HIPAA Breach Notification Rule Compliance Checklist for Covered Entities and Business Associates

Kevin Henry

HIPAA

April 27, 2024

Use this compliance checklist to operationalize the HIPAA Breach Notification Rule for incidents involving Protected Health Information (PHI). It aligns your Privacy Rule compliance program, clarifies notification timelines, and defines how covered entities and business associates coordinate under the Department of Health and Human Services (HHS) framework.

Breach Notification Requirements

Confirm the incident is a reportable breach

  • Determine whether there was an impermissible acquisition, access, use, or disclosure of unsecured PHI.
  • Apply the breach exceptions: good-faith, within-scope access; inadvertent disclosure between authorized persons; or where the recipient could not reasonably retain the information.
  • If PHI was properly encrypted or otherwise “secured” consistent with recognized guidance, apply the safe harbor (not a reportable breach).

Start the notification clock at discovery

  • Record the date of discovery—the point when you knew, or by exercising reasonable diligence should have known, of the breach.
  • Use this date to manage all notification timelines and internal deadlines.

Identify who must be notified

  • Individuals: Notify each affected person (or their personal representative).
  • HHS Secretary: Report via the prescribed process; timing depends on the number of affected individuals.
  • Media: If the breach involves 500 or more residents of a single state or jurisdiction, provide media notice to prominent outlets there.

Follow the required methods of notice

  • Written notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice.
  • Urgent situations: Optional telephone or other expedient contact in addition to written notice.
  • Substitute notice: If contact information is insufficient or out of date, the method depends on how many individuals cannot be reached. For fewer than 10 individuals, an alternative form of notice is permitted; for 10 or more, provide a conspicuous website posting or media notice for at least 90 days together with a toll-free number.

Respect law enforcement delays

  • Delay notifications when a law enforcement official states that notice would impede a criminal investigation or threaten national security.
  • Document the request; if initially oral, the delay cannot exceed 30 days unless replaced by a written request specifying the time period.

Business Associate Obligations

Implement and enforce the Business Associate Agreement (BAA)

  • Define breach reporting duties, including timelines, content, and points of contact.
  • Require the business associate to identify affected individuals and provide details necessary for the covered entity’s notifications.
  • Flow down the same obligations to subcontractors handling PHI.

Set practical notification timelines

  • While HIPAA permits “without unreasonable delay and no later than 60 calendar days,” your BAA should set a shorter internal deadline (for example, 24–72 hours for initial notice) so the covered entity can meet its obligations.
  • Require ongoing updates as the investigation refines the scope and impact.

Coordinate investigation and remediation

  • Establish a joint incident response plan: containment, forensics, Breach Risk Assessment, and corrective actions.
  • Assign responsibility for drafting and issuing individual, media, and HHS notices.

Risk Assessment Procedures

Apply the four-factor Breach Risk Assessment

  • Nature and extent of PHI: data elements involved (e.g., diagnoses, SSNs), volume, identifiability, and sensitivity.
  • Unauthorized person: who used or received the PHI and their obligations to protect confidentiality.
  • Whether PHI was actually acquired or viewed: evidence of access, exfiltration, or use.
  • Mitigation: extent to which risk was reduced (e.g., prompt retrieval, validated deletion, strong contractual assurances).

Presume a breach unless you can demonstrate a low probability that the PHI has been compromised based on the totality of factors. Document your reasoning clearly.

Structure and document the assessment

  • Record discovery date, incident narrative, systems and data affected, scope of individuals, and containment steps.
  • Capture evidence: logs, screenshots, forensic reports, vendor attestations, and remediation tasks.
  • Conclude with a determination (breach vs. not a breach) and any required notifications.

Notification Content Standards

Include all required elements in plain language

  • What happened: a brief, factual description, including the date of the breach and date of discovery.
  • Types of PHI involved: describe data elements (e.g., names, addresses, medical record numbers, diagnoses).
  • Steps individuals should take: practical actions such as monitoring accounts, changing passwords, or placing fraud alerts when appropriate.
  • What you are doing: mitigation efforts, security improvements, and steps to prevent future incidents.
  • How to get help: clear contact information (toll-free number, email, postal address) and hours of operation.

Quality and consistency controls

  • Use consistent language across individual letters, media statements, and HHS submissions.
  • Limit disclosures to what is necessary to inform; do not include unnecessary PHI.
  • Ensure translations and accessible formats where appropriate.

Enforcement and Penalties

Understand OCR enforcement

  • The HHS Office for Civil Rights (OCR) investigates complaints and breach reports, and conducts compliance reviews.
  • Outcomes range from technical assistance and corrective action plans to Civil Monetary Penalties (CMPs).

Civil Monetary Penalties and settlement factors

  • A four-tier penalty structure scales with the level of culpability, from lack of knowledge through to willful neglect that is not corrected.
  • Penalties are assessed per violation with annual caps by violation category and are adjusted for inflation.
  • Aggravating/mitigating factors: number of individuals affected, duration, harm, history of noncompliance, financial condition, and post-incident cooperation.
  • Demonstrated recognized security practices and swift remediation can reduce enforcement exposure.

State Law Considerations

Preemption and “more stringent” rules

  • HIPAA sets a federal floor. More stringent state privacy laws are not preempted and must be followed.
  • Separate state data breach statutes may apply to personal information beyond PHI and can impose additional duties.

Timelines and regulator notifications

  • Many states require notification “without unreasonable delay” and some set outer limits (e.g., 30 or 45 days).
  • Some states mandate notice to the state attorney general or other agencies at specific thresholds.
  • For multi-state incidents, plan to meet the shortest applicable deadline and the most extensive content requirement.

Documentation and Record-Keeping

Maintain complete and durable records

  • Retain policies, procedures, BAAs, training records, risk analyses, and incident response plans for at least six years.
  • Keep a breach log for incidents affecting fewer than 500 individuals and submit the annual report to HHS within the required window.
  • Archive copies of all notifications, assessment workpapers, forensic findings, and remediation evidence.

Operational readiness

  • Run tabletop exercises and update playbooks to reflect evolving threats and lessons learned.
  • Monitor vendor compliance and require proof of security controls and incident response capabilities.

Conclusion

This checklist integrates Breach Risk Assessment, Business Associate Agreement controls, and Notification Timelines into a single workflow. By documenting decisions, issuing complete notices, and aligning federal and state rules, you strengthen Privacy Rule compliance and reduce the likelihood and impact of Civil Monetary Penalties.

FAQs

What is the timeline for breach notification under HIPAA?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery. For incidents affecting 500 or more individuals in a single state or jurisdiction, you must also notify prominent media outlets within the same timeframe. Breaches affecting 500 or more individuals must be reported to the HHS Secretary without unreasonable delay and within 60 days of discovery; breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered.
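The deadlines and thresholds above (60 calendar days from discovery for individuals, contemporaneous HHS reporting at 500 or more versus the annual log otherwise, media notice at 500 or more residents of one state, and the 10-individual cut-off for substitute notice) combine into a small decision procedure that an incident response team can run as soon as the discovery date and the affected population are known. The following Python is an added illustration, not code from the article or from Accountable; it assumes a constructed affected population built from (state, count, count-without-valid-contact) tuples, treats every window as plain calendar days, and does not model law-enforcement delays or state-law deadlines, which must be layered on separately.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Sequence, Tuple

# Thresholds and windows as stated in the checklist (assumed to be the only inputs)
NOTICE_WINDOW = timedelta(days=60)        # "no later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500              # contemporaneous HHS report; media notice per state
SUBSTITUTE_NOTICE_THRESHOLD = 10          # 10+ unreachable -> web/media posting for 90 days


@dataclass(frozen=True)
class AffectedIndividual:
    state: str               # state or jurisdiction of residence
    has_valid_contact: bool  # last known address (or agreed-to e-mail) on file


@dataclass(frozen=True)
class NotificationPlan:
    discovery_date: date
    total_affected: int
    individual_deadline: date        # written notice to each affected person
    hhs_deadline: date               # report to the HHS Secretary
    hhs_route: str                   # "contemporaneous" or "annual-log"
    media_notice_states: Tuple[str, ...]
    substitute_notice: str           # "none", "alternative", or "web-or-media-90-days"


def individual_deadline(discovery: date) -> date:
    """The notification clock starts at discovery, not at containment."""
    return discovery + NOTICE_WINDOW


def hhs_deadline(discovery: date, total_affected: int) -> Tuple[date, str]:
    """500+ individuals: report within the same 60-day window.
    Fewer than 500: log the incident and report within 60 days after
    the end of the calendar year in which it was discovered."""
    if total_affected >= LARGE_BREACH_THRESHOLD:
        return discovery + NOTICE_WINDOW, "contemporaneous"
    year_end = date(discovery.year, 12, 31)
    return year_end + NOTICE_WINDOW, "annual-log"


def media_notice_states(individuals: Iterable[AffectedIndividual]) -> Tuple[str, ...]:
    """Media notice is triggered per state, so aggregate the count per state
    rather than looking only at the overall total."""
    per_state = Counter(p.state for p in individuals)
    return tuple(sorted(s for s, n in per_state.items() if n >= LARGE_BREACH_THRESHOLD))


def substitute_notice_method(individuals: Iterable[AffectedIndividual]) -> str:
    unreachable = sum(1 for p in individuals if not p.has_valid_contact)
    if unreachable == 0:
        return "none"
    if unreachable < SUBSTITUTE_NOTICE_THRESHOLD:
        return "alternative"
    return "web-or-media-90-days"


def plan_notifications(discovery: date, individuals: Iterable[AffectedIndividual]) -> NotificationPlan:
    people = list(individuals)
    hhs_due, route = hhs_deadline(discovery, len(people))
    return NotificationPlan(
        discovery_date=discovery,
        total_affected=len(people),
        individual_deadline=individual_deadline(discovery),
        hhs_deadline=hhs_due,
        hhs_route=route,
        media_notice_states=media_notice_states(people),
        substitute_notice=substitute_notice_method(people),
    )


def sample_population(groups: Sequence[Tuple[str, int, int]]) -> list:
    """Constructed sample data: each tuple is (state, count, count_without_contact)."""
    people = []
    for state, count, missing in groups:
        people += [AffectedIndividual(state, i >= missing) for i in range(count)]
    return people


def plan_for(discovery_iso: str, groups: Sequence[Tuple[str, int, int]]) -> NotificationPlan:
    """Convenience wrapper taking an ISO date string and the constructed groups."""
    return plan_notifications(date.fromisoformat(discovery_iso), sample_population(groups))


if __name__ == "__main__":
    # Constructed scenario: 510 Californians and 110 Nevadans, 12 with no usable address
    plan = plan_for("2024-04-27", [("CA", 510, 12), ("NV", 110, 0)])
    print(plan)
    # Constructed small incident: 40 Texans, 3 unreachable, discovered late in the year
    print(plan_for("2023-11-15", [("TX", 40, 3)]))
```

Running the first scenario yields individual and HHS deadlines of 2024-06-26, media notice for CA only (NV is below the 500-resident threshold even though the overall total exceeds it), and the website or media form of substitute notice; the second scenario shows the annual-log route pushing the HHS deadline to 60 days after year end.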

How should a risk assessment be conducted following a breach?

Conduct a Breach Risk Assessment using the four mandatory factors: the nature and extent of PHI involved; the unauthorized person who used or received the PHI; whether the PHI was actually acquired or viewed; and the extent of mitigation. Presume a breach unless you can show a low probability of compromise based on these factors. Document your methods, evidence, findings, and final determination.

What are the penalties for non-compliance with the HIPAA Breach Notification Rule?

OCR may require corrective actions and can impose Civil Monetary Penalties under a four-tier framework that scales with culpability and the severity of noncompliance. Penalties are assessed per violation, subject to annual caps by violation category, and are adjusted for inflation. Factors include the number of individuals affected, harm caused, duration, prior history, and the promptness and completeness of your response.

How do state breach notification laws interact with HIPAA requirements?

HIPAA establishes a federal baseline, but more stringent state privacy or breach laws remain in effect. Many states set shorter notification timelines and require attorney general or regulator notices. For incidents spanning multiple states, follow the strictest applicable standard while also meeting all HIPAA obligations to individuals, media (when required), and the HHS Secretary.
