Breach Notification Under the HIPAA Omnibus Final Rule: Timelines and Steps

Kevin Henry

HIPAA

August 23, 2024

6 minutes read

If you handle Protected Health Information (PHI), the HIPAA Omnibus Final Rule sets clear breach notification timelines and steps. This guide explains what counts as a breach, who you must notify, what to include, and how to stay aligned with Privacy Rule Compliance.

Breach Definition and Rebuttable Presumption

A breach is any impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. Under the Omnibus Final Rule, there is a rebuttable presumption that such an incident is a breach unless you demonstrate a low probability that PHI has been compromised.

Breach Risk Assessment

You must perform and document a Breach Risk Assessment using at least four factors: (1) the nature and extent of PHI involved, including identifiers and likelihood of re-identification; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.

Unsecured vs. Secured PHI

Notification applies to unsecured PHI. If PHI is rendered unusable, unreadable, or indecipherable (for example, through strong encryption or proper destruction), the incident is not a breach that triggers notice. Always document your analysis to support the rebuttable presumption outcome.

Notification Requirements for Individuals

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. A breach is “discovered” on the first day it is known to you—or would have been known with reasonable diligence. Knowledge by any workforce member or agent (other than the person committing the breach) is imputed to the organization.

Notification Timelines and Methods

  • Primary method: Written notice by first-class mail to the individual (or personal representative). You may use email if the individual has agreed to electronic notice.
  • Urgent situations: If possible misuse is imminent, you may also use telephone or other immediate means in addition to written notice.
  • Substitute notice: If contact information for fewer than 10 individuals is insufficient, use an alternative method (e.g., phone or email). If contact information for 10 or more is insufficient, provide a conspicuous website posting for at least 90 days or notice in major print or broadcast media where individuals likely reside, plus a toll-free number active for at least 90 days.

Track and document your Notification Timelines, including the discovery date, decision points, and any corrective actions.

Notification Procedures for HHS

You must notify the Secretary of Health and Human Services through the designated electronic portal. The timing depends on the number of affected individuals.

  • Breaches affecting 500 or more individuals: Notify the Secretary without unreasonable delay and no later than 60 calendar days from discovery.
  • Breaches affecting fewer than 500 individuals: Log the incident and report it to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.

Keep a breach log with key facts (discovery date, scope, mitigation) to support timely reporting and ongoing Privacy Rule Compliance.

Media Notification Obligations

If a breach involves 500 or more residents of a single state or jurisdiction, you must provide notice to prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. This is in addition to notifying individuals and the Secretary of Health and Human Services.

Media notices should be concise, accurate, and consistent with the individual notification content. Do not include PHI in the media announcement.

Business Associate Breach Reporting

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Your business associate agreement may require a shorter deadline; meet the stricter standard if it applies.

  • What the business associate provides: Identification of each affected individual (if known), a description of what happened, the types of PHI involved, the date of the breach and discovery, mitigation steps taken, and any additional information needed for the covered entity’s notices.
  • Delegated notice: A covered entity may delegate individual or media notifications to a business associate, but the covered entity remains responsible for overall compliance.

Content Requirements for Notifications

Every notification must be written in plain language and include all required elements so individuals can protect themselves.

  • A brief description of what happened, including the date of the breach and the date of discovery (if known).
  • A description of the types of PHI involved (for example, names, addresses, dates of birth, account numbers, diagnoses).
  • Steps individuals should take to protect themselves from potential harm.
  • What you are doing to investigate the breach, mitigate harm, and prevent future incidents.
  • Contact information for questions: a toll‑free number, email address, and/or postal address or website.

Ensure readability and accessibility (e.g., appropriate language access). Do not include any PHI in the notice itself beyond what is necessary to describe the incident.

Exceptions and Law Enforcement Delays

Three exceptions mean an impermissible use or disclosure may not be a breach: (1) unintentional good‑faith access or use by a workforce member within scope of authority with no further disclosure; (2) inadvertent disclosure between two authorized persons within the same covered entity or business associate; and (3) a good‑faith belief that the unauthorized recipient could not reasonably have retained the information.

Law enforcement may request a delay if notice would impede a criminal investigation or threaten national security. A written request specifies the delay period; an oral request must be documented and allows a temporary delay of up to 30 days, pending written confirmation. Notification clocks resume when the delay ends.
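The timelines and thresholds from the sections above (individual, HHS and media notice, substitute-notice thresholds, the year-end log report for smaller breaches, and the law enforcement delay), combined into a small deadline calculator an incident-response team could drop into a playbook. This is an added example, not the author's or Accountable's code; BreachFacts, notification_plan and overdue are hypothetical names, the incident facts are constructed, and the assumption that a law-enforcement delay extends every deadline by the same number of days is mine, not something the page states.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BreachFacts:
    discovery: str                      # ISO date of discovery (first day known, or knowable with diligence)
    affected: int                       # total individuals whose unsecured PHI was involved
    insufficient_contact: int = 0       # individuals whose contact information is missing or out of date
    max_residents_one_state: int = 0    # largest count of affected residents in any single state/jurisdiction
    le_delay_days: int = 0              # law-enforcement delay requested, in days
    le_request_in_writing: bool = True  # written requests state the period; oral ones are capped below


def notification_plan(f: BreachFacts) -> dict:
    """Return the notification channels the article requires and their latest due dates (ISO strings)."""
    delay = f.le_delay_days
    if not f.le_request_in_writing:
        # An oral request only supports a temporary delay of up to 30 days pending written confirmation.
        delay = min(delay, 30)
    discovered = date.fromisoformat(f.discovery)
    # Assumption (not stated on the page): the delay tolls every clock equally, so each window grows by it.
    sixty_days = discovered + timedelta(days=60 + delay)
    plan = {"individuals": sixty_days.isoformat()}

    if f.insufficient_contact >= 10:
        plan["substitute_notice"] = "website posting or major media for 90+ days, plus toll-free number for 90+ days"
    elif f.insufficient_contact > 0:
        plan["substitute_notice"] = "alternative method such as phone or email"

    if f.affected >= 500:
        plan["hhs"] = sixty_days.isoformat()
    else:
        # Fewer than 500: log it and report no later than 60 days after the end of the year of discovery.
        year_end = date(discovered.year, 12, 31)
        plan["hhs"] = (year_end + timedelta(days=60 + delay)).isoformat()

    if f.max_residents_one_state >= 500:
        plan["media"] = sixty_days.isoformat()
    return plan


def overdue(plan: dict, today: str) -> list:
    """Names of the dated channels in `plan` whose due date has already passed on `today` (ISO)."""
    t = date.fromisoformat(today)
    return sorted(k for k, v in plan.items() if k != "substitute_notice" and date.fromisoformat(v) < t)


if __name__ == "__main__":
    # Constructed incident: 1,200 individuals, 800 in one state, 12 with stale addresses, no delay.
    large = BreachFacts("2024-03-10", affected=1200, insufficient_contact=12, max_residents_one_state=800)
    print(notification_plan(large))
    print(overdue(notification_plan(large), "2024-05-10"))
```

A breach with a business associate in the chain would need a second, earlier clock for the associate's notice to the covered entity; the page notes the agreement may set a shorter deadline than 60 days, so that value has to come from the contract rather than a constant.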

Conclusion

To meet HIPAA’s breach standards, promptly assess incidents using the four-factor test, apply the rebuttable presumption, and follow clear Notification Timelines for individuals, the Secretary of Health and Human Services, and (when applicable) the media. Align your processes with Privacy Rule Compliance, maintain thorough documentation, and coordinate closely with business associates to ensure timely, complete notifications.

FAQs

What is the definition of a breach under the HIPAA Omnibus Final Rule?

It is an impermissible acquisition, access, use, or disclosure of unsecured PHI presumed to compromise privacy or security, unless you demonstrate a low probability of compromise through a documented Breach Risk Assessment.

When must covered entities notify individuals of a breach?

Without unreasonable delay and no later than 60 calendar days after discovery, using first‑class mail (or email if the individual agrees). If contact information for 10 or more individuals is insufficient, provide substitute notice via website posting or major media plus a toll‑free number for at least 90 days.

How do business associates report breaches to covered entities?

They must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, supplying known affected individuals, what happened, types of PHI involved, key dates, mitigation steps, and any additional details the covered entity needs for required notifications.

When is media notification required?

When a breach affects 500 or more residents of a single state or jurisdiction. The covered entity must notify prominent media outlets without unreasonable delay and within 60 calendar days, in addition to notifying individuals and the Secretary of Health and Human Services.
