HHS Office for Civil Rights Enforces the HIPAA Breach Notification Rule

Kevin Henry

HIPAA

April 28, 2024

8 minute read

The HIPAA Breach Notification Rule sets clear breach notification requirements when Protected Health Information is compromised. This guide explains how the HHS Office for Civil Rights (OCR) enforces those requirements under the Health Insurance Portability and Accountability Act and what you need to do to stay compliant.

Overview of the HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media, after a breach of unsecured Protected Health Information (PHI). “Unsecured” means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, not encrypted to accepted standards or not properly destroyed).

A “breach” is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Three narrow exceptions exist: unintentional acquisition by a workforce member acting in good faith, inadvertent disclosure between authorized persons within the same entity, and situations where the unauthorized person could not reasonably retain the information.

The Rule works alongside the Privacy Rule and the Security Rule. While the Security Rule focuses on safeguarding electronic PHI (ePHI), the Breach Notification Rule governs what happens when protections fail and outlines your breach notification requirements.

Role of HHS Office for Civil Rights

OCR administers and enforces HIPAA, including the Breach Notification Rule. OCR receives breach reports through its portal, triages allegations, conducts investigations and Compliance Reviews, issues guidance, and negotiates resolution agreements and Corrective Action Plans (CAPs). When potential criminal violations arise, OCR refers matters to the Department of Justice.

Beyond investigation, OCR evaluates your overall compliance posture—policies, training, risk analyses, vendor management, and technical safeguards—because these elements often determine whether a breach occurred and how well you responded.

Enforcement Procedures and Compliance Reviews

How investigations begin

Cases typically start from: (1) breach reports submitted by covered entities or business associates, (2) complaints from patients or workforce members, or (3) OCR-initiated Compliance Reviews based on patterns or the size/nature of an incident. Any reported breach affecting 500 or more individuals is highly likely to receive closer scrutiny.

What OCR requests

Expect written data requests for policies and procedures, workforce training records, incident response documentation, security event logs, risk analysis and risk management documentation, Business Associate Agreements, and evidence of notifications made. OCR may conduct desk audits or onsite reviews.

Possible outcomes

Outcomes range from technical assistance and voluntary compliance to resolution agreements with multi‑year CAPs or Civil Monetary Penalties. CAPs commonly require you to update policies, complete a fresh enterprise-wide risk analysis, implement a risk management plan, retrain staff, and submit periodic reports to OCR for monitoring.

Documentation and retention

Maintain evidence of compliance and breach response for at least six years. Strong documentation often distinguishes isolated mistakes from systemic noncompliance during Compliance Reviews.

Civil Penalties for Non-Compliance

HIPAA’s Civil Monetary Penalties follow a four‑tier structure based on culpability: (1) no knowledge, (2) reasonable cause, (3) willful neglect corrected, and (4) willful neglect not corrected. Penalties apply per violation, with annual caps per violation category and amounts adjusted annually for inflation.

When calculating penalties, OCR weighs aggravating and mitigating factors, including the nature and extent of the breach, the sensitivity of PHI involved, the number of individuals affected, the duration of noncompliance, your history of compliance, the level of Risk Assessment and mitigation performed, and your financial condition.

Even when monetary penalties are not imposed, resolution agreements often require rigorous corrective actions and multi‑year monitoring that can be resource‑intensive. Early detection, prompt notification, and demonstrable Security Rule compliance materially reduce penalty exposure.

Risk Analysis Requirements

Security Rule risk analysis (enterprise-wide)

The Security Rule requires an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You must inventory information systems, map where ePHI is created, received, maintained, or transmitted, evaluate threats and vulnerabilities, assess current controls, determine likelihood and impact, and document risk levels and remediation plans. Reassess periodically and whenever you experience significant changes (for example, new systems, mergers, or telehealth expansions).

Breach risk assessment (incident-specific)

After any impermissible use or disclosure, you must perform a breach risk assessment to determine the probability that PHI has been compromised. At minimum, evaluate: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which risks have been mitigated. Unless you can demonstrate a low probability of compromise, breach notification is required.

Why these assessments matter

OCR examines both analyses during investigations. Inadequate enterprise risk analysis and poor risk management are recurring findings in enforcement actions. Strong, current analyses—paired with documented controls and remediation—are essential defenses.

Notification Obligations for Covered Entities

Triggering events

Notification is required for breaches of unsecured PHI. If PHI was encrypted to accepted standards or properly destroyed, the incident typically does not trigger notification.

Who to notify

  • Individuals: Notify each affected person.
  • HHS: Report through the breach portal.
  • Media: If a breach affects 500 or more residents of a state or jurisdiction, notify prominent media outlets in that area.
  • Business associates: Must notify the covered entity without unreasonable delay and provide information needed for individual notices.

Timelines

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS: For 500 or more individuals, notify contemporaneously with individual notices; for fewer than 500, report no later than 60 days after the end of the calendar year in which the breaches were discovered.
  • Business associates: Notify the covered entity without unreasonable delay and no later than 60 days from discovery, identifying each affected individual and other details.

Methods and content of notice

Provide written notice by first‑class mail or email if the individual has agreed to electronic notice. If you lack adequate contact information for fewer than 10 individuals, use alternative means; for 10 or more, provide substitute notice such as a website posting for at least 90 days and a toll‑free number. Notices must include a brief description of the incident, the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and contact information.
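The who, when and how of notification described above, encoded as a small deadline planner. This is an added example, not code from the page or from Accountable; the `Incident` structure, the sample per-state counts and the treatment of the breach risk assessment outcome as an input flag are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and clocks as summarised on this page
INDIVIDUAL_DEADLINE_DAYS = 60     # individuals: no later than 60 calendar days after discovery
LARGE_BREACH_THRESHOLD = 500      # 500+ total: HHS contemporaneously; 500+ in a state: media
SMALL_BREACH_YEAR_END_DAYS = 60   # under 500: HHS within 60 days after end of the calendar year
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10+ unreachable: website posting (90+ days) and toll-free number

@dataclass
class Incident:                           # assumed structure, constructed for this example
    discovered: date
    affected_by_state: dict               # e.g. {"TX": 520, "OK": 30}
    phi_unsecured: bool = True            # False if encrypted to accepted standards or destroyed
    low_probability_of_compromise: bool = False  # outcome of the four-factor breach risk assessment
    unreachable_individuals: int = 0      # individuals with no adequate contact information

def notification_plan(inc: Incident) -> dict:
    """Map one incident to the notification obligations and deadlines described above."""
    total = sum(inc.affected_by_state.values())
    plan = {"notification_required": False, "total_affected": total}
    if not inc.phi_unsecured:             # safe harbor: secured PHI does not trigger notice
        plan["reason"] = "safe harbor: PHI encrypted or destroyed"
        return plan
    if inc.low_probability_of_compromise: # documented low probability rebuts the presumption
        plan["reason"] = "documented low probability of compromise"
        return plan
    plan["notification_required"] = True
    plan["individual_deadline"] = inc.discovered + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
    if total >= LARGE_BREACH_THRESHOLD:   # HHS notice contemporaneous with individual notices
        plan["hhs_deadline"] = plan["individual_deadline"]
    else:                                 # small breaches are logged to HHS after year end
        year_end = date(inc.discovered.year, 12, 31)
        plan["hhs_deadline"] = year_end + timedelta(days=SMALL_BREACH_YEAR_END_DAYS)
    # Media notice is judged per state/jurisdiction, not on the overall total
    plan["media_states"] = sorted(s for s, n in inc.affected_by_state.items()
                                  if n >= LARGE_BREACH_THRESHOLD)
    if inc.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan["substitute_notice"] = "website posting for at least 90 days plus toll-free number"
    elif inc.unreachable_individuals > 0:
        plan["substitute_notice"] = "alternative means (fewer than 10 individuals)"
    return plan

def plan_from_iso(discovered_iso: str, affected_by_state: dict, **kw) -> dict:
    """Convenience wrapper taking the discovery date as an ISO string, e.g. '2024-03-01'."""
    return notification_plan(Incident(date.fromisoformat(discovered_iso), affected_by_state, **kw))
```

Note that the 60-day clocks are outer limits; the rule's primary standard is "without unreasonable delay", so the planner's dates are the latest acceptable, not a target.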

Recent Enforcement Actions and Settlements

Recent OCR actions show consistent themes: delayed breach notifications, failure to perform an enterprise‑wide risk analysis under the Security Rule, inadequate risk management, and insufficient vendor oversight (for example, missing Business Associate Agreements or weak monitoring). OCR has resolved matters involving both large health systems and small practices, underscoring that organization size does not shield you from enforcement.

Settlements range from tens of thousands to multi‑million dollars, typically paired with CAPs that require updated risk analyses, revised policies and procedures, enhanced access controls and audit logging, workforce training, vendor management improvements, and recurring independent assessments. Entities that self‑identify issues, move quickly to contain and mitigate, and document their actions fare better than those that delay.

Practical lessons

  • Complete and update your enterprise risk analysis; tie it to a funded, time‑bound risk management plan.
  • Test incident response and breach notification workflows so you can meet the 60‑day clock.
  • Encrypt data at rest and in transit to qualify for the safe harbor when feasible.
  • Harden vendor governance: current Business Associate Agreements, security due diligence, and event reporting clauses.
  • Keep thorough records—OCR will ask for them during Compliance Reviews.

Conclusion

The HHS Office for Civil Rights enforces the HIPAA Breach Notification Rule by examining your readiness, your response, and your remediation. By conducting robust risk analyses, managing risks under the Security Rule, and meeting all breach notification requirements on time and in full, you materially reduce enforcement risk and protect patients’ trust.

FAQs

What entity enforces the HIPAA Breach Notification Rule?

The HHS Office for Civil Rights (OCR) enforces the HIPAA Breach Notification Rule, investigates reported breaches, conducts Compliance Reviews, and applies remedies ranging from technical assistance to Civil Monetary Penalties and corrective action plans.

How does OCR investigate breach notification violations?

OCR reviews breach reports and complaints, requests documentation (policies, training, risk analyses, incident logs, notices), and may conduct desk or onsite reviews. It evaluates timeliness and content of notices, Security Rule safeguards, vendor management, and overall compliance before determining corrective actions or penalties.

What penalties can result from HIPAA breach notification non-compliance?

Outcomes include resolution agreements with multi‑year corrective action plans and Civil Monetary Penalties based on a four‑tier structure tied to culpability. Penalties accrue per violation with annual caps, and amounts are adjusted annually for inflation.

What are the notification timelines required under the Breach Notification Rule?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report breaches affecting 500 or more individuals to HHS at the same time you notify individuals; report smaller breaches to HHS no later than 60 days after the end of the calendar year. Notify the media when 500 or more residents of a state or jurisdiction are affected.