HIPAA Breach Notification Rule Explained: Requirements, Timelines, and Reporting Obligations
Breach Notification to Individuals
The HIPAA Breach Notification Rule requires Covered Entities to notify affected individuals following a breach of Unsecured Protected Health Information. Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after they discover the breach, so that individual notice can be issued, and must share the information the Covered Entity needs to meet its obligations (identities of affected individuals, the PHI involved, and the circumstances of the incident).
Notification timelines and methods
- Timing: Provide notice without unreasonable delay and no later than 60 calendar days after discovery of the breach. "Discovery" means the first day the breach is known, or should reasonably have been known, to any workforce member or agent of the organization. Sixty days is an outer limit, not a target: waiting until day 60 when the facts were established much earlier is itself an unreasonable delay.
- Method: Send written notice by first‑class mail to the last known address. If the individual has agreed to electronic communications, you may use e‑mail.
- Urgent situations: If there is imminent risk of misuse, you may supplement written notice with phone or other immediate means.
- Personal representatives: Send notice to parents/guardians for minors and to personal representatives for incapacitated or deceased individuals (for deceased individuals, you may notify the next of kin or authorized agent).
Substitute notice when contact information is insufficient
- Fewer than 10 affected individuals: Provide substitute notice by an alternative method (for example, telephone, e‑mail, or other reasonable means).
- 10 or more affected individuals: Provide substitute notice via a conspicuous website posting or through major print or broadcast media in areas where affected individuals likely reside, and maintain a toll‑free number for at least 90 days.
State laws may impose shorter Notification Timelines; you should align your process to the most stringent requirement that applies.
Breach Notification to HHS
Covered Entities must notify the Secretary of Health and Human Services about breaches of Unsecured Protected Health Information, using the HHS Office for Civil Rights breach report portal. For incidents affecting 500 or more individuals, submit notice without unreasonable delay and no later than 60 calendar days after discovery, alongside the individual notice. Business Associates notify the Covered Entity, which is responsible for reporting to HHS.
For smaller incidents, annual reporting rules apply; see “Reporting Breaches Affecting Fewer Than 500 Individuals.”
Media Notification Requirements
If a single breach involves 500 or more residents of a state or jurisdiction, you must provide Media Outlet Notification to prominent media in that area without unreasonable delay and no later than 60 calendar days after discovery. This is in addition to individual notice and reporting to HHS.
What to communicate to the media
Issue a press release or comparable statement that mirrors the content you provide to individuals, ensuring consistency and clarity. Coordinate timing so media notice does not precede individual notice unless necessary to protect individuals from imminent harm.
Content of Breach Notifications
All notices must be written in plain language and include at least the following:
- A brief description of what happened, including the date of the breach and the date of discovery, if known.
- The types of Unsecured Protected Health Information involved (for example, names, addresses, Social Security numbers, medical record numbers, diagnoses).
- Steps individuals should take to protect themselves (such as monitoring accounts or placing fraud alerts).
- What the Covered Entity or Business Associate is doing to investigate, mitigate harm, and prevent further incidents (for example, resetting credentials, enhancing monitoring, offering credit protection, retraining staff).
- How individuals can obtain more information, including a contact point with a toll‑free number, e‑mail address, website, or postal address.
Exceptions to Notification Obligations
Three narrow exceptions to “breach”
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under authority, in good faith, within scope, and without further impermissible use or disclosure.
- Inadvertent disclosure by an authorized person to another authorized person within the same Covered Entity, within an Organized Health Care Arrangement, or between a Covered Entity and a Business Associate, when not further used or disclosed impermissibly.
- Disclosure where the recipient could not reasonably have retained the information (for example, a misdirected mailing returned unopened).
Risk Assessment and the “low probability of compromise” standard
Any impermissible use or disclosure of PHI that does not fall under one of the three exceptions is presumed to be a breach. To rebut that presumption, perform a documented Risk Assessment covering at least: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated. Only if the assessment demonstrates a low probability that the PHI has been compromised is notification not required. Keep the documentation to show how you reached this determination; the burden of proof is on the Covered Entity or Business Associate.
Encryption Safe Harbor Provisions
Incidents involving PHI that is properly secured do not constitute breaches of Unsecured Protected Health Information, so notification is generally not required. "Secured" has a specific meaning under HHS guidance: the PHI was encrypted consistent with the NIST standards HHS cites (NIST SP 800-111 for data at rest; NIST SP 800-52, 800-77, or 800-113 for data in transit), or it was destroyed (paper shredded or pulverized, electronic media sanitized per NIST SP 800-88) so that it is unusable, unreadable, or indecipherable. Access controls, passwords alone, or redaction do not meet this standard.
When safe harbor applies
- Encrypted laptops, mobile devices, servers, or backups where the decryption key was not stored on or with the lost device and was not otherwise compromised.
- PHI that has been destroyed so it is unusable, unreadable, or indecipherable.
Limits to safe harbor
- If encryption keys or credentials are compromised, safe harbor may not apply.
- Partial or improperly implemented encryption may leave PHI "unsecured": for example, full-disk encryption on a device that was lost while powered on and unlocked, a key kept on the same device, or PHI that was copied unencrypted to a file share or e-mail before the device was lost.
Reporting Breaches Affecting Fewer Than 500 Individuals
Even for small incidents, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Additionally, maintain a log of such breaches and report them to the Secretary of Health and Human Services no later than 60 days after the end of the calendar year in which they were discovered.
Documentation and retention
Maintain your breach log, Risk Assessment records, and copies of notices. Retain this documentation for the period HIPAA mandates (six years from the date of creation or the date it was last in effect, per the Privacy Rule's documentation standard) to demonstrate compliance.
Example timeline
If you discover a breach on March 10, 2025, notify individuals by May 9, 2025 (60 calendar days, counting weekends and holidays). If 500 or more individuals are affected, report to HHS by the same date, and notify media in any state where 500 or more residents are affected. If fewer than 500 individuals are affected, record the incident on your annual log and submit it to HHS by March 1, 2026 (60 days after December 31, 2025).
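The decision tree above (safe harbor, the three exceptions, the risk-assessment presumption, then the individual, HHS, media, and substitute-notice rules) is easy to get wrong when tracked in a spreadsheet. The following is an added example, not code from the original article or from any HIPAA tooling; it encodes the page's thresholds and deadlines in a small planner. The `Incident` fields, the sample incidents, and the status strings are assumptions constructed for illustration, and it is not legal advice.

```python
"""Breach-notification planner encoding this page's decision tree (illustrative only)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW_DAYS = 60          # "no later than 60 calendar days after discovery"
HHS_IMMEDIATE_THRESHOLD = 500    # 500+ individuals: report to HHS within the 60-day window
MEDIA_THRESHOLD = 500            # 500+ residents of one state/jurisdiction: media notice
SUBSTITUTE_WEB_THRESHOLD = 10    # 10+ bad addresses: website/media substitute notice + toll-free number


@dataclass
class Incident:
    discovered: date                          # first day known, or reasonably should have been known
    affected_by_state: dict                   # assumed shape: {"CA": 900, "NV": 300}
    encrypted_per_nist: bool = False          # encryption consistent with HHS guidance / NIST
    keys_compromised: bool = False            # key stored with the data or otherwise exposed
    exception_applies: bool = False           # one of the three narrow "breach" exceptions
    low_probability_of_compromise: Optional[bool] = None  # documented four-factor assessment result
    undeliverable_addresses: int = 0          # individuals whose contact information is insufficient


@dataclass
class Plan:
    status: str                               # "no_notice", "needs_risk_assessment", or "notify"
    reason: str
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    media_states: list = field(default_factory=list)   # media notice due by individual_deadline
    substitute_notice: Optional[str] = None


def annual_hhs_deadline(discovered: date) -> date:
    """Sub-500 breaches: report within 60 days after the end of the calendar year of discovery."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)


def plan_notifications(inc: Incident) -> Plan:
    # 1. Safe harbor: properly encrypted PHI whose keys stayed out of reach is not "unsecured".
    if inc.encrypted_per_nist and not inc.keys_compromised:
        return Plan("no_notice", "encryption safe harbor; retain evidence of encryption state and key custody")
    # 2. Statutory exceptions to the definition of "breach".
    if inc.exception_applies:
        return Plan("no_notice", "statutory exception applies; document which one and why")
    # 3. Presumption of breach: no 'no notice' decision without a documented risk assessment.
    if inc.low_probability_of_compromise is None:
        return Plan("needs_risk_assessment",
                    "impermissible use/disclosure is presumed a breach until the four-factor assessment is documented")
    if inc.low_probability_of_compromise:
        return Plan("no_notice", "assessment demonstrates low probability of compromise; retain the assessment")
    # 4. Breach of unsecured PHI: work out audiences and deadlines.
    total = sum(inc.affected_by_state.values())
    individual_deadline = inc.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    hhs_deadline = (individual_deadline if total >= HHS_IMMEDIATE_THRESHOLD
                    else annual_hhs_deadline(inc.discovered))
    media_states = sorted(s for s, n in inc.affected_by_state.items() if n >= MEDIA_THRESHOLD)
    substitute = None
    if inc.undeliverable_addresses >= SUBSTITUTE_WEB_THRESHOLD:
        substitute = ("conspicuous website posting (90 days) or major print/broadcast media, "
                      "plus a toll-free number active for at least 90 days")
    elif inc.undeliverable_addresses > 0:
        substitute = "alternative written notice, telephone, or other reasonable means"
    return Plan("notify", f"breach of unsecured PHI affecting {total} individuals",
                individual_deadline, hhs_deadline, media_states, substitute)


# Constructed sample incidents (not real events). SMALL matches the page's worked example.
SMALL_INCIDENT = Incident(date(2025, 3, 10), {"CA": 420}, low_probability_of_compromise=False)
LARGE_INCIDENT = Incident(date(2025, 3, 10), {"CA": 900, "NV": 300},
                          low_probability_of_compromise=False, undeliverable_addresses=25)
SAFE_HARBOR_INCIDENT = Incident(date(2025, 3, 10), {"CA": 5000}, encrypted_per_nist=True)
PENDING_INCIDENT = Incident(date(2025, 3, 10), {"CA": 3})

if __name__ == "__main__":
    for name, inc in [("small", SMALL_INCIDENT), ("large", LARGE_INCIDENT),
                      ("safe_harbor", SAFE_HARBOR_INCIDENT), ("pending", PENDING_INCIDENT)]:
        p = plan_notifications(inc)
        print(name, p.status, p.individual_deadline, p.hhs_deadline, p.media_states, p.substitute_notice)
```

Note that the planner refuses to produce a "no notice" outcome when the risk assessment has not been recorded; that mirrors the rule's presumption of breach and keeps the burden of proof visible. Deadlines are outer limits, and state law may require earlier notice than this calculator produces.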
Key takeaways
- Act quickly: start containment, complete a Risk Assessment, and meet Notification Timelines.
- Notify the right audiences: individuals, the Secretary of Health and Human Services, and media when thresholds require it.
- Harden data: strong encryption and proper destruction invoke safe harbor and reduce notification exposure.
- Document everything: decisions, notices, mitigation steps, and annual reports.
FAQs
What is the timeline for notifying individuals after a HIPAA breach?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. Provide written notice by mail (or e‑mail if the individual has agreed), and use substitute notice if contact details are insufficient. Some state laws require faster notice; follow the shortest applicable deadline.
When must breaches be reported to the Department of Health and Human Services?
For incidents affecting 500 or more individuals, report to the Secretary of Health and Human Services without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting fewer than 500 individuals, log them and submit the annual report to HHS within 60 days after the end of the calendar year.
Are there exceptions to the HIPAA breach notification rule?
Yes. Three narrow exceptions apply: certain good‑faith internal uses, inadvertent disclosures between authorized persons, and disclosures where the recipient could not reasonably retain the information. In addition, if a documented Risk Assessment shows a low probability of compromise, notification is not required. Law enforcement can also request a temporary delay in notice to avoid impeding an investigation.
How does encryption affect breach notification requirements?
If PHI was encrypted or destroyed in accordance with HHS guidance, it is not considered Unsecured Protected Health Information, and the incident typically does not trigger notification. However, if encryption keys or credentials are compromised, or encryption was not properly implemented, safe harbor may not apply.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.