HIPAA Breach Notification Rule vs Enforcement Rule: Differences, Requirements, and Penalties
Breach Notification Rule Overview
What triggers the rule
The Breach Notification Rule applies when there is an impermissible acquisition, access, use, or disclosure of protected health information that compromises privacy or security. A breach is presumed unless you can demonstrate, through a documented risk assessment, a low probability that PHI has been compromised.
Unsecured protected health information
The rule focuses on breaches of unsecured protected health information—PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. Proper encryption or destruction can qualify as a safe harbor, meaning incidents involving properly secured data typically do not trigger notification duties.
Risk assessment factors
- Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification.
- Identity of the unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed, or only the opportunity existed.
- The extent to which risks have been mitigated, such as obtaining assurances or retrieving the data.
Who must notify
Covered entities must notify affected individuals after discovering a breach involving unsecured PHI. Business associates must notify the covered entity of breaches they discover so the covered entity can meet its obligations.
Enforcement Rule Procedures
How cases begin
Under the Enforcement Rule, the Office for Civil Rights (OCR) at HHS initiates investigations based on complaints, breach reports, compliance reviews, or referrals. OCR assesses whether HIPAA requirements were met and whether corrective steps are needed.
Investigations and compliance reviews
OCR may request policies, procedures, training records, risk analyses, and incident documentation. It can open compliance reviews even in the absence of a complaint, especially following large breaches or signals of systemic noncompliance.
Findings and resolution pathways
- Informal resolution with technical assistance or voluntary compliance where appropriate.
- Resolution agreements that include detailed corrective action plans and monitoring.
- Imposition of civil monetary penalties when violations warrant stronger enforcement.
- Formal processes, including notices of proposed determination, opportunities for a hearing before an administrative law judge, and appeals.
Notification Requirements Compliance
Who to notify and when
- Individuals: Provide written notice without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: For breaches affecting 500 or more individuals, notify the Secretary without unreasonable delay and within 60 days of discovery. For fewer than 500, maintain a log and report to HHS within 60 days after the end of the calendar year in which the breaches were discovered.
- Media: If a breach affects 500 or more residents of a state or jurisdiction, notify prominent media outlets serving that area within 60 days of discovery.
- Business associates: Must notify the covered entity without unreasonable delay and no later than 60 days after discovery, identifying each affected individual and supplying the details available at that time.
Content of the notifications
- Brief description of what happened, including dates of the breach and discovery.
- Types of information involved (for example, names, Social Security numbers, medical diagnoses).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence.
- Contact methods, including a toll-free number, email, or postal address.
Methods, substitutes, and delays
- Use first-class mail or email if the individual has agreed to electronic notice.
- If contact information is insufficient for fewer than 10 individuals, use an alternative such as telephone or other reasonable substitute notice. For 10 or more, provide a conspicuous website posting for at least 90 days or notice via major print or broadcast media in the affected area.
- Delay notices if a law enforcement official states that notification would impede a criminal investigation or threaten national security; resume once the delay period ends.
Operationalizing compliance
- Maintain an incident response plan with clear breach triage, documentation, and decision criteria.
- Run tabletop exercises so teams can meet the 60-day clock, including coordination with business associates.
- Preserve evidence and maintain a breach log to support potential compliance reviews.
Penalty Structure and Severity
Four-tier framework for civil monetary penalties
- No knowledge: You did not know and, with reasonable diligence, would not have known of the violation.
- Reasonable cause: A violation occurred despite reasonable efforts to comply.
- Willful neglect—corrected: The violation resulted from willful neglect but was corrected within the required time.
- Willful neglect—not corrected: The most severe category, leading to the highest civil monetary penalties.
Penalty amounts are assessed per violation and may be subject to annual caps. HHS adjusts penalty amounts for inflation periodically, and each day a violation persists can constitute a separate violation.
Factors that influence amounts
- Nature and extent of the violation, including number of individuals and sensitivity of the PHI.
- Duration of noncompliance and whether policies, training, and safeguards were in place.
- History of prior violations, level of cooperation, and post-incident mitigation.
- Financial condition and the potential impact of penalties on the entity’s ability to provide care.
Settlement alternatives
Instead of or in addition to penalties, OCR may negotiate resolution agreements that impose corrective action plans with multi-year monitoring. These agreements often require leadership accountability, independent assessments, and regular reporting.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Scope and Application of Rules
Both rules apply to covered entities—health plans, most health care providers that conduct standard transactions, and health care clearinghouses—and to their business associates and applicable subcontractors. They cover PHI in any form, whether electronic, paper, or oral.
The Breach Notification Rule applies to breaches of unsecured protected health information. The Enforcement Rule governs how HHS investigates, conducts compliance reviews, and applies civil monetary penalties or other remedies for HIPAA violations across Privacy, Security, and Breach Notification requirements.
De-identified information and properly secured data generally fall outside breach notification. State privacy laws may impose additional duties; you should incorporate them into your incident response playbooks.
Role of the Department of Health and Human Services
HHS, through the Office for Civil Rights, issues guidance, investigates complaints and breach reports, and conducts compliance reviews. OCR can require corrective action plans, negotiate resolution agreements, and impose civil monetary penalties when necessary.
HHS also maintains a public breach reporting portal for incidents affecting 500 or more individuals, analyzes trends, and provides technical assistance to help you strengthen safeguards and sustain compliance.
Corrective Actions and Criminal Penalties
What corrective action plans include
- Comprehensive risk analysis and risk management addressing security gaps.
- Policy and procedure updates, workforce training, and role-based access controls.
- Vendor governance, including business associate diligence and contract enforcement.
- Incident response improvements, testing, and periodic reporting to OCR.
Criminal penalties for PHI misuse
When conduct involves intentional wrongful disclosures or access, cases may be referred to the Department of Justice. Criminal penalties for PHI misuse can include substantial fines and, for aggravated offenses committed for personal gain, malicious harm, or commercial advantage, imprisonment of up to 10 years.
Conclusion
The Breach Notification Rule tells you when and how to notify after incidents involving unsecured protected health information; the Enforcement Rule defines how HHS investigates and penalizes noncompliance. Building strong safeguards, documenting decisions, and acting quickly after an incident minimize risk, reduce exposure to civil monetary penalties, and protect patients’ trust.
FAQs
What are the notification timelines under the Breach Notification Rule?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If 500 or more individuals are affected, notify HHS within 60 days of discovery; for fewer than 500, report to HHS within 60 days after the end of the calendar year in which the breach was discovered. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery. Notices may be delayed if law enforcement determines that immediate notification would impede an investigation.
How does the Enforcement Rule determine penalty amounts?
OCR applies a four-tier framework tied to culpability—from no knowledge to willful neglect not corrected—and sets civil monetary penalties per violation, subject to annual caps. Amounts are adjusted for inflation and reflect factors such as the nature and extent of the violation, number of individuals affected, duration, mitigation efforts, cooperation, and the entity’s compliance history and financial condition.
When is media notification required for a breach?
Media notification is required when a breach involves unsecured protected health information of 500 or more residents of a state or jurisdiction. In that case, you must provide notice to prominent media outlets serving the affected area without unreasonable delay and within 60 days of discovery, in addition to notifying affected individuals and HHS.
What actions can HHS take for HIPAA violations?
HHS, through OCR, can provide technical assistance, seek voluntary compliance, conduct compliance reviews, negotiate resolution agreements with corrective action plans and monitoring, impose civil monetary penalties, and refer matters for criminal prosecution when warranted.