Breach Notification Under HITECH HIPAA Omnibus Rule: OCR Guidance and Requirements
If you create, receive, maintain, or transmit protected health information, the HITECH HIPAA Omnibus Rule defines how to recognize and report a breach. This guide explains OCR expectations so you can act quickly, meet each notification timeframe, and reduce enforcement risk.
Breach Definition and Presumption
What counts as a breach
A breach is an acquisition, access, use, or impermissible disclosure of unsecured protected health information (PHI) that violates the HIPAA Privacy Rule. Under the Omnibus Rule, there is a breach notification rebuttable presumption: any impermissible disclosure is presumed a breach unless you demonstrate, through a documented risk assessment, a low probability that PHI has been compromised.
Exceptions and safe harbor
- Unintentional access or use by a workforce member acting in good faith and within scope, with no further use or disclosure.
- Inadvertent disclosure between authorized persons at the same covered entity or business associate, without further impermissible disclosure.
- Good-faith belief that the unauthorized recipient could not reasonably retain the information.
Breach notification applies only to unsecured PHI. If PHI has been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption or proper destruction in line with HHS guidance), its loss or disclosure is not a breach of unsecured PHI.
Conducting Risk Assessment
Required risk assessment factors
Your decision to notify must be based on the four risk assessment factors, evaluated and documented for each incident:
- Nature and extent of PHI involved, including identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (for example, verified destruction or return, or written assurances).
How to perform and document the analysis
Gather facts within hours, not days. Identify what data elements were involved, how they were protected, who accessed them, and how long exposure lasted. Record your rationale for each factor and preserve evidence; this documentation underpins the rebuttable presumption and supports audit readiness.
Mitigation and re-assessment
Immediately contain the incident: disable accounts, retrieve misdirected messages, and request written attestations of non-use. Reassess the factors after mitigation. If you cannot substantiate a low probability of compromise, treat the event as a reportable breach.
Notification Requirements for Covered Entities
Who must be notified
- Affected individuals or their personal representatives.
- The Secretary of HHS (OCR) via the breach reporting process.
- Prominent media outlets in the relevant state or jurisdiction if the breach affects 500 or more residents of that area.
Notification timeframe and method
Notify without unreasonable delay and in no case later than 60 calendar days after discovery. Discovery occurs on the first day the breach is known or would have been known with reasonable diligence. Use first-class mail or email (if the individual agreed to electronic notice). For imminent misuse, you may also use telephone or other urgent means.
Substitute and additional notice
If you lack current contact information for 10 or more individuals, provide substitute notice (such as website posting or media notice) for at least 90 days and maintain a toll-free number. If fewer than 10 individuals are unreachable, use an alternative method reasonably calculated to reach them.
Content of the notice
- Brief description of what happened, including the date of the breach and discovery.
- Types of PHI involved (for example, names, addresses, Social Security numbers, diagnoses).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate, and prevent future incidents.
- Contact information for questions (toll-free number, email, or postal address).
HHS and media notification specifics
- 500 or more affected individuals: notify HHS without unreasonable delay and no later than 60 days from discovery; notify media in the impacted state/jurisdiction.
- Fewer than 500 affected individuals: log the event and report to HHS within 60 days of the end of the calendar year.
Law enforcement delay and documentation
If law enforcement states that notification would impede an investigation or threaten national security, you must delay as directed. Maintain breach logs, copies of notices, risk assessment factors, and decisions for at least six years.
Business Associate Breach Obligations
Business associate responsibilities
Business associates must investigate incidents, perform the same risk assessment, and notify the covered entity without unreasonable delay and no later than 60 days after discovery. They must identify each affected individual to the extent possible and share information needed for the covered entity’s notices.
Subcontractors and contracts
Business associate responsibilities flow down to subcontractors that create, receive, maintain, or transmit PHI. Your business associate agreements must require incident reporting, cooperation, and security safeguards aligned with the Security Rule.
Operational expectations
- Maintain incident response procedures and a breach log that supports the notification timeframe.
- Use encryption and access controls to minimize unsecured PHI exposure.
- Provide timely updates as new facts emerge so the covered entity can finalize accurate notices.
Enforcement and Penalties by OCR
How OCR enforces
OCR conducts complaint-driven investigations, compliance reviews triggered by breach reports, and periodic audits. Findings can result in technical assistance, resolution agreements with corrective action plans, or civil money penalties.
Penalty framework
HIPAA penalties are tiered by culpability—from lack of knowledge to willful neglect—and are adjusted annually for inflation. Factors include the nature and extent of the violation, the number of individuals affected, and the entity’s history and cooperation.
Lessons from OCR enforcement actions
- Encryption and strong access controls significantly reduce breach risk and penalty exposure.
- Delays beyond the 60-day notification timeframe and inadequate risk assessment documentation are frequent findings.
- Comprehensive policies, workforce training, and prompt mitigation weigh favorably in enforcement outcomes.
Key Omnibus Rule Changes
Rebuttable presumption and four-factor analysis
The Omnibus Rule replaced the prior “harm” standard with the breach notification rebuttable presumption and codified the four risk assessment factors. You must document why PHI was not compromised or proceed with notification.
Expanded business associate scope and liability
The definition of business associate explicitly includes downstream subcontractors handling PHI. Business associates are directly liable for Security Rule compliance and certain Privacy Rule provisions, including breach notification duties.
Clarified notice content and processes
The Rule refined notice content elements, reinforced plain-language requirements, and aligned processes for substitute notice, media notice, and HHS reporting to support consistent consumer protection.
Compliance Deadlines and Implementation
Key historical dates
- Final Omnibus Rule published in 2013; effective March 26, 2013.
- General compliance date September 23, 2013.
- Transitional extension for certain pre-2013 business associate agreements through September 23, 2014.
Implementation roadmap
- Map PHI flows and identify where unsecured PHI exists; apply encryption and destruction standards.
- Establish incident intake, triage, and risk assessment procedures that operationalize the four factors.
- Pre-draft individual, media, and HHS notice templates; track the 60-day notification timeframe.
- Update business associate agreements to specify breach reporting and subcontractor obligations.
- Train workforce on impermissible disclosure scenarios and escalation paths; conduct tabletop exercises.
- Maintain documentation and a breach log to support OCR inquiries and annual reporting.
Conclusion
By applying the four risk assessment factors, honoring the rebuttable presumption, and executing timely, complete notices, you satisfy core Omnibus Rule expectations. Strong controls, clear contracts, and disciplined documentation lower breach likelihood and reduce exposure to OCR enforcement actions.
FAQs
What constitutes a breach under the HITECH HIPAA Omnibus Rule?
A breach is any unauthorized acquisition, access, use, or impermissible disclosure of unsecured PHI that violates the Privacy Rule. Because of the breach notification rebuttable presumption, you must treat such events as breaches unless a documented risk assessment shows a low probability that the protected health information was compromised.
How should a risk assessment be performed for a suspected breach?
Analyze and document the four risk assessment factors: the nature and extent of PHI involved, who received or used it, whether it was actually acquired or viewed, and how effectively you mitigated risk. Collect evidence (for example, retrieval confirmations or attestations) and record your rationale for concluding whether notification is required.
When must covered entities notify affected individuals?
You must notify without unreasonable delay and no later than 60 calendar days after discovery. Use first-class mail or agreed email, provide substitute notice if contact information is insufficient, and include all required content elements so individuals can act to protect themselves.
What are the penalties for non-compliance with OCR guidelines?
OCR may impose civil money penalties under HIPAA’s tiered structure, require corrective action plans via resolution agreements, and monitor ongoing compliance. Penalties consider culpability, impact, cooperation, and timeliness, including adherence to the 60-day notification timeframe and quality of your documentation.