HIPAA Breach Notification Rule: Content Requirements, Risk Assessment, and Examples

Kevin Henry

HIPAA

April 27, 2024

7 minutes read
Breach Definition and Exceptions

Under the HIPAA Breach Notification Rule (45 CFR 164.400-414), a breach is the acquisition, access, use, or disclosure of unsecured Protected Health Information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. PHI is "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (in practice, encryption or destruction; see the safe harbor section below).

Three narrow exceptions mean an incident is not a breach: (1) unintentional acquisition, access, or use by a workforce member or person acting under the authority of a covered entity or business associate, made in good faith and within the scope of authority; (2) inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement; and (3) a good faith belief that the unauthorized recipient could not reasonably have retained the information. Exceptions (1) and (2) apply only if the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule.

Illustrative examples

  • Lost, unencrypted laptop containing patient rosters and diagnoses: typically a breach requiring notification.
  • Nurse emails lab results to the wrong clinician within the same clinic and promptly deletes them on receipt: often an exception, if both are authorized and no further use occurs.
  • Employee snooping in a neighbor’s record without a job need: breach with disciplinary action and notifications.
  • Misdirected patient bill recovered immediately from the wrong mailbox, unopened, with documentation of retrieval: may not be a breach if the information was not retained.

Risk Assessment Criteria

An impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The burden of proof is on the covered entity or business associate, so document the analysis and its outcome.

Four required factors

  • Nature and extent of PHI involved, including types of identifiers and the risk of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made, and their obligations to protect confidentiality.
  • Whether the PHI was actually acquired or viewed, or only the opportunity existed.
  • The extent to which the risk has been mitigated, such as obtaining satisfactory assurances of destruction or return.

A breach is presumed unless the assessment supports a low probability of compromise. Retain written assessments, decisions, and supporting evidence for at least six years, as the Privacy Rule's documentation requirement demands.

Applying the factors: quick example

A fax with a patient’s name and appointment time goes to another provider bound by confidentiality and is immediately destroyed. The limited data, recipient’s status, and mitigation may support a “no breach” conclusion with full documentation.

Notification Timing and Procedures

Notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Discovery occurs on the first day the breach is known, or would have been known by exercising reasonable diligence; knowledge by any workforce member or agent (other than the person who committed the breach) counts, so the clock can start before anyone in privacy or security leadership hears about the incident. Note that 60 days is an outer limit, not a target: waiting the full period without reason can itself be an "unreasonable delay."

Methods of individual notice

  • Written notice by first-class mail to the last known address; email is permitted if the individual has agreed to electronic notice.
  • Urgent situations posing imminent misuse may also warrant telephone or other immediate contact in addition to written notice.
  • If there is insufficient or out-of-date contact information:
    • For fewer than 10 individuals: provide an alternative form of notice (e.g., telephone, email, or other means).
    • For 10 or more individuals: post a conspicuous website notice for at least 90 days or use major print/broadcast media where affected individuals likely reside, and maintain a toll-free number active for at least 90 days.

Business associate to covered entity

Business associates must notify the covered entity without unreasonable delay and no later than 60 days from discovery, including, to the extent possible, the identification of each affected individual and any other details the covered entity needs to prepare individual notices. Two practical caveats: the business associate agreement may set a shorter deadline than the regulatory maximum, and if the business associate is acting as the covered entity's agent, its discovery date is imputed to the covered entity, so the covered entity's own 60-day clock starts on that date rather than on the date it receives the report.

Law enforcement delay

If a law enforcement official states that notice would impede a criminal investigation or cause damage to national security, you must delay notification. A written statement specifying the required delay period governs for that period. An oral statement must be documented (including the identity of the official), and the delay may last no longer than 30 days from the date of the oral statement unless a written statement is submitted during that time.

Notification Content Requirements

Your notice must be clear, concise, and written in plain language. Include only the details necessary to inform and protect individuals; avoid disclosing additional PHI.

Required elements

  • A brief description of what happened, including the date of the breach and the date of discovery (if known).
  • A description of the types of information involved (for example, names, addresses, Social Security numbers, account numbers, diagnoses, treatment information).
  • Steps individuals should take to protect themselves (e.g., monitoring accounts, placing fraud alerts, password changes).
  • A description of what you are doing to investigate the breach, mitigate harm, and prevent future incidents.
  • Contact procedures for individuals to ask questions or learn more (toll‑free number, email address, or postal address).

Reporting to HHS and Media

In addition to individual notices, you have distinct reporting obligations to HHS and, in some cases, the media. The two obligations use different thresholds, so count both the total number of individuals and the number of residents per state or jurisdiction.

  • Breaches affecting 500 or more individuals in total: notify HHS contemporaneously with the individual notices, without unreasonable delay and no later than 60 days from discovery.
  • Breaches affecting more than 500 residents of a single state or jurisdiction: also notify prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 days from discovery.
  • Breaches affecting fewer than 500 individuals: log the incident and submit the log to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

Media notices should include the same core elements as individual notices and be issued in a manner reasonably calculated to reach affected residents. Maintain proof of publication and all submissions for audit readiness.

Encryption and Safe Harbor

If PHI is secured by encryption or properly destroyed in the manner described in HHS guidance, an incident involving that PHI falls under HIPAA's "safe harbor," and breach notification is not required. To qualify, encryption must render the data unusable, unreadable, or indecipherable to unauthorized individuals, and the decryption key (or the confidential process that enables decryption) must not have been compromised along with the data. A lost encrypted device whose key was stored on or with it does not qualify.

What “secured” means in practice

  • Electronic PHI: for data at rest, encryption consistent with NIST SP 800-111 (full-disk or volume encryption using a strong, industry-standard algorithm such as AES, implemented in a FIPS-validated cryptographic module); for data in transit, TLS or a VPN consistent with NIST SP 800-52, 800-77, or 800-113; and keys stored on a separate device or system from the encrypted data.
  • Paper, film, or other hard copy: shredding or destruction such that the PHI cannot be read or reconstructed. Electronic media: cleared, purged, or destroyed consistent with NIST SP 800-88 (degaussing or secure wiping, not a simple file delete or quick format).

Examples: a stolen laptop with full-disk encryption and segregated keys typically does not trigger notification; a thumb drive encrypted but with the password taped to it would not meet safe harbor. Always verify configurations and document decisions for Regulatory Compliance.
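Verifying the configuration means producing evidence that the volumes holding ePHI actually sat on an encrypted layer, ideally from an endpoint inventory captured before the device was lost. The following is an added example, not code from the original article or from any product it mentions: a Python check that reads the JSON tree printed by Linux `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports which PHI-bearing mountpoints are not stacked on top of a dm-crypt (LUKS) device. The two device trees, the function names, and the default set of PHI mountpoints are all constructed assumptions for the demonstration.

```python
"""Check whether the filesystems holding ePHI sit on an encrypted block layer.

Added example, not from the original article. Consumes the output of
`lsblk -J -o NAME,TYPE,MOUNTPOINT` on Linux. The two device trees below are
constructed samples, not captured from a real host.
"""
import json
import sys
from typing import Dict, Iterable, List

# Constructed sample: / and /home are LVM volumes stacked on a dm-crypt (LUKS) layer;
# /boot and /boot/efi are plaintext, which is normal for a FDE laptop.
ENCRYPTED_LAPTOP = json.dumps({
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
            {"name": "nvme0n1p3", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
                ]},
            ]},
        ]},
    ]
})

# Constructed sample: same partitions mounted directly, with no crypt layer anywhere.
PLAINTEXT_LAPTOP = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "sda2", "type": "part", "mountpoint": "/"},
            {"name": "sda3", "type": "part", "mountpoint": "/home"},
        ]},
    ]
})


def _mountpoints(node: dict) -> Iterable[str]:
    """Yield the mountpoint(s) of one lsblk node.

    Older lsblk prints a single "mountpoint" string; newer releases print a
    "mountpoints" list when that column is requested, so accept both.
    """
    for mp in node.get("mountpoints") or [node.get("mountpoint")]:
        if mp:
            yield mp


def mountpoint_encryption(lsblk_json: str) -> Dict[str, bool]:
    """Map every mountpoint to True if a 'crypt' device lies on its path from the disk."""
    result: Dict[str, bool] = {}

    def walk(node: dict, under_crypt: bool) -> None:
        # Once a crypt node is seen, everything stacked on it (LVM, filesystems) inherits it.
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json).get("blockdevices", []):
        walk(dev, False)
    return result


def unencrypted_phi_volumes(lsblk_json: str,
                            phi_mounts: Iterable[str] = ("/", "/home")) -> List[str]:
    """Return PHI-bearing mountpoints that are absent or not under an encrypted layer.

    An empty list satisfies only the at-rest half of the safe-harbor test; whether the
    key or passphrase was kept away from the device must be established separately.
    """
    enc = mountpoint_encryption(lsblk_json)
    return [mp for mp in phi_mounts if not enc.get(mp, False)]


if __name__ == "__main__":
    # Live host:  lsblk -J -o NAME,TYPE,MOUNTPOINT | python3 fde_check.py -
    # No argument: evaluate the two constructed samples.
    if sys.argv[1:] == ["-"]:
        samples = {"stdin": sys.stdin.read()}
    else:
        samples = {"encrypted-sample": ENCRYPTED_LAPTOP, "plaintext-sample": PLAINTEXT_LAPTOP}
    for label, data in samples.items():
        missing = unencrypted_phi_volumes(data)
        verdict = "encrypted" if not missing else "NOT encrypted: " + ", ".join(missing)
        print(f"{label}: {verdict}")
```

The check answers only one question: was the data on the lost device under an encryption layer at all. It says nothing about key hygiene (a passphrase taped to the drive, a recovery key synced to the same account), which the safe harbor also requires, and nothing about data copied to an unencrypted partition such as /boot. The analogous evidence on other platforms comes from `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault); in all cases, keep the inventory record or the command output with the risk assessment file, since the burden of proving the safe harbor applies is yours.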

Mitigation and Response Strategies

Effective breach response limits harm and produces the record you will need to defend your risk assessment and notification decisions. Activate your incident response plan, assign roles, and work through containment, investigation, and recovery with clear documentation at each step.

Action checklist

  • Preserve evidence first: capture logs, forensic images, and a timeline before reimaging or wiping anything, since the risk assessment depends on knowing whether the PHI was actually acquired or viewed, and that evidence disappears the moment a compromised host is rebuilt.
  • Contain and eradicate: disable compromised accounts, isolate affected systems, recover from clean backups, and apply patches.
  • Support individuals: provide guidance and, where appropriate, offer credit monitoring or identity protection services.
  • Remediate root causes: strengthen access controls, enforce minimum necessary, deploy encryption, and review Business Associate Agreements.
  • Educate and enforce: retrain workforce on privacy/security policies and apply sanctions when appropriate.
  • Document and review: record decisions, notices, reporting dates, and mitigation steps; perform a post-incident review to shorten time to discovery and notification and to close the control gaps the incident exposed.

Conclusion

The HIPAA Breach Notification Rule requires prompt action, a thorough and documented risk assessment, and precise communications. By understanding the definitions and exceptions, meeting the timing and content requirements, maintaining encryption that actually qualifies for the safe harbor, and executing strong mitigation, you protect patients, fulfill legal duties, and strengthen organizational resilience.

FAQs

What constitutes a HIPAA breach under the notification rule?

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy, unless one of the limited exceptions applies or a documented assessment shows a low probability of compromise.

How soon must affected individuals be notified of a breach?

You must notify individuals without unreasonable delay and no later than 60 calendar days after discovery, using first‑class mail or agreed‑upon email, with substitute notice if contact information is insufficient.

What information is required in a breach notification?

Provide a brief description of the incident and discovery dates, the types of data involved, steps individuals should take, what you are doing to investigate and mitigate, and clear contact information for questions.

When must breaches be reported to HHS?

For breaches affecting 500 or more individuals, report to HHS at the same time as the individual notices, without unreasonable delay and no later than 60 days from discovery; if more than 500 residents of one state or jurisdiction are affected, prominent media in that state or jurisdiction must also be notified. For fewer than 500 individuals, log the breach and submit the log to HHS no later than 60 days after the end of the calendar year in which it was discovered.
