HIPAA Breach Notification Rule Purpose: Requirements, Timelines, and Response Checklist
The HIPAA Breach Notification Rule sets the framework for how you, as a covered entity or business associate, must respond when unsecured protected health information is compromised. This guide clarifies core requirements, notification timelines, and practical Breach Notification Procedures so you can act quickly and compliantly.
Overview of HIPAA Breach Notification Rule
The Rule requires Covered Entities and their Business Associates to notify individuals, the U.S. Department of Health and Human Services (HHS), and sometimes the media after certain incidents involving Unsecured Protected Health Information. A “breach” is generally an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy, unless a documented risk assessment shows a low probability of compromise.
Core principles
- Presumption of breach unless a risk assessment (nature of data, recipient, whether data was viewed/acquired, and mitigation) demonstrates low probability of compromise.
- Notifications must be provided without unreasonable delay and within defined deadlines.
- Documentation of decisions, actions, and timelines is essential for compliance.
Response Checklist
- Contain the incident: stop the leakage, secure systems, recover devices, and preserve logs.
- Launch a risk assessment: identify data elements, volume, recipients, and mitigation taken.
- Determine if Unsecured Protected Health Information is involved; if yes, apply notification requirements.
- Start Breach Notification Procedures: draft content, choose delivery methods, and plan any Substitution Notice.
- Calculate deadlines for individual notice, HHS reporting, and media notice (if applicable).
- Coordinate with Business Associates and law enforcement; document any Law Enforcement Delay.
- Implement remediation and preventive controls; retain records and assessments for at least six years.
Definition of Unsecured Protected Health Information
Protected Health Information (PHI) is “unsecured” when it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through technologies or methodologies recognized by HHS (for example, strong encryption or proper destruction). If PHI is properly secured and the decryption key is not compromised, the Breach Notification Rule generally is not triggered.
Practical examples
- Lost unencrypted laptop containing ePHI: typically involves Unsecured Protected Health Information and triggers breach analysis.
- Properly encrypted database attacked but keys remain secure: typically not unsecured PHI and may not require notification.
- Paper records discarded without destruction: usually unsecured; secure disposal methods prevent this.
Notification Timelines and Deadlines
You must act “without unreasonable delay” and no later than 60 calendar days from discovery of a breach. Discovery occurs on the first day the breach is known, or by exercising reasonable diligence should have been known, to the Covered Entity or Business Associate.
Deadlines at a glance
- Individuals: written notice without unreasonable delay and no later than 60 days after discovery.
- HHS Secretary:
- 500 or more affected individuals: report contemporaneously with the individual notices, without unreasonable delay and no later than 60 days after discovery, through the HHS breach reporting portal.
- Fewer than 500: log the breach and report it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered (not the year in which it occurred).
- Media notice: if more than 500 residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area within 60 days of discovery. Note the two thresholds differ at exactly 500: a breach affecting exactly 500 people triggers immediate HHS reporting but not media notice.
- Business Associate to Covered Entity: without unreasonable delay and no later than 60 days after the Business Associate discovers the breach (contract terms may require shorter timeframes).
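The deadline rules above fit in a small calculator, which is worth having because the two 500-person thresholds are different comparisons and the annual-log deadline is keyed to the year of discovery rather than the year of the incident. The following is an added example written for this page, not code from the original article or from Accountable. It assumes that a documented law enforcement delay pushes every deadline out by the requested number of days (the Rule only says to delay for the period requested; confirm with counsel how you document it), and all sample breaches are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Deadlines and thresholds from the Rule (45 CFR 164.404, 164.406, 164.408).
# Note the two 500-person thresholds are different comparisons.
INDIVIDUAL_NOTICE_DAYS = 60     # individual notice: no later than 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500   # 500 OR MORE individuals: HHS report goes with the individual notice
MEDIA_THRESHOLD = 500           # MORE THAN 500 residents of one state/jurisdiction: media notice
ANNUAL_LOG_GRACE_DAYS = 60      # under 500: report within 60 days after the end of the year of discovery


@dataclass
class NotificationPlan:
    individual_notice_due: date
    hhs_report_due: date
    hhs_report_mode: str            # "contemporaneous" or "annual_log"
    media_notice_due: dict          # jurisdiction -> deadline, only where a media notice is required
    law_enforcement_delay_days: int

    def to_dict(self) -> dict:
        """ISO-8601 view for tickets, logs or the breach register."""
        return {
            "individual_notice_due": self.individual_notice_due.isoformat(),
            "hhs_report_due": self.hhs_report_due.isoformat(),
            "hhs_report_mode": self.hhs_report_mode,
            "media_notice_due": {j: d.isoformat() for j, d in self.media_notice_due.items()},
            "law_enforcement_delay_days": self.law_enforcement_delay_days,
        }


def plan_notifications(discovered: str, residents_by_jurisdiction: dict,
                       law_enforcement_delay_days: int = 0) -> NotificationPlan:
    """Derive every deadline the Rule imposes for one breach.

    discovered: ISO date of the first day the breach was known, or should
    have been known with reasonable diligence (this starts the clock, not
    the date the incident occurred).
    residents_by_jurisdiction: affected residents per state/jurisdiction,
    e.g. {"CA": 501, "NV": 20}.
    """
    total = sum(residents_by_jurisdiction.values())
    if total <= 0:
        raise ValueError("no affected individuals: nothing to notify")
    if law_enforcement_delay_days < 0:
        raise ValueError("law enforcement delay must be non-negative")

    discovered_on = date.fromisoformat(discovered)
    # Assumption used here: a documented law enforcement delay pushes every
    # deadline out by the requested period. Keep the request with the plan.
    shift = timedelta(days=law_enforcement_delay_days)
    individual_due = discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS) + shift

    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_due, mode = individual_due, "contemporaneous"
    else:
        # The annual log is keyed to the calendar year of *discovery*.
        year_end = date(discovered_on.year, 12, 31)
        hhs_due, mode = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS) + shift, "annual_log"

    media = {j: individual_due for j, n in residents_by_jurisdiction.items() if n > MEDIA_THRESHOLD}
    return NotificationPlan(individual_due, hhs_due, mode, media, law_enforcement_delay_days)


def days_remaining(deadline_iso: str, today_iso: str) -> int:
    """Days left before an ISO deadline; negative means it has already passed."""
    return (date.fromisoformat(deadline_iso) - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Constructed sample: 500 Californians and 20 Nevadans, discovered 2024-03-01.
    # Total is 520 (HHS report is contemporaneous) but no single jurisdiction
    # exceeds 500, so no media notice is required.
    plan = plan_notifications("2024-03-01", {"CA": 500, "NV": 20})
    for key, value in plan.to_dict().items():
        print(f"{key}: {value}")
    print("days left for individual notice as of 2024-04-25:",
          days_remaining(plan.to_dict()["individual_notice_due"], "2024-04-25"))
```

Feed it the per-jurisdiction counts from your risk assessment rather than a single total: the media rule is evaluated per state, so 300 residents in each of three states never triggers media notice even though the HHS report is contemporaneous. A Business Associate can reuse the same function with its own discovery date to compute the 60-day ceiling for reporting to the Covered Entity, but should substitute any shorter contractual period.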
Law Enforcement Delay
If a law enforcement official states that notification would impede a criminal investigation or damage national security, you must delay notice for the period requested. A written statement specifies the delay period; an oral statement must be documented (including the identity of the official) and permits a delay of no more than 30 days from the date of the oral statement unless a written statement is submitted in the meantime.
Content Requirements for Individual Notifications
Your individual notification must be clear, concise, and actionable. It should enable affected people to understand what happened and how to protect themselves.
Required elements
- A brief description of what happened, including the date of the breach and the date of discovery (if known).
- A description of the types of information involved (for example, names, addresses, dates of birth, medical record numbers, diagnoses).
- Steps the individual should take to protect themselves (such as monitoring accounts or placing fraud alerts).
- What your organization is doing to investigate, mitigate harm, and prevent future incidents.
- Contact procedures for more information (toll-free number, email, website, or postal address).
Clarity and accessibility
- Use plain language and avoid technical jargon.
- Offer alternative formats or languages, as appropriate, to ensure comprehension.
- Avoid including additional PHI in the notification itself.
Methods and Media Notification Criteria
Deliver individual notices by first-class mail to the last known address or by email if the individual has agreed to electronic notice. For deceased individuals, provide notice to the next of kin or personal representative when known.
Substitution Notice
- Fewer than 10 individuals with insufficient or outdated contact information: use an alternative method such as telephone, email, or other written notice.
- 10 or more individuals with insufficient or outdated contact information: provide substitute notice by a conspicuous website posting for at least 90 days or through major print or broadcast media in areas where affected individuals likely reside, and include a toll‑free number active for at least 90 days.
- Imminent misuse: you may use telephone or other expedient means in addition to written notice.
Media notification
- If a breach affects more than 500 residents of a single state or jurisdiction, issue a media notice (such as a press release) to prominent media outlets serving that area within 60 days of discovery. The threshold is per jurisdiction, so a breach spread thinly across many states may require HHS reporting without any media notice.
Business Associate Breach Reporting
Business Associate Reporting Obligations require prompt escalation to the Covered Entity. A Business Associate must notify the Covered Entity without unreasonable delay and no later than 60 days after discovering a breach, and must identify each affected individual to the extent possible.
What Business Associates should provide
- A description of what happened and when it was discovered.
- The types of Unsecured Protected Health Information involved.
- Preliminary mitigation taken and additional steps underway.
- Names or other identifying information of affected individuals, if known, and any information the Covered Entity needs to meet notification requirements.
- Ongoing cooperation, including forensic findings, subcontractor coordination, and documentation for audits.
Enforcement and Penalties for Noncompliance
The HHS Office for Civil Rights enforces the Rule. Civil Monetary Penalties may apply on a per‑violation basis under a four‑tier structure (ranging from “did not know” to “willful neglect not corrected”), with annual caps per identical violation and amounts adjusted for inflation. Enforcement may also include resolution agreements and corrective action plans.
Factors that influence outcomes
- Nature and extent of the violation and resulting harm.
- Size, resources, and compliance history of the organization.
- Timeliness of breach discovery, mitigation, and notification.
- Effectiveness of risk management, training, and technical safeguards.
Practical risk‑reduction tips
- Encrypt data at rest and in transit; retire legacy systems that cannot be secured.
- Use least‑privilege access, MFA, and rapid account revocation.
- Test incident response and Breach Notification Procedures at least annually.
- Vet and monitor Business Associates; cascade security obligations to subcontractors.
- Document every decision, assessment, and notification step.
Conclusion
The HIPAA Breach Notification Rule centers on timely action, clear communication, and demonstrable risk management. By securing PHI, executing a disciplined response checklist, meeting all timelines, and coordinating with Covered Entities, Business Associates, and law enforcement when needed, you minimize harm, satisfy legal obligations, and reduce exposure to Civil Monetary Penalties.
FAQs
What qualifies as a breach under the HIPAA Notification Rule?
Generally, it is an impermissible acquisition, access, use, or disclosure of PHI that compromises its privacy or security. The incident is presumed a breach unless a documented risk assessment shows a low probability of compromise. Three narrow exceptions apply: good‑faith, unintentional acquisition or use by a workforce member acting within the scope of their authority; inadvertent disclosure between persons authorized to access PHI at the same Covered Entity or Business Associate; and disclosures where the recipient could not reasonably have retained the information. In every case the PHI must not be further used or disclosed in a manner the Privacy Rule does not permit.
When must affected individuals be notified of a breach?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. The 60‑day clock starts on the date the breach is discovered, or should have been discovered with reasonable diligence.
What are the penalties for failing to comply with the Breach Notification Rule?
Enforcement by HHS OCR can include Civil Monetary Penalties under a four‑tier system, with per‑violation amounts and annual caps adjusted for inflation. OCR may also require corrective action plans and monitoring. Penalties increase with willful neglect and failures to correct.
Can notification be delayed for law enforcement reasons?
Yes. If a law enforcement official states that notification would impede a criminal investigation or damage national security, notification must be delayed for the period requested. A written statement specifies the delay; an oral statement must be documented and supports a delay of no more than 30 days unless a written statement follows.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.