HIPAA Breach Notification Rule: Purpose, Requirements, and Compliance Explained


Kevin Henry

HIPAA

April 29, 2024


Overview of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule sets national standards for what you must do when unsecured Protected Health Information (PHI) is compromised. It applies to Covered Entities (health plans, health care providers, and health care clearinghouses) and their Business Associates that create, receive, maintain, or transmit PHI on their behalf.

The rule’s purpose is straightforward: ensure timely, transparent communication to affected individuals, the Office for Civil Rights (OCR), and, in some cases, the media. If PHI is secured—rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, via strong encryption)—the event generally does not trigger notification.

  • Focus: prompt, accurate notice to reduce harm from misuse of PHI.
  • Scope: incidents involving unsecured PHI held by Covered Entities and Business Associates.
  • Core tasks: investigate, perform a Breach Risk Assessment, follow Breach Notification Timelines, and document decisions.

Breach Definition and Risk Assessment

What counts as a breach?

A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. The rule presumes a breach has occurred unless you can demonstrate a low probability that the PHI has been compromised.

Three regulatory exceptions

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under authority, in good faith, within scope of employment.
  • Inadvertent disclosure by an authorized person to another authorized person within the same organization (or Business Associate) where both are permitted to access the PHI.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information.

Breach Risk Assessment: the four factors

To overcome the presumption of breach, document a Breach Risk Assessment addressing:

  • Nature and extent of PHI involved (types of identifiers, sensitivity, and likelihood of re-identification).
  • The unauthorized person who used the PHI or to whom the disclosure was made (and their relationship to you).
  • Whether the PHI was actually acquired or viewed.
  • The extent to which risk has been mitigated (for example, prompt retrieval, reliable destruction, or valid confidentiality assurances).

Discovery and when the clock starts

The “discovery” date is when the breach is known—or would have been known with reasonable diligence—by the organization. From discovery, Breach Notification Timelines begin, regardless of when you complete the assessment confirming a breach.

Notification Requirements and Timelines

Who must be notified

  • Affected individuals: required for all reportable breaches.
  • OCR (HHS): required for all reportable breaches; timing depends on the number of affected individuals.
  • Media: required when a breach affects 500 or more residents of a single state or jurisdiction.

Deadlines you must meet

  • Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
  • OCR: for breaches involving 500 or more individuals, within 60 days of discovery; for fewer than 500, report within 60 days after the end of the calendar year in which the breach was discovered.
  • Media: if 500+ residents of a state or jurisdiction are affected, without unreasonable delay and no later than 60 days after discovery.

How to notify

  • Method: written notice by first-class mail or by email if the individual has agreed to electronic notice.
  • Substitute notice: if contact information is insufficient, provide alternative notice; when 10 or more individuals lack valid contact details, use a conspicuous website posting or major media, and include a toll-free number active for a set period to assist callers.
  • Content: a clear description of what happened (including dates), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and contact information.
  • Law enforcement delay: you may delay notifications if an authorized official determines notice would impede a criminal investigation or damage national security.

Roles of Covered Entities and Business Associates

Covered Entities are ultimately responsible for providing notifications to individuals, the media (when applicable), and OCR. Business Associates must notify the Covered Entity without unreasonable delay—no later than 60 days after discovery—and provide details to support the Covered Entity’s notices, including identification of affected individuals and the nature of the PHI involved.

Business Associate Agreements should specify reporting timeframes (often shorter than the regulatory maximum), required incident details, cooperation in investigation and mitigation, and downstream obligations for subcontractors. Both parties must coordinate messaging to ensure accuracy and consistency.


Enforcement and Penalties

OCR enforces the Breach Notification Rule through complaint reviews, breach investigations, audits, and technical assistance. Noncompliance can result in civil monetary penalties under a tiered framework tied to culpability, with per-violation amounts and annual caps adjusted for inflation. Willful neglect not corrected within required timeframes carries the highest exposure.

Criminal enforcement may apply to knowing wrongful disclosures of PHI, including offenses committed for commercial advantage, personal gain, or malicious harm. Beyond Civil and Criminal Penalties, OCR often resolves matters through corrective action plans, monitoring, and settlements that require specific program improvements.

Risk Mitigation Strategies

Preventive controls

  • Encrypt PHI at rest and in transit to take advantage of the encryption “safe harbor.”
  • Harden access: multifactor authentication, least-privilege access, role-based controls, and timely termination of access.
  • Data loss prevention and audit logging to detect exfiltration and inappropriate access.
  • Vendor risk management: due diligence, Business Associate Agreements, and ongoing oversight of subcontractors.

Response readiness

  • Maintain and test an incident response plan with clear breach triage, documentation, decision-making, and approval workflows.
  • Train your workforce regularly on Privacy and Security Rule requirements and reporting channels.
  • Prepare notification templates and contact data hygiene processes to speed accurate outreach.
  • Document everything: the incident, your Breach Risk Assessment, mitigation steps, and final determinations.

Reporting to Regulatory Authorities

Report breaches to the Office for Civil Rights according to the thresholds and timelines described above. Provide accurate counts, dates of breach and discovery, types of PHI involved, a description of the incident, mitigation measures, and your corrective actions. Maintain a log of smaller breaches to submit after year-end and ensure records retention supports future audits or investigations.

Keep in mind that HIPAA requirements operate alongside state data breach laws. Where both apply, follow the most protective standard and meet each law’s timelines and content requirements.

Conclusion

The HIPAA Breach Notification Rule requires you to act quickly and transparently when unsecured PHI is compromised. Determine whether a breach occurred through a documented Breach Risk Assessment, meet all Breach Notification Timelines, coordinate roles between Covered Entities and Business Associates, and strengthen controls to reduce future risk.

FAQs

What triggers the HIPAA Breach Notification Rule?

The rule is triggered by the acquisition, access, use, or disclosure of unsecured PHI in violation of the Privacy Rule that compromises the security or privacy of the information. A breach is presumed unless your documented Breach Risk Assessment shows a low probability of compromise or a regulatory exception applies; encrypted PHI meeting recognized standards generally falls outside the notification requirement.

Who must comply with the breach notification requirements?

Both Covered Entities and Business Associates must comply. Covered Entities notify affected individuals, OCR, and—in some cases—the media. Business Associates must notify the Covered Entity without unreasonable delay and provide the information needed for required notices; subcontractors must report incidents to the upstream Business Associate or Covered Entity per their agreements.

What are the deadlines for notifying affected individuals?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. If contact details are insufficient, you must provide substitute notice and additional outreach consistent with the rule; for large incidents, you may also need media notice within the same 60-day window.

How does OCR enforce HIPAA breach notifications?

OCR investigates reported breaches and complaints, requests documentation (including your Breach Risk Assessment and policies), and can impose civil monetary penalties or require corrective action plans and monitoring. For egregious or willful violations, matters can involve Civil and Criminal Penalties under applicable statutes.
