of identifiers and likelihood of re-identification).
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, assurances of destruction or retrieval).

Narrow exceptions

  • Unintentional, good-faith access or use by a workforce member within scope of authority.
  • Inadvertent disclosure between authorized persons within the same organization (or organized health care arrangement).
  • Situations where the recipient could not reasonably have retained the information.

If none of the exceptions apply and the risk assessment does not demonstrate a low probability of compromise, you must provide breach notifications.

Notification Requirements

Notifying affected individuals

Provide written notice to each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery. Use first-class mail or email if the individual has agreed to electronic notice. For urgent situations involving possible imminent misuse, telephone or other immediate methods may supplement the written notice.

Content of the individual notice

  • A brief description of what happened, including the breach and discovery dates (if known).
  • The types of PHI involved (for example, names, dates of birth, diagnoses, claim information).
  • Steps individuals should take to protect themselves.
  • What your organization is doing to investigate, mitigate harm, and prevent recurrence.
  • Contact information (toll-free number, email, or postal address) for questions.

Substitute and media notice

If contact information for fewer than 10 individuals is insufficient or out of date, you may use alternative notice such as phone, email, or other means. If contact information for 10 or more individuals is insufficient or out of date, post a conspicuous notice on your website home page or provide notice in major print or broadcast media, and maintain a toll-free number for at least 90 days. If a breach involves more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery.

Reporting to HHS

Breaches affecting 500 or more individuals

Notify the Secretary of Health and Human Services without unreasonable delay and in no case later than 60 calendar days from discovery. You must submit details through the HHS breach reporting portal and be prepared to provide updates if new information emerges.

Breaches affecting fewer than 500 individuals

Maintain a log of such breaches and report them to HHS no later than 60 days after the end of the calendar year in which they were discovered. Retain documentation—including your risk assessment and notifications—for at least six years, consistent with HIPAA’s record-retention requirements.

Accuracy and completeness

Reports should include the number of individuals affected, a description of the incident, the location of the PHI, the types of information involved, mitigation steps, and plans to prevent future occurrences. Ensure the information is accurate and consistent with notices sent to individuals and, where applicable, the media.

Business Associate Responsibilities

Business Associates must notify the Covered Entity of a breach without unreasonable delay and no later than 60 calendar days after discovery. The notice should identify each affected individual (to the extent possible) and include information the Covered Entity needs to fulfill its notice obligations.

Business Associates must also evaluate and document incidents, conduct the four-factor risk assessment, mitigate harm, and ensure subcontractors that handle PHI agree to the same breach reporting duties. Contracts (Business Associate Agreements) should define reporting timelines, required content, and coordination for investigation and remediation.
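The timelines and thresholds spread across the Notification Requirements, Reporting to HHS, and Business Associate sections above form a small decision procedure. The following is an added example, not code from the original article or from HHS: a deadline planner that takes the facts of an incident and returns who must be notified and the latest permissible date for each notice. It assumes the exceptions have already been checked and that the four-factor risk assessment did not show a low probability of compromise; that judgement stays with the privacy officer. The `BreachFacts` and `Action` names and the sample incident values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not the article's or HHS's code. It encodes the page's stated
# timelines: 60 calendar days after discovery for individuals, media and large
# HHS reports; 60 days after the calendar year ends for small breaches.
NOTICE_WINDOW = timedelta(days=60)     # "no later than 60 calendar days after discovery"
YEAR_END_WINDOW = timedelta(days=60)   # small breaches: 60 days after the calendar year ends
HHS_IMMEDIATE_THRESHOLD = 500          # 500 or more individuals -> HHS within the 60-day window
MEDIA_THRESHOLD = 500                  # more than 500 residents of one state -> media notice
SUBSTITUTE_WEB_THRESHOLD = 10          # 10 or more bad addresses -> web/media substitute notice
TOLL_FREE_MIN_DAYS = 90                # toll-free number kept open at least 90 days


@dataclass
class BreachFacts:
    discovered: date                 # ISO string accepted and converted in __post_init__
    affected: int                    # total individuals whose PHI was involved
    residents_by_state: dict         # state -> affected residents (constructed sample values)
    unreachable: int                 # individuals with insufficient/out-of-date contact info
    phi_secured: bool                # encrypted/destroyed per HHS guidance AND keys intact
    is_business_associate: bool = False

    def __post_init__(self):
        if isinstance(self.discovered, str):
            self.discovered = date.fromisoformat(self.discovered)


@dataclass
class Action:
    recipient: str
    deadline: date
    detail: str = ""


def plan_notifications(f: BreachFacts) -> list:
    """Return the notices owed for this incident, each with its latest permissible date.
    Assumes no exception applies and the risk assessment did not show low probability."""
    if f.phi_secured:
        return []  # encryption safe harbor: no breach of *unsecured* PHI occurred
    acts = []
    by = f.discovered + NOTICE_WINDOW
    if f.is_business_associate:
        # A BA notifies the Covered Entity; the CE then carries out the notices below.
        acts.append(Action("covered entity", by,
                           "identify each affected individual where possible"))
        return acts
    acts.append(Action("individuals", by, "written notice by first-class mail or agreed email"))
    if f.unreachable >= SUBSTITUTE_WEB_THRESHOLD:
        acts.append(Action("substitute notice", by,
                           f"website home page or major media; toll-free number for >= {TOLL_FREE_MIN_DAYS} days"))
    elif f.unreachable > 0:
        acts.append(Action("substitute notice", by,
                           "phone, email or other means for the unreachable individuals"))
    for state, n in f.residents_by_state.items():
        if n > MEDIA_THRESHOLD:
            acts.append(Action(f"media ({state})", by, "prominent outlets serving the state"))
    if f.affected >= HHS_IMMEDIATE_THRESHOLD:
        acts.append(Action("HHS", by, "HHS breach portal; update if new facts emerge"))
    else:
        year_end = date(f.discovered.year, 12, 31)
        acts.append(Action("HHS", year_end + YEAR_END_WINDOW,
                           "log now; annual report of breaches under 500"))
    return acts


def deadlines(f: BreachFacts) -> dict:
    """Recipient -> deadline, convenient for calendaring or assertions."""
    return {a.recipient: a.deadline for a in plan_notifications(f)}


if __name__ == "__main__":
    # Constructed sample incident: 1,200 individuals, 700 Texas residents, 12 bad addresses.
    sample = BreachFacts("2024-04-29", 1200, {"TX": 700, "OK": 500}, 12, False)
    for a in plan_notifications(sample):
        print(f"{a.deadline}  {a.recipient:<18} {a.detail}")
```

Note the boundaries the page draws: HHS reporting within the 60-day window starts at 500 individuals, while the media notice requires more than 500 residents of a single state, so the constructed Oklahoma count of exactly 500 triggers no media notice. The planner records deadlines only; the evidence that supports each decision (the documented risk assessment and copies of the notices) still has to be retained for the six-year period the page describes.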

Encryption Safe Harbor

PHI is not considered “unsecured” if it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through methods recognized by HHS—most commonly, strong encryption for electronic PHI and proper destruction for paper or media. When PHI meets these standards, notification is not required because no breach of unsecured PHI has occurred.

What qualifies and when it does not

  • Encryption must align with industry-recognized standards and be properly implemented with effective key management. Data at rest and in transit should be encrypted.
  • Destruction must render PHI incapable of being reconstructed (for example, shredding paper or sanitizing media per recognized guidance).
  • Safe harbor does not apply if encryption keys are compromised, encryption is misconfigured, or only some data elements are protected, leaving PHI exposed.

Enforcement Actions

The HHS Office for Civil Rights enforces the Breach Notification Rule. OCR investigates reported breaches and complaints, reviews risk assessments and policies, and evaluates whether notifications were timely, complete, and well-documented.

Common outcomes include resolution agreements featuring Corrective Action Plans and, in some cases, Monetary Settlements. OCR may also impose civil money penalties when appropriate, considering factors such as the number of individuals affected, the sensitivity of the PHI, the duration of noncompliance, and the organization’s history of compliance.

To meet OCR expectations, conduct an enterprise-wide risk analysis, implement encryption, train your workforce, test incident response procedures, document every step of your breach assessment, and notify on time with complete, consistent information. Doing so reduces harm to individuals and significantly mitigates regulatory exposure.

FAQs

Which federal entity enforces the Breach Notification Rule?

The HHS Office for Civil Rights enforces the Breach Notification Rule, investigating incidents, requiring Corrective Action Plans where needed, and pursuing Monetary Settlements or civil money penalties when violations are found.

What are the notification timelines for breaches?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, report to HHS within the same 60-day window; for fewer than 500, log them and report to HHS no later than 60 days after the end of the calendar year. Business Associates must notify the Covered Entity within 60 calendar days of discovering a breach.

How does the Encryption Safe Harbor affect breach reporting?

If PHI is properly encrypted (or destroyed) in line with recognized methods and the encryption keys are not compromised, the incident does not involve unsecured PHI, and Breach Notification Rule reporting is not required. If encryption is absent, misconfigured, or the keys are exposed, safe harbor does not apply and notification obligations may attach.
