HIPAA Breach Media Notification Requirements: When and How to Notify the Press


Kevin Henry

HIPAA

May 19, 2026


HIPAA Breach Notification Rule Overview

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify individuals, the Department of Health and Human Services, and, in certain cases, the media after a breach of unsecured protected health information. Your responsibility is to assess incidents promptly, determine whether compromised data qualifies as unsecured PHI, and deliver clear notices that help affected people protect themselves.

Unsecured protected health information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through methods such as strong encryption or proper destruction. If PHI is secured, the Breach Notification Rule generally does not apply.

What counts as a breach

A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. Before concluding a breach occurred, you must document a risk assessment considering: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which risk has been mitigated. Limited exceptions (for example, certain good-faith, unintentional accesses within scope) may apply.

Discovery and timing

Discovery occurs on the first day the breach is known to you—or should reasonably have been known with the exercise of reasonable diligence. All notification timelines run from the discovery date.

Criteria for Media Notification

You must issue a prominent media outlet notification when a breach involves 500 or more residents of a single state or jurisdiction. The threshold is evaluated by where affected individuals reside, not where your organization is located. If a breach affects 500 or more residents in multiple states, you notify prominent media outlets serving each such state or jurisdiction.

If the breach affects fewer than 500 residents in every state or jurisdiction, a media notice to the press under this rule is not required, even if the total affected across all locations exceeds 500. However, other HIPAA obligations—and state breach laws—still apply.

Selecting “prominent” outlets

Choose media outlets with substantial reach in the relevant state or jurisdiction, such as major newspapers, television, radio, or widely read digital news outlets. Document your rationale to support breach notification rule compliance.

Required Content in Media Notices

The media notice should contain the same core elements required in individual notifications, presented in clear, plain language and without including any PHI:

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • The types of unsecured protected health information involved (for example, names, addresses, dates of birth, medical record numbers, treatment information, or insurance details).
  • Steps affected individuals should take to protect themselves (such as monitoring accounts, placing fraud alerts, or changing passwords).
  • What you are doing to investigate the incident, mitigate harm, and prevent future occurrences (for example, containment, enhanced security controls, or workforce retraining).
  • How to obtain more information or assistance, including a toll-free number, email address, website, or postal address.

Avoid speculation, technical jargon, and operational details that could increase risk. Focus on accuracy, clarity, and actionable guidance.


Timeline and Reporting Deadlines

You must notify the media without unreasonable delay and in no case later than 60 calendar days after discovering a qualifying breach. The same outer 60-day deadline applies to notices to affected individuals. A law enforcement official may request a delay if notification would impede an investigation or cause harm; document any such request and align your timing accordingly.

Department of Health and Human Services reporting follows two tracks: for breaches affecting 500 or more individuals, submit to HHS without unreasonable delay and no later than 60 days from discovery; for fewer than 500 individuals, log the incident and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

Business associate timing

Business associates must notify the covered entity without unreasonable delay and no later than 60 days from discovery, supplying the identities of affected individuals and other details needed for the covered entity’s notices.

Steps for Complying with Media Notification

1) Confirm and scope the incident

Activate your breach communication protocols, contain the incident, and conduct the required risk assessment to determine whether unsecured PHI was compromised and whether the 500-resident threshold is met in any state or jurisdiction.

2) Align on messaging and content

Gather verified facts, draft the notice elements, and translate technical findings into plain language. Ensure statements are accurate, consistent, and limited to what is known at the time.

3) Select and brief outlets

Identify prominent media outlets serving each affected state or jurisdiction. Prepare a press release and, where appropriate, offer a media Q&A and designate a trained spokesperson to handle inquiries.

4) Meet deadlines and coordinate filings

Issue the media notice and individual notices without unreasonable delay and within 60 days of discovery. Complete Department of Health and Human Services reporting within the applicable timeframe. Track state law obligations that may impose additional content or timing requirements.

5) Support affected individuals

Stand up a call center or help desk, publish an information page, and provide remedies such as credit monitoring when appropriate. Keep messaging consistent across all channels.

6) Document and improve

Maintain records of decisions, drafts, approvals, outlets selected, and publication dates. After action, update policies, technical safeguards, and training to strengthen breach notification rule compliance.

Differences Between Media and Individual Notifications

  • Trigger: Media notification is required only when 500 or more residents of a state or jurisdiction are affected. Individual notification is required for every breach of unsecured PHI, regardless of size (unless a documented risk assessment shows a low probability of compromise).
  • Audience and purpose: Media notices inform the public rapidly at scale; individual notices provide personalized, actionable guidance to each affected person.
  • Delivery: Media notices are issued to prominent outlets. Individual notices are delivered by first-class mail or email (if the individual has agreed).
  • Substitute notice: If you lack contact information for 10 or more affected individuals, you must provide substitute individual notice (for example, a website posting or major media in areas where individuals likely reside). This is separate from the 500+ resident media requirement.
  • Content depth: Individual notices typically contain more detail tailored to the person; media notices mirror core elements without disclosing PHI.
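The trigger rules above (media notice per state of residence, HHS track on the grand total, substitute notice at 10 unreachable individuals, and the 60-day outer window from discovery) are easy to get wrong in the middle of an incident, so here is a small decision helper that encodes them. It is an added example written for this article, not code from the page or from Accountable; the data model, the constructed sample populations and the discovery date are assumptions, and it deliberately ignores law-enforcement delays and state-law overlays, which you still have to track separately.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and windows as stated in the article (HIPAA Breach Notification Rule).
MEDIA_RESIDENT_THRESHOLD = 500       # residents of ONE state/jurisdiction
HHS_CONTEMPORANEOUS_THRESHOLD = 500  # individuals in total, any location
SUBSTITUTE_NOTICE_THRESHOLD = 10     # individuals with no usable contact info
NOTICE_WINDOW_DAYS = 60              # outer limit measured from discovery

# Constructed discovery date used by the sample scenarios below (assumption).
CONSTRUCTED_DISCOVERY = date(2026, 3, 2)


@dataclass(frozen=True)
class AffectedIndividual:
    """One affected person: state of residence and whether we can reach them."""
    state: str
    has_contact_info: bool = True


@dataclass
class NotificationPlan:
    individual_notice_deadline: date
    media_notice_states: List[str]        # states/jurisdictions needing media notice
    media_notice_deadline: Optional[date]  # None when no media notice is required
    hhs_track: str                        # "contemporaneous" or "annual-log"
    hhs_deadline: date
    substitute_notice_required: bool


def plan_notifications(affected: List[AffectedIndividual], discovery: date) -> NotificationPlan:
    """Derive notification obligations from the affected population and discovery date.

    Assumptions of this example: the risk assessment has already concluded that a
    reportable breach of unsecured PHI occurred, no law-enforcement delay has been
    requested, and state breach laws are handled outside this function.
    """
    outer_deadline = discovery + timedelta(days=NOTICE_WINDOW_DAYS)

    # Media trigger is evaluated per state of residence, never on the grand total.
    per_state = Counter(person.state for person in affected)
    media_states = sorted(s for s, n in per_state.items() if n >= MEDIA_RESIDENT_THRESHOLD)

    # HHS trigger IS evaluated on the grand total.
    if len(affected) >= HHS_CONTEMPORANEOUS_THRESHOLD:
        hhs_track, hhs_deadline = "contemporaneous", outer_deadline
    else:
        year_end = date(discovery.year, 12, 31)
        hhs_track, hhs_deadline = "annual-log", year_end + timedelta(days=NOTICE_WINDOW_DAYS)

    unreachable = sum(1 for person in affected if not person.has_contact_info)

    return NotificationPlan(
        individual_notice_deadline=outer_deadline,
        media_notice_states=media_states,
        media_notice_deadline=outer_deadline if media_states else None,
        hhs_track=hhs_track,
        hhs_deadline=hhs_deadline,
        substitute_notice_required=unreachable >= SUBSTITUTE_NOTICE_THRESHOLD,
    )


def constructed_population(counts: Dict[str, int], unreachable: Dict[str, int]) -> List[AffectedIndividual]:
    """Build a constructed (fictional) population: head count per state, and how many
    of each state's residents lack contact information."""
    people: List[AffectedIndividual] = []
    for state, n in counts.items():
        missing = unreachable.get(state, 0)
        people += [AffectedIndividual(state, has_contact_info=(i >= missing)) for i in range(n)]
    return people


if __name__ == "__main__":
    scenarios = {
        "one state over 500":     ({"CA": 520, "NV": 300}, {"CA": 15}),
        "spread below 500 each":  ({"CA": 400, "NV": 400}, {}),
        "small incident":         ({"TX": 30}, {"TX": 9}),
    }
    for label, (counts, missing) in scenarios.items():
        plan = plan_notifications(constructed_population(counts, missing), CONSTRUCTED_DISCOVERY)
        print(f"{label}: media -> {plan.media_notice_states or 'none'}, "
              f"HHS -> {plan.hhs_track} by {plan.hhs_deadline}, "
              f"substitute notice -> {plan.substitute_notice_required}")
```

The second scenario is the one the article warns about: 800 people are affected in total, so HHS must be notified within the 60-day window, but no single state reaches 500 residents, so no media notice is triggered under this rule. The third scenario shows the annual-log track, with the HHS deadline falling 60 days after the end of the discovery year.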

Best Practices for Communicating with the Media

  • Prepare early: Build and test breach communication protocols, designate spokespeople, and pre-draft templates that align with your covered entity responsibilities.
  • Be clear and compassionate: Use plain language that explains what happened, what it means for people, and the concrete steps they can take.
  • Coordinate tightly: Synchronize media statements with individual notices and Department of Health and Human Services reporting so facts and timelines match.
  • Protect privacy: Never include PHI in public statements; limit detail to what is necessary and verified.
  • Honor legal holds: If law enforcement requests a delay, document it and pause notifications as permitted.
  • Localize outreach: Choose outlets with strong reach in each state or jurisdiction, and tailor examples or guidance to local concerns when appropriate.
  • Follow through: Provide ongoing updates if new material facts emerge, and publish corrective statements promptly when needed.

FAQs

When must a covered entity notify the media about a HIPAA breach?

You must notify the media when a breach involves 500 or more residents of a single state or jurisdiction. In that case, provide a notice to prominent media outlets serving the affected area, in addition to notifying individuals and reporting to HHS.

What information is required in a HIPAA media notification?

Include a brief description of what happened (with breach and discovery dates, if known), the types of unsecured protected health information involved, steps individuals should take, what you are doing to investigate and mitigate the breach and prevent recurrence, and contact information for assistance. Do not include any PHI in the public notice.

How soon must the media be notified following a breach discovery?

Provide media notice without unreasonable delay and no later than 60 calendar days after you discover the breach. A documented law enforcement delay may extend this timeframe as permitted.

Does the media notification requirement apply to breaches affecting fewer than 500 individuals?

No. The prominent media outlet notification requirement applies only when 500 or more residents of a state or jurisdiction are affected. However, individual notifications and HHS reporting are still required, and substitute individual notice via media may be necessary if you cannot reach 10 or more affected individuals.
