HIPAA Breach Notification to Individuals: Requirements, Timeline, and Steps to Comply

Kevin Henry

HIPAA

December 27, 2025

Definition of Breach

Under HIPAA, a breach is the acquisition, access, use, or disclosure of Protected Health Information (PHI) not permitted by the Privacy Rule that compromises the security or privacy of the PHI. A breach is presumed unless you demonstrate through a documented risk assessment that there is a low probability the PHI has been compromised. The Breach Notification Rule applies to Unsecured PHI—information not rendered unusable, unreadable, or indecipherable to unauthorized persons through approved encryption or destruction.

Some incidents are not considered breaches. These include certain unintentional good‑faith uses by workforce members within scope of authority, inadvertent disclosures between authorized persons within a covered entity or organized health care arrangement, and disclosures where the recipient could not reasonably retain the information. “Discovery” of a breach occurs on the first day it is known—or should reasonably have been known—to the covered entity or business associate, and the Breach Notification Timeline runs from that date.

Conducting Risk Assessment

A risk assessment determines whether the presumption of breach can be overcome. Your analysis must be specific to the incident, fact‑based, and thoroughly documented. If you conclude there is a low probability of compromise, you are not required to notify—but you must retain the assessment and rationale.

Required Risk Assessment Factors

  • Nature and extent of PHI involved: the types of identifiers, the level of sensitivity, and the likelihood of re‑identification.
  • Unauthorized person: who used the PHI or to whom it was disclosed, including their role, obligations, and access capabilities.
  • Whether PHI was actually acquired or viewed: indicators of access, exfiltration, or mere exposure without access.
  • Mitigation: the extent to which risk was reduced (e.g., immediate recovery, satisfactory attestations of destruction, or robust containment measures).

Documenting Your Analysis

Record the incident timeline, systems and records involved, Risk Assessment Factors considered, and your final determination. Note whether data was Unsecured PHI, what technical safeguards were present, and why mitigation steps were credible. This contemporaneous record is essential for compliance and future audits.

Individual Notification Requirements

Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Business associates must notify the covered entity without unreasonable delay and no later than 60 days, supplying the identities of affected individuals and all available information needed for individual notices. If law enforcement states that notification would impede an investigation or threaten national security, you must delay notice for the specified period (or 30 days if the request was initially oral and followed promptly in writing).

Content of the Individual Notice

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • The types of PHI involved (for example, names, addresses, diagnoses, medications, or account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • How to contact you: toll‑free number, email, postal address, or website. Use clear, plain language.

Method and Form

Provide written notice by first‑class mail to the individual’s last known address, or by email if the individual has agreed to electronic notice. For deceased individuals, send notice to the next of kin or personal representative when known. Use accessible formats upon request and track returned mail or bounced emails to determine if Substitute Notice is required.

Breach Notification Timeline

The Breach Notification Timeline begins on the date of discovery and does not pause for investigation. You should aim to notify as soon as practicable once you verify affected individuals and finalize accurate content; waiting the full 60 days without cause is discouraged. Build internal deadlines (for example, day 10 for preliminary findings, day 30 for final lists and letters) to ensure timely compliance.

Substitute Notice Procedures

Substitute Notice applies when standard contact information is insufficient or outdated. Your approach depends on how many individuals you cannot reach. Keep detailed logs of returned mail, undeliverable emails, and phone outreach attempts to demonstrate diligence.

When Fewer Than 10 Individuals Cannot Be Reached

Use an alternative form of notice reasonably calculated to reach the individual, such as telephone, email (if not previously consented for primary notice), or other written means. Document the method used and the reason the standard notice failed.

When 10 or More Individuals Cannot Be Reached

  • Provide a conspicuous website posting for at least 90 days or give notice in major print or broadcast media where affected individuals likely reside.
  • Include a toll‑free number active for at least 90 days so individuals can determine if they were affected.
  • Ensure the content mirrors the individual notice and is easy to find and read.

Media Notification Obligations

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. Media Notification Requirements mirror the individual notice content but are directed to the public through press or broadcast channels to expand reach.

Coordinate timing so individual notices and media outreach occur together. Prepare clear messaging that protects patient privacy while giving actionable guidance. Keep records of when and where media notifications were issued.

Notification to the Secretary of HHS

For breaches affecting 500 or more individuals, notify the Secretary of HHS without unreasonable delay and in no case later than 60 days from discovery. For breaches affecting fewer than 500 individuals, maintain a breach log and submit the accumulated incidents to HHS no later than 60 days after the end of the calendar year in which they were discovered.

Reports typically include a description of the incident, the number of individuals affected, the location and type of breach (e.g., email, paper, network server), and mitigation steps. Covered entities are ultimately responsible for reporting, though a business associate may handle submission if your agreement assigns that task.

Documentation and Compliance Strategies

Immediate Response Steps (Day 0–3)

  • Contain the incident: isolate affected systems, revoke unauthorized access, and preserve evidence.
  • Assemble your incident response team, including privacy, security, legal, and affected business units.
  • Begin your preliminary assessment to confirm whether Unsecured PHI was involved.

Investigation and Assessment (Day 0–10)

  • Identify data elements, volumes, and individuals involved; validate data accuracy against system logs.
  • Apply the Risk Assessment Factors and quantify residual risk after mitigation.
  • Decide whether notification is required; if yes, build the affected‑individual list with verified addresses.

Notification Execution (By Day 60)

  • Finalize plain‑language letters and FAQs; stand up a toll‑free help line.
  • Mail or email individual notices; initiate Substitute Notice if needed; prepare media notice for 500+ residents in a state or jurisdiction.
  • File required reports to the Secretary of HHS on the appropriate timetable.
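The thresholds and deadlines set out in the Individual Notification, Substitute Notice, Media Notification and HHS sections, encoded as a small deadline calculator an incident response team could keep next to its breach log. This is an added example, not code from the original article or from Accountable; the `BreachFacts` fields are assumptions, and the law enforcement delay is modeled simply as the written period or, when the request was only oral, 30 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60          # outer limit for individual, media and 500+ HHS notices
ORAL_LE_DELAY_DAYS = 30          # delay when a law-enforcement request was only oral
SUBSTITUTE_MEDIA_THRESHOLD = 10  # 10+ unreachable people: website posting or media
LARGE_BREACH_THRESHOLD = 500     # media notice (per state) and immediate HHS report

@dataclass
class BreachFacts:               # assumed field names, not from the article
    discovered: date             # first day the breach was known or should have been known
    affected_total: int          # individuals whose unsecured PHI was compromised
    max_in_one_state: int        # largest count of residents in any single state/jurisdiction
    unreachable: int = 0         # individuals whose mailed/emailed notice failed
    le_delay_days: int = 0       # written law-enforcement delay period, if any
    le_oral_only: bool = False   # request received orally, not yet confirmed in writing

def law_enforcement_delay(f: BreachFacts) -> timedelta:
    """Written request: the stated period; oral-only request: 30 days; otherwise none."""
    if f.le_delay_days > 0:
        return timedelta(days=f.le_delay_days)
    return timedelta(days=ORAL_LE_DELAY_DAYS if f.le_oral_only else 0)

def individual_deadline(f: BreachFacts) -> date:
    """60 calendar days from discovery, pushed out only by a law-enforcement delay."""
    return f.discovered + timedelta(days=NOTICE_WINDOW_DAYS) + law_enforcement_delay(f)

def media_deadline(f: BreachFacts):
    """Prominent media in a state is owed only when 500+ of its residents are affected."""
    if f.max_in_one_state < LARGE_BREACH_THRESHOLD:
        return None
    return f.discovered + timedelta(days=NOTICE_WINDOW_DAYS)

def hhs_deadline(f: BreachFacts) -> date:
    """500+ individuals: 60 days from discovery; fewer: 60 days after the calendar year ends."""
    if f.affected_total >= LARGE_BREACH_THRESHOLD:
        return f.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    return date(f.discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)

def substitute_notice(f: BreachFacts) -> str:
    """Which substitute-notice route applies, based on how many people could not be reached."""
    if f.unreachable == 0:
        return "none"
    if f.unreachable < SUBSTITUTE_MEDIA_THRESHOLD:
        return "alternative contact (phone, email or other written means)"
    return "website posting or major media for 90 days plus toll-free number for 90 days"
```

Note that a breach of fewer than 500 individuals discovered late in December still lands on the annual HHS log, so its HHS deadline falls only about two months after the individual notice deadline.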

Ongoing Remediation

  • Offer protective services when appropriate (e.g., credit monitoring for financial data exposures).
  • Correct root causes: patch systems, strengthen access controls, and enhance monitoring.
  • Update workforce training and test incident response through tabletop exercises.

Documentation Retention

Retain your breach log, risk assessments, determinations, copies of all notices, media materials, HHS submissions, proof of delivery, business associate communications, mitigation records, and policy updates for at least six years from creation or last effective date. Strong Documentation Retention supports audits, demonstrates compliance, and shortens future investigations.

Conclusion

Effective HIPAA Breach Notification to Individuals hinges on a disciplined risk assessment, a clear Breach Notification Timeline, and precise execution of individual, substitute, media, and HHS reporting duties. Build repeatable procedures, verify contact data early, and document every decision so you can protect individuals and prove compliance.

FAQs

What is considered a breach under HIPAA?

A breach is any impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. It is presumed to be a breach unless a documented risk assessment shows a low probability of compromise, or the incident fits a narrow exception (such as certain good‑faith, within‑scope uses) or the PHI was secured through approved encryption or destruction.

How soon must individuals be notified after a breach?

You must notify individuals without unreasonable delay and no later than 60 calendar days after discovery. The clock starts when the incident is known—or should reasonably have been known—to your organization. If law enforcement requests a delay because notice would impede an investigation, you must postpone notification for the specified period.

When is substitute notice required?

Provide Substitute Notice when standard contact information is insufficient or outdated. If fewer than 10 individuals cannot be reached, use an alternative method reasonably calculated to reach them. If 10 or more cannot be reached, post a conspicuous website notice or use major print or broadcast media for at least 90 days and include a toll‑free number for inquiries.

What documentation must be retained after a breach?

Keep the incident log, your risk assessment and determination, copies of all individual and media notices, HHS submissions, delivery proofs, business associate notifications, mitigation actions, and policy or training updates. Maintain these records for at least six years to meet HIPAA’s documentation requirements and to support audits.
