Breach Notification Rule Requirements Explained: Timelines, Notices, and Risk Assessment
Breach Notification Obligations
The Breach Notification Rule requires you to notify specific parties when unsecured protected health information is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule. By default, an impermissible disclosure is presumed to be a breach unless you demonstrate a low probability of compromise through a documented assessment.
Compliance for covered entities begins with determining whether the PHI involved was unsecured. If it was not rendered unusable, unreadable, or indecipherable, you must treat the event as a potential breach and immediately initiate your response plan, including containment, investigation, and risk evaluation.
Scope of responsibility
Covered entities must investigate incidents, perform the risk assessment, make the breach determination, and issue required notices. Business associates have parallel duties and must alert the covered entity promptly so you can meet breach notification timelines.
Limited exceptions
Three narrow exceptions may mean an impermissible disclosure is not a breach: unintentional access by an authorized workforce member acting in good faith, inadvertent disclosure between authorized persons within the same entity, and disclosures where you reasonably conclude the recipient could not retain the information. You must still document your analysis.
Documentation requirements
Maintain written policies, risk assessments, breach determinations, copies of notices, law enforcement delay statements, mitigation actions, training records, and your breach log for at least six years. Good documentation proves diligence and supports defensibility.
Enforcement and penalties
Failure to comply can lead to corrective action plans and civil monetary penalties. OCR evaluates the nature and extent of the violation, harm, and your compliance posture, including whether you had effective policies, encryption, and timely reporting.
Risk Assessment Procedures
Use the required 4-factor risk assessment to decide whether an incident likely compromised PHI. Your analysis should be objective, evidence-based, and sufficiently detailed to support your notification decision.
The four factors
- Nature and extent of PHI involved, including identifiers and likelihood of re-identification.
- Unauthorized person who used the PHI or to whom the disclosure was made, and their obligations to protect it.
- Whether the PHI was actually acquired or viewed (for example, based on access logs or forensic findings).
- The extent to which risks have been mitigated (such as obtaining satisfactory assurances of destruction or return).
If, after weighing these factors, you cannot show a low probability of compromise, you must provide breach notifications. Keep contemporaneous notes, evidence, and decision memos as part of your documentation requirements.
Unsecured protected health information
PHI is “unsecured” if it has not been encrypted or destroyed consistent with recognized guidance. If data were properly encrypted and the key was not compromised, the incident generally is not a breach and notification is not required.
Notification Deadlines
Clock start: the timeline runs from the date of discovery—the first day the breach is known or would have been known by exercising reasonable diligence. Treat knowledge by your workforce or agents (other than the person who committed the breach) as organizational knowledge.
Individuals
Notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Do not wait for full forensics to finish if that would push you past the deadline; you can supplement with additional information later.
Secretary of Health and Human Services
- 500 or more affected individuals: notify the Secretary without unreasonable delay and no later than 60 days from discovery.
- Fewer than 500 affected individuals: log the breach and submit to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.
Media
If a breach affects 500 or more residents of a single state or jurisdiction, provide notice to prominent media outlets serving that area without unreasonable delay and within 60 days of discovery.
Notification Recipients
Individuals and methods
Send a written notice to each affected individual at the last known address by first-class mail, or by email if the individual has agreed to electronic notice. For deceased individuals, notify the next of kin or personal representative when appropriate.
Substitute notice
- Fewer than 10 individuals with insufficient contact information: use an alternative method such as telephone or email where possible.
- 10 or more individuals with insufficient contact information: post a conspicuous website notice or use major print/broadcast media for at least 90 days and provide a toll-free number active for the same period.
Content of the notice
Include a brief description of what happened (including dates), the types of information involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and how to contact you for more information.
Encryption and Safe Harbor Provisions
Encryption and destruction offer safe harbor when properly implemented. If PHI is encrypted consistent with strong, industry-recognized standards and the key remains secure, the information is not considered unsecured protected health information.
At rest and in transit
Apply tested encryption for data at rest (for example, full-disk or database encryption) and in transit (for example, TLS). Password protection alone is not equivalent to encryption. Store encryption keys securely and separately from the data they protect; a compromised key defeats the safe harbor.
Destruction
For paper records, use shredding, burning, or pulverizing so PHI cannot be read or reconstructed. For media, use clearing, purging, or physical destruction consistent with current guidance.
Law Enforcement Delay Conditions
You may delay notifications if a law enforcement official states that notice would impede a criminal investigation or threaten national security. This is a narrow exception, and every such delay must be documented in detail.
Form and duration of the delay
- Written request: delay for the time specified by the official.
- Oral request: you may temporarily delay for up to 30 days, unless a written request specifying a longer period is provided within that window.
Record the official’s name, agency, contact information, date and time of the request, and the requested delay period. Resume notifications immediately once the delay expires.
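The deadline and recipient rules above (individual, Secretary, and media timelines, the substitute-notice thresholds, and the law enforcement delay) can be encoded as a single decision function so an incident-response team applies them consistently. The following is an added example written for this page, not code from the original or from any vendor; it assumes the law enforcement delay tolls the 60-day window by the requested period, and all incident data in it is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Incident:
    discovered: date            # first day the breach was known or knowable with reasonable diligence
    affected_by_state: dict     # constructed example input, e.g. {"CA": 600, "NV": 20}
    missing_contact: int = 0    # affected individuals with insufficient contact information
    le_written_days: int = 0    # delay period stated in a written law-enforcement request
    le_oral: bool = False       # oral law-enforcement request with no written statement yet

def law_enforcement_delay_days(inc: Incident) -> int:
    """A written request controls its stated period; an oral request allows at most 30 days."""
    if inc.le_written_days > 0:
        return inc.le_written_days
    return 30 if inc.le_oral else 0

def notification_plan(inc: Incident) -> dict:
    """Return recipient -> deadline (ISO date) plus substitute-notice and media details."""
    total = sum(inc.affected_by_state.values())
    # Assumption: a law-enforcement delay tolls the 60-day window by the delay period.
    outer = inc.discovered + timedelta(days=60 + law_enforcement_delay_days(inc))
    plan = {"individuals": outer.isoformat()}
    if total >= 500:
        plan["secretary"] = outer.isoformat()
    else:
        # Fewer than 500: log it and report within 60 days after the end of the calendar year of discovery.
        year_end = date(inc.discovered.year, 12, 31)
        plan["secretary"] = (year_end + timedelta(days=60)).isoformat()
    media = sorted(s for s, n in inc.affected_by_state.items() if n >= 500)
    if media:
        plan["media"] = {"deadline": outer.isoformat(), "jurisdictions": media}
    if inc.missing_contact >= 10:
        plan["substitute_notice"] = "website or major media posting for 90 days plus toll-free number"
    elif inc.missing_contact > 0:
        plan["substitute_notice"] = "alternative method such as telephone or email"
    return plan

def plan_from_iso(discovered: str, affected_by_state: dict, missing_contact=0,
                  le_written_days=0, le_oral=False) -> dict:
    """Convenience wrapper taking an ISO date string, used for the sample incidents below."""
    inc = Incident(date.fromisoformat(discovered), affected_by_state, missing_contact,
                   le_written_days, le_oral)
    return notification_plan(inc)

if __name__ == "__main__":
    # Constructed sample incidents, not real breach data.
    print(plan_from_iso("2024-03-10", {"CA": 600, "NV": 20}, missing_contact=12))
    print(plan_from_iso("2024-03-10", {"NV": 20}, le_oral=True))
```

The computed dates are outer limits only; the rule still requires notice without unreasonable delay, so the plan should drive escalation, not be read as the target date.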
Business Associate Responsibilities
Business associates must identify, investigate, and mitigate incidents involving PHI and notify the covered entity without unreasonable delay and no later than 60 days after discovery. Your business associate agreement should specify reporting channels and required details.
What to include in a BA report
- Identification of each affected individual and, if known, the scope of PHI involved.
- What happened, including dates of occurrence and discovery.
- Whether the PHI was actually acquired or viewed, and mitigation steps taken.
- Any additional information the covered entity needs to complete individual and agency notices.
Subcontractors and flow-down
Business associates must ensure subcontractors that create, receive, maintain, or transmit PHI agree to the same protections and breach obligations, including prompt reporting back up the chain.
Liability and penalties
Business associates are directly liable for breaches and other violations and may face civil monetary penalties. Early engagement with the covered entity and thorough documentation demonstrate diligence and reduce enforcement risk.
Conclusion
Build a response program that prevents incidents through encryption, detects issues quickly, applies the 4-factor risk assessment, and meets breach notification timelines with precise, well-documented notices. Strong governance, tested procedures, and coordinated work with business associates are the pillars of reliable compliance.
FAQs
What is the timeline for breach notification?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting 500 or more individuals, you must also notify the Secretary and, when concentrated in one jurisdiction, the media within the same 60-day window. Smaller breaches must be logged and reported to the Secretary no later than 60 days after the end of the calendar year.
Who must be notified in a breach?
Notify each affected individual, the Secretary of Health and Human Services (within the 60-day window for breaches of 500 or more, or in the annual submission for smaller ones), and the media when 500 or more residents of a state or jurisdiction are affected. Use substitute notice if contact information is insufficient.
What factors are considered in the risk assessment?
Evaluate the nature and extent of PHI involved, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent of mitigation. If you cannot show a low probability of compromise based on these four factors, notifications are required.
Can notification be delayed for law enforcement reasons?
Yes. You may delay notice if a law enforcement official states that notice would impede an investigation or threaten national security. A written request controls the duration; an oral request permits a temporary delay of up to 30 days unless replaced by a written request specifying a longer period.