HIPAA Breach Notification Rule Guide: What Covered Entities Must Do
The HIPAA Breach Notification Rule requires covered entities and their business associates to notify specific parties when unsecured protected health information is compromised. This guide explains what you must do after breach discovery, how to meet media notification requirements, and how to maintain breach investigation documentation for covered entity compliance.
Notification Requirements for Affected Individuals
When you confirm or reasonably suspect an impermissible disclosure or use of unsecured protected health information (PHI) that is not otherwise excepted, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notice must be written in plain language and delivered by first-class mail; email is permitted if the individual has agreed to electronic notice.
Required content of the individual notice
- A brief description of what happened, including the date of the breach and the date of discovery, if known.
- The types of PHI involved (for example, names, addresses, Social Security numbers, diagnoses, or account numbers).
- Steps individuals should take to protect themselves (such as monitoring accounts or placing fraud alerts).
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- Contact information for questions and assistance (toll-free number, email, postal address, or website).
Method and substitute notice
If you lack sufficient contact information for fewer than 10 individuals, provide substitute notice by alternative written means, telephone, or other appropriate method. If 10 or more individuals are unreachable, you must post a conspicuous notice on your website home page or provide notice in major print or broadcast media where the individuals likely reside, and maintain a toll-free number for at least 90 days.
For urgent situations involving possible imminent misuse, you may also provide telephone or other faster notice in addition to written notice.
Reporting Procedures to HHS
For incidents affecting 500 or more individuals, you must provide HHS Secretary notification without unreasonable delay and in no case later than 60 calendar days from breach discovery. For incidents affecting fewer than 500 individuals, you must log each breach and submit an annual report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.
What to prepare for the HHS report
- Covered entity and, if applicable, business associate details.
- Number of individuals affected and the jurisdiction(s) involved.
- A description of the breach circumstances and the types of PHI involved.
- Dates of breach and discovery, mitigation steps taken, and corrective actions.
Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach, and should provide the identities of affected individuals along with any information needed for individual and HHS Secretary notification.
Media Notification Obligations
If a breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. This is in addition to individual notices and the HHS Secretary notification.
The media notice should include the same core information provided to individuals: what happened, the types of unsecured protected health information involved, steps individuals should take, your mitigation efforts, and your contact information. Use a press release or similar communication likely to reach the affected community.
Compliance Policies and Procedures
Develop and maintain written policies that operationalize the Breach Notification Rule. Your program should define “breach,” outline decision-making steps, and embed controls to prevent impermissible disclosure of PHI. Align procedures with your security program, incident response plan, and sanctions policy to ensure covered entity compliance.
Risk assessment and the “low probability” standard
For every potential incident, document a breach risk assessment addressing: the nature and extent of PHI involved; the unauthorized person who used or received the information; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. If you cannot demonstrate a low probability that PHI has been compromised, treat the incident as a reportable breach.
Securing PHI and safe harbor
Encrypt or otherwise render PHI unusable, unreadable, or indecipherable according to recognized guidance. Incidents involving properly secured PHI generally do not trigger notification duties, because the data is not considered unsecured protected health information.
Business associate management
Ensure business associate agreements require prompt reporting, cooperation in investigations, and timely provision of details needed for individual, media, and HHS Secretary notification. Define roles for forensics, containment, and mitigation.
Staff Training on Breach Reporting
Train your workforce to recognize and immediately report suspected incidents to the Privacy or Security Officer. Emphasize how to identify impermissible disclosure, how to preserve evidence, and what to avoid (e.g., further sharing of data).
Practical training elements
- Role-based scenarios on phishing, misdirected mail, lost devices, or unauthorized access.
- Clear internal escalation paths and timeframes for reporting potential breaches.
- Hands-on drills that practice breach discovery, containment, and documentation.
- Annual refreshers and training upon role changes or policy updates.
Documentation and Record Keeping
Maintain comprehensive breach investigation documentation, including your risk assessment, determination of whether notification was required, copies of notices, media releases, HHS submissions, mitigation steps, and corrective actions. Keep logs for incidents affecting fewer than 500 individuals for annual reporting.
Retain all HIPAA-required documentation, including policies, procedures, training records, sanction actions, and breach files, for at least six years from the date of creation or the date last in effect, whichever is later.
Timeline for Breach Notification
- Day 0: Breach discovery—the date the incident is known or should reasonably be known to your organization (including by agents or workforce members).
- Without unreasonable delay and no later than day 60: Send individual notices for reportable breaches.
- Within the same 60-day window: Provide HHS Secretary notification for breaches affecting 500 or more individuals.
- Within the same 60-day window: Issue press releases to meet media notification requirements if 500+ residents of a state or jurisdiction are affected.
- Annually, no later than 60 days after the end of the calendar year: Submit to HHS your log of breaches affecting fewer than 500 individuals.
- Business associates: Notify the covered entity without unreasonable delay and within 60 days of discovery, supplying details needed for downstream notifications.
Conclusion
Timely, complete notifications; a documented risk assessment; and strong policies, training, and record-keeping form the core of HIPAA Breach Notification Rule compliance. By standardizing your response from discovery through HHS and media notifications, you protect individuals, meet regulatory duties, and strengthen organizational trust.
FAQs
What information must be included in a HIPAA breach notification?
Your notice should describe what happened (including dates), list the types of PHI involved, explain steps individuals should take to protect themselves, outline what you are doing to investigate and mitigate the breach and prevent recurrence, and provide clear contact information for questions and assistance.
How soon must affected individuals be notified of a breach?
You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after breach discovery. If there is risk of imminent misuse, provide supplemental urgent notice (such as by phone) in addition to the required written notice.
When is media notification required?
If a breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. This is required in addition to individual and HHS notifications.
What are the penalties for non-compliance with the Breach Notification Rule?
HIPAA violations can result in civil monetary penalties that scale by culpability and can include corrective action plans and ongoing monitoring. Penalties increase with the scope of the breach, failure to notify, neglect of policies and training, or persistent non-compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.