HIPAA Breach Notification Checklist: Reporting Requirements, Content, and Examples
Breach Definition and Risk Assessment
A HIPAA breach is an impermissible acquisition, access, use, or disclosure of unsecured Protected Health Information that compromises its security or privacy. “Unsecured” means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption or proper destruction).
Upon discovery, you must promptly determine whether notification is required by completing a documented risk assessment. Evaluate four core Risk Assessment Factors to decide if there is a low probability that PHI was compromised:
- Nature and extent of PHI involved (identifiers, clinical details, financial or Social Security numbers, images).
- The unauthorized person who used or received the PHI (e.g., a covered entity vs. a member of the public).
- Whether the PHI was actually acquired or viewed (as opposed to exposure without access).
- The extent to which the risk has been mitigated (e.g., obtaining a signed attestation of destruction or confirming unopened mail returned).
Examples to guide your analysis
- Lost, unencrypted laptop containing patient schedules and diagnoses: likely a breach requiring notification.
- Misdirected email with lab results to a non-authorized recipient who confirms deletion without viewing: risk may be mitigated but still requires assessment and documentation.
- Ransomware encrypts a file server with PHI: treat as a security incident that is presumed a breach unless your assessment shows a low probability of compromise.
- Stolen paper records with names and medical record numbers: likely a breach; evaluate scope, retrieval, and mitigation efforts.
Exceptions to Breach Notification
HIPAA recognizes specific Breach Notification Exceptions. If any of these apply and are supported by your documentation, notification is not required:
- Unintentional access or use by a workforce member acting in good faith within the scope of authority, with no further impermissible disclosure.
- Inadvertent disclosure from one authorized workforce member to another within the same covered entity (or business associate), without further impermissible use or disclosure.
- Disclosure where the recipient could not reasonably have retained the information (for example, a sealed envelope returned unopened or unreadable media).
Practical examples
- A nurse opens the wrong chart but immediately closes it and reports the error; no further use occurs—exception may apply.
- A billing specialist emails a patient list to an authorized colleague in compliance who deletes it immediately—exception may apply.
- A discharge summary is briefly posted in a public area and quickly removed after being photographed—exception likely does not apply because the information could be retained.
Notification to Affected Individuals
If notification is required, the covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. A business associate must notify the covered entity without unreasonable delay and provide all available details so the covered entity can notify individuals. Law enforcement may request a delay when notification would impede an investigation; honor any valid delay request and document it.
Use first-class mail to the individual’s last known address, or email if the individual has agreed to electronic notice. If the individual is deceased, notify the next of kin or personal representative when known and appropriate.
Required content of the individual notice
- A brief description of what happened, including the date of the breach and the date of discovery (if known).
- The types of PHI involved (for example, names, addresses, diagnoses, treatment information, account numbers).
- Steps the individual should take to protect themselves (e.g., monitoring accounts, placing fraud alerts, changing passwords).
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- Contact procedures, including a toll-free number, email, or postal address for questions.
Substitute notice
- Fewer than 10 individuals with insufficient or out-of-date contact information: use an alternative form of notice (e.g., telephone).
- 10 or more individuals with insufficient or out-of-date contact information: provide a conspicuous website posting or major print/broadcast media notice for at least 90 days and include a toll-free number active for the same period.
Short example (individual letter)
On October 2, 2025, we learned that a stolen, unencrypted laptop may have contained your name, date of birth, and treatment information. The theft occurred on September 30, 2025. We have no evidence of misuse, but we recommend monitoring your accounts and considering a fraud alert. We have reported the incident, implemented device encryption, and enhanced access controls. If you have questions, call 1-800-000-0000 or email privacy@provider.example.
Notification to the Secretary
Follow the Secretary Notification Timeline based on breach size:
- 500 or more affected individuals: notify the Secretary without unreasonable delay and no later than 60 calendar days after discovery.
- Fewer than 500 affected individuals: log the breach and submit to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered (typically by March 1 of the following year).
Include details such as the covered entity or business associate involved, number of individuals affected, type and location of the breach, types of PHI, mitigation steps, and contact information. Maintain confirmation of submission for your compliance records.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Media Notification Requirements
If a breach involves more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. This is in addition to individual notices.
Media Notification Criteria mirror the individual notice content: describe the incident and dates, list PHI types, outline steps individuals can take, explain your mitigation and prevention actions, and provide reliable contact methods. Use clear, non-technical language and coordinate timing with individual notifications.
Examples
- A billing system incident affecting 750 residents of County A requires press outreach to major print or broadcast outlets serving County A, plus individual letters.
- A phishing incident affecting 300 residents of State X and 250 residents of State Y does not require a single-state media notice, but still requires individual notices and Secretary notification within 60 days of discovery because the total exceeds 500 individuals.
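The deadlines and thresholds set out above (individual notice within 60 days of discovery, the two Secretary tracks split at 500 individuals, media notice when more than 500 residents of a single state or jurisdiction are affected, and the substitute-notice split at 10 unreachable individuals) are easy to get wrong under pressure, especially the year-end rule, which lands on March 1 in a common year but February 29 in a leap year. The following Python script is an added example, not part of this checklist or any vendor's tooling; it encodes those rules as functions a breach-response team could drop into an incident tracker. The scenario names, counts, dates and helper names (`BreachFacts`, `build_plan`, `facts_from_iso`) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and windows as stated in the checklist above.
INDIVIDUAL_NOTICE_DAYS = 60          # individuals: no later than 60 calendar days after discovery
SECRETARY_LARGE_DAYS = 60            # 500 or more individuals: Secretary within 60 days of discovery
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60  # fewer than 500: within 60 days after the end of the calendar year
LARGE_BREACH_THRESHOLD = 500         # "500 or more" selects the immediate Secretary track
MEDIA_PER_JURISDICTION_THRESHOLD = 500  # "more than 500 residents of a single state or jurisdiction"
SUBSTITUTE_BULK_THRESHOLD = 10       # 10 or more unreachable individuals: posting/media substitute notice
SUBSTITUTE_POSTING_DAYS = 90         # posting and toll-free number stay active for at least 90 days


@dataclass
class BreachFacts:
    discovery: date                           # discovery date starts every clock
    affected_by_jurisdiction: Dict[str, int]  # affected residents per state/jurisdiction (constructed)
    unreachable_individuals: int = 0          # individuals with insufficient or out-of-date contact info


def facts_from_iso(discovery_iso: str, counts: Dict[str, int], unreachable: int = 0) -> BreachFacts:
    """Convenience constructor so an incident record can be built from ISO date strings."""
    return BreachFacts(date.fromisoformat(discovery_iso), dict(counts), unreachable)


def total_affected(facts: BreachFacts) -> int:
    return sum(facts.affected_by_jurisdiction.values())


def individual_notice_deadline(facts: BreachFacts) -> date:
    """Individual letters or agreed email: no later than 60 calendar days after discovery."""
    return facts.discovery + timedelta(days=INDIVIDUAL_NOTICE_DAYS)


def secretary_deadline(facts: BreachFacts) -> date:
    """500+ individuals: within 60 days of discovery. Otherwise log the breach and submit
    within 60 days after the end of the discovery year. That second rule is computed from
    December 31 rather than hard-coded to March 1 so leap years come out right."""
    if total_affected(facts) >= LARGE_BREACH_THRESHOLD:
        return facts.discovery + timedelta(days=SECRETARY_LARGE_DAYS)
    year_end = date(facts.discovery.year, 12, 31)
    return year_end + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)


def media_notice_jurisdictions(facts: BreachFacts) -> List[str]:
    """Media notice is judged per jurisdiction, so a multi-state breach can exceed 500
    in total without triggering it (the page's 300 + 250 example)."""
    return sorted(j for j, n in facts.affected_by_jurisdiction.items()
                  if n > MEDIA_PER_JURISDICTION_THRESHOLD)


def media_notice_deadline(facts: BreachFacts) -> Optional[date]:
    """Media notice, where required, runs on the same 60-day clock as individual notice."""
    if not media_notice_jurisdictions(facts):
        return None
    return facts.discovery + timedelta(days=INDIVIDUAL_NOTICE_DAYS)


def substitute_notice(facts: BreachFacts) -> Optional[str]:
    """Fewer than 10 unreachable: alternative notice such as telephone.
    10 or more: conspicuous website posting or major print/broadcast media."""
    if facts.unreachable_individuals <= 0:
        return None
    if facts.unreachable_individuals < SUBSTITUTE_BULK_THRESHOLD:
        return "alternative"
    return "posting"


def substitute_posting_until(posted_on: date) -> date:
    """Last day the posting and its toll-free number must remain active."""
    return posted_on + timedelta(days=SUBSTITUTE_POSTING_DAYS)


def build_plan(facts: BreachFacts) -> dict:
    """Collect every deadline into one record for the incident file."""
    large = total_affected(facts) >= LARGE_BREACH_THRESHOLD
    return {
        "total_affected": total_affected(facts),
        "individual_notice_by": individual_notice_deadline(facts),
        "secretary_track": "immediate" if large else "annual_log",
        "secretary_notice_by": secretary_deadline(facts),
        "media_notice_jurisdictions": media_notice_jurisdictions(facts),
        "media_notice_by": media_notice_deadline(facts),
        "substitute_notice": substitute_notice(facts),
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the page's examples; dates are illustrative.
    county_a = facts_from_iso("2025-10-02", {"County A": 750}, unreachable=12)
    two_states = facts_from_iso("2025-10-02", {"State X": 300, "State Y": 250})
    small = facts_from_iso("2025-03-15", {"State X": 40}, unreachable=3)
    for name, facts in (("county_a", county_a), ("two_states", two_states), ("small", small)):
        print(name, build_plan(facts))
```

The plan record deliberately carries only dates and categories; whether a law enforcement delay request applies, and how it is documented, stays a manual step, as the checklist requires.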
Documentation and Compliance
To meet Breach Documentation Requirements, retain breach records for at least six years. Your records should allow you to demonstrate compliance to regulators and auditors.
What to keep
- Incident reports, investigation notes, and time-stamped discovery records.
- Risk assessments showing analysis of the four factors and your determination.
- Copies of all notifications (individuals, Secretary, media), mailing/email proofs, and any law enforcement delay requests.
- Policies and procedures for breach response, workforce training logs, sanction records, and corrective action plans.
- Business associate agreements, vendor notifications, and chain-of-custody documentation for devices or media.
Operational checklist
- Contain the incident, secure systems, and preserve evidence.
- Assemble your privacy, security, and legal teams; notify leadership.
- Complete and document the risk assessment; decide whether notification is required.
- Prepare notices with required content; coordinate timelines and approvals.
- Submit Secretary and media notifications when applicable; track deadlines.
- Implement corrective actions and monitor their effectiveness.
Encryption Safe Harbor
Encryption Safe Harbor Provisions state that breaches involving PHI secured according to recognized encryption or destruction standards generally are not reportable because the data is not “unsecured.” Effective measures include:
- Encryption at rest using strong, validated cryptographic modules and sound key management.
- Encryption in transit (for example, modern TLS) for email and data transfers.
- Proper destruction of paper (cross-cut shredding) and electronic media (methods aligned with current data sanitization guidance).
Safe harbor does not apply if encryption was absent or improperly implemented, or if the keys were compromised. A password alone is not equivalent to encryption. If ransomware encrypts PHI that was already encrypted and you can show that no unauthorized access occurred, notification may not be required; document your analysis thoroughly.
In practice, full-disk encryption on laptops and mobile devices, encrypted backups, and rigorous key management can prevent common reportable incidents such as device theft or loss.
Putting it all together: a strong HIPAA Breach Notification Checklist helps you quickly assess incidents, identify Breach Notification Exceptions, meet the Secretary Notification Timeline and Media Notification Criteria, maintain robust documentation, and leverage safe harbor through effective encryption. Clear procedures and consistent execution reduce risk, cost, and regulatory exposure while protecting patients’ trust.
FAQs
What constitutes a breach under HIPAA?
A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. Unless an exception applies or your risk assessment documents a low probability of compromise, you must treat the incident as a breach and proceed with notification.
When must affected individuals be notified of a breach?
Notify individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. If law enforcement determines notification would impede an investigation, you may delay consistent with their request. Use first-class mail or agreed-upon email, and provide substitute notice if contact information is insufficient.
How soon must the Secretary be notified after a breach?
For breaches affecting 500 or more individuals, notify the Secretary without unreasonable delay and within 60 days of discovery. For fewer than 500 individuals, record the incident and submit it no later than 60 days after the end of the calendar year in which the breach was discovered.
What information must be included in breach notifications?
Each notice should describe what happened (including relevant dates), list the types of PHI involved, outline steps individuals should take to protect themselves, explain what you are doing to investigate and mitigate the breach and prevent recurrence, and provide clear contact methods such as a toll-free number or email.