HIPAA Breach Notification Requirements: When and How to Notify Individuals



Kevin Henry

HIPAA

January 08, 2025

6 minutes read

Individual Notification Procedures

When notification is required

Breach notification is required when there is a breach of unsecured protected health information. "Unsecured" means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance: in practice, encrypted consistent with NIST guidance or destroyed so that it cannot be reconstructed (shredded paper, purged electronic media). If a documented risk assessment, covering the nature and extent of the PHI, the unauthorized person who used or received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated, shows a low probability that the PHI was compromised, notification is not required. Otherwise, the covered entity must notify each affected individual.

Breach Discovery Timeline

The clock starts the day the breach is discovered—or should have been discovered with reasonable diligence—by the covered entity or its business associate. You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Knowledge by any workforce member or agent (other than the person who committed the incident) counts as organizational knowledge.

Method of delivery

Send written notice by first-class mail to the individual’s last known address. You may use email if the individual has agreed to electronic communications. If there’s imminent risk of harm, you may supplement the written notice with a telephone call or other immediate contact to mitigate risk.

Special recipients and documentation

If the individual is a minor, incapacitated, or deceased, notify the personal representative or next of kin as appropriate. Document the discovery date, the risk assessment and the decision to notify, the content of the notices, and the dates they were sent. Retain evidence of every notification attempt for your compliance files; HIPAA places the burden of proof on the covered entity to show that required notices were made.

Secretary Notification Deadlines

For breaches affecting 500 or more individuals, notify the Secretary of Health and Human Services without unreasonable delay and in no case later than 60 days from discovery. For breaches affecting fewer than 500 individuals, keep a log and submit it to the Secretary within 60 days after the end of the calendar year in which the breaches were discovered.

These obligations are in addition to individual notices. Use the designated breach reporting portal to submit required details, ensuring accuracy and consistency with your individual notifications.

Media Notification Obligations

If a single breach involves more than 500 residents of a state or jurisdiction, you must notify prominent media outlets serving that state or jurisdiction. This is typically done via a press release and must occur without unreasonable delay and no later than 60 days after discovery. Note that the media threshold is "more than 500 residents of one state or jurisdiction", which differs from the Secretary threshold of 500 or more individuals in total.

Media notice does not replace individual notices; it supplements them. The content should mirror the information provided to individuals and should reach outlets that effectively serve the affected geography.


Substitute Notice Methods

Fewer than 10 individuals

When contact information is insufficient or out of date for fewer than 10 affected individuals, you may use an alternative form of written notice, telephone, or other means reasonably calculated to reach each individual.

10 or more individuals

If contact information is insufficient or out of date for 10 or more affected individuals, provide either a conspicuous posting on the home page of your website for at least 90 days or conspicuous notice in major print or broadcast media in the areas where the affected individuals likely reside. In either case, include a toll-free number that remains active for at least 90 days so individuals can find out whether their information was involved.

Business Associate Breach Reporting

A business associate must report a breach of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery. The report must include, to the extent possible, the identification of each affected individual and any other information the covered entity needs to complete its own notifications.

Contracts may require faster reporting than HIPAA’s outer limit. While a covered entity may delegate the task of issuing notices to a business associate by agreement, the covered entity remains ultimately responsible for overall compliance.

Content Requirements for Notices

Every notice to individuals, and the media notice that mirrors it, should be written in plain language and include enough detail to help people protect themselves. At minimum, ensure the following elements are present:

  • A brief description of what happened, including the date of the breach and the date it was discovered.
  • A description of the types of unsecured PHI involved (for example, names, addresses, dates of birth, account numbers, Social Security numbers, or clinical information).
  • Steps affected individuals should take to protect themselves (such as monitoring accounts, placing fraud alerts, or changing passwords).
  • A brief description of what the organization is doing to investigate, mitigate harm, and prevent future incidents.
  • Contact information for questions or assistance, including a toll-free number and at least one additional method such as email, website, or postal address.

You may delay notifications if a law enforcement official states that notice would impede a criminal investigation or damage national security. If the statement is in writing and specifies a period, delay for that period. If the statement is oral, document it, including the identity of the official, and delay no longer than 30 days from the oral statement unless a written statement is provided within that time. Resume notification promptly once the delay period ends.
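The thresholds and clocks above (60-day outer limit, the 500-individual Secretary threshold, the more-than-500-residents-per-state media threshold, the fewer-than-10 versus 10-or-more substitute notice split, the year-end log for small breaches, and the 30-day cap on oral law enforcement delays) are easy to get wrong under incident pressure. The following Python is an added example written for this article, not code from the original page or from any vendor; the `Breach` record, its field names, and the sample breaches are assumptions made up for illustration, and dates are treated as calendar days with no jurisdiction-specific adjustments.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Outer limits and periods from the HIPAA Breach Notification Rule (45 CFR 164.400-414).
OUTER_LIMIT_DAYS = 60         # individual, Secretary (500+), media, and BA-to-CE notices
LE_ORAL_DELAY_MAX_DAYS = 30   # oral law enforcement request: at most 30 days unless put in writing
SUBSTITUTE_NOTICE_DAYS = 90   # web posting / toll-free number must stay active at least 90 days


@dataclass
class Breach:                              # hypothetical record, not an HHS data structure
    discovered: date                       # date discovered, or should have been with reasonable diligence
    unsecured: bool                        # PHI not encrypted/destroyed per HHS guidance
    low_probability_of_compromise: bool    # outcome of the documented four-factor risk assessment
    affected_by_state: Dict[str, int]      # residents affected per state/jurisdiction, e.g. {"CA": 620}
    unreachable: int = 0                   # individuals with insufficient or out-of-date contact info


def total_affected(b: Breach) -> int:
    return sum(b.affected_by_state.values())


def notification_plan(b: Breach) -> dict:
    """Who must be notified and by when, or why no notice is required."""
    if not b.unsecured:
        return {"notify": False, "reason": "PHI was secured (encrypted/destroyed per HHS guidance)"}
    if b.low_probability_of_compromise:
        return {"notify": False, "reason": "documented risk assessment shows low probability of compromise"}

    outer = b.discovered + timedelta(days=OUTER_LIMIT_DAYS)
    n = total_affected(b)

    # Secretary: 500 or more individuals -> same 60-day outer limit as individual notice;
    # fewer than 500 -> annual log due 60 days after the end of the calendar year of discovery.
    if n >= 500:
        secretary_deadline = outer
    else:
        secretary_deadline = date(b.discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)

    # Media: per state/jurisdiction, MORE THAN 500 residents (strictly greater, unlike the Secretary rule).
    media_states = sorted(s for s, c in b.affected_by_state.items() if c > 500)

    # Substitute notice depends on how many individuals cannot be reached by mail or agreed email.
    if b.unreachable >= 10:
        substitute = "website_posting_or_media_90_days_plus_tollfree"
    elif b.unreachable > 0:
        substitute = "alternative_written_phone_or_other"
    else:
        substitute = None

    return {
        "notify": True,
        "total_affected": n,
        "individual_deadline": outer,
        "secretary_deadline": secretary_deadline,
        "media_states": media_states,
        "media_deadline": outer if media_states else None,
        "substitute_notice": substitute,
        "substitute_notice_days": SUBSTITUTE_NOTICE_DAYS if substitute else 0,
    }


def ba_report_deadline(discovered: date, contract_days: Optional[int] = None) -> date:
    """Business associate's deadline to report to the covered entity.
    A BAA may shorten the period but can never extend it past HIPAA's 60-day outer limit."""
    days = OUTER_LIMIT_DAYS if contract_days is None else min(contract_days, OUTER_LIMIT_DAYS)
    return discovered + timedelta(days=days)


def law_enforcement_delay_ends(statement_date: date, written_until: Optional[date] = None) -> date:
    """Earliest date notices may go out after a law enforcement request to delay.
    Written statement: honour the period the official specified.
    Oral statement: at most 30 days from the statement unless a written one follows."""
    if written_until is not None:
        return written_until
    return statement_date + timedelta(days=LE_ORAL_DELAY_MAX_DAYS)


if __name__ == "__main__":
    # Constructed sample: 650 individuals, 620 of them in one state, 12 with bad addresses.
    sample = Breach(date(2025, 1, 8), True, False, {"CA": 620, "NV": 30}, unreachable=12)
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
    print("BA deadline (10-day BAA):", ba_report_deadline(date(2025, 1, 8), contract_days=10))
```

Run it and compare the output against your incident timeline; the point of separating the Secretary check (`n >= 500`) from the media check (`c > 500` per state) is that a breach of exactly 500 residents of one state triggers Secretary notice within 60 days but no media notice.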

Conclusion

To comply with HIPAA Breach Notification Requirements, act quickly after discovery, deliver clear notices to individuals, the Secretary, and media when required, and use substitute methods if direct contact fails. Strong coordination with business associates and precise, plain-language content ensure timely, defensible compliance.

FAQs.

What deadlines must covered entities meet for breach notification?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify the Secretary within 60 days for breaches affecting 500 or more individuals, and for smaller breaches no later than 60 days after the end of the calendar year in which they were discovered.

How should covered entities notify individuals of a breach?

Provide written notice by first-class mail to the last known address or by email if the individual has agreed to electronic communications. For urgent situations posing imminent harm, supplement with a phone call or similar immediate outreach.

What triggers media notification requirements?

Media notification is required when a single breach affects more than 500 residents of a state or jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and within 60 days of discovery, in addition to individual notices.

How does a business associate report a breach to a covered entity?

The business associate must notify the covered entity without unreasonable delay and no later than 60 days from discovery, providing, to the extent possible, the identities of affected individuals and all information the covered entity needs to complete required notifications.
