HIPAA Breach Notification to the Media: Requirements, Timelines, and How to Comply
Media Notification Requirement
Under the HIPAA Breach Notification Rule, covered entities must notify prominent media outlets when a breach involves more than 500 residents of a single state or smaller jurisdiction. This media notice is in addition to individual notifications and reporting to HHS; it does not replace them.
Covered entity obligations include assessing whether unsecured protected health information (PHI) was compromised and whether the >500-resident threshold is met within any one state or jurisdiction. If 600 residents of State A are affected, you must notify media serving State A, even if the total breach spans multiple states.
“Prominent media outlets” typically include widely read newspapers, major broadcast stations, or digital news platforms that serve the affected area. To satisfy the media outreach requirement, distribute a press statement or release to these outlets; posting only on your own website is not sufficient.
Business associates do not notify the media directly; they must notify the covered entity so the covered entity can fulfill media notice duties.
Notification Timeline
You must issue the media notification without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Discovery occurs on the date the breach is known—or by exercising reasonable diligence should have been known—by any workforce member or agent.
A lack of complete facts does not justify delay. Provide an initial, accurate notice within the 60-day window and follow with updates as you verify details. If law enforcement determines that notice would impede a criminal investigation, you may delay, but only for the duration and under the conditions they specify.
Coordinate incident reporting timelines across individual notices, HHS reporting, and media outreach to avoid contradictions. Remember that business associate agreements (BAAs) often include shorter internal reporting deadlines so you can meet the 60-day external requirement.
Content of Media Notification
Align your press release with HHS Breach Notification Guidance and 45 CFR 164.404(c). Write in clear, plain language and do not include any PHI about specific individuals. Your notice should include:
- A brief description of what happened, including the date of the breach and the date of discovery, if known.
- The types of PHI involved (for example, names, addresses, dates of birth, medical record numbers, diagnoses, treatment information, or health plan data).
- Steps affected individuals should take to protect themselves, such as monitoring accounts or placing fraud alerts.
- What you are doing to investigate, mitigate harm, and prevent future incidents (e.g., containment, enhanced safeguards, workforce training).
- Clear contact methods for questions: a toll-free number, email address, and/or postal address available for an appropriate period.
Ensure consistency across all channels: the facts, scope, and protective steps in your media notice should mirror individual notifications and your HHS submission.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Substitute Notice Procedures
Substitute notice applies to individual notifications when you lack sufficient or current contact information; it is separate from the >500-resident media notification requirement. Use these substitute notice criteria:
- Fewer than 10 individuals with insufficient contact information: provide notice by an alternative means such as telephone, email, or other permissible method.
- 10 or more individuals with insufficient contact information: provide a conspicuous website posting for at least 90 days or notice in major print or broadcast media where individuals likely reside, and include a toll-free number active for at least 90 days.
If the breach affects more than 500 residents of a state or jurisdiction, you must still provide media notification even if you also use substitute notice for unreachable individuals.
Business Associate Breach Notifications
Business associate responsibilities include notifying the covered entity without unreasonable delay and no later than 60 calendar days after the BA discovers a breach. BAAs commonly require shorter incident reporting timelines (for example, 5–15 days) to give the covered entity time to meet external deadlines.
The BA’s notice to the covered entity should identify each affected individual (if possible) and include available details about the breach, the PHI involved, and any mitigation already undertaken. Subcontractors must notify the BA, which then notifies the covered entity.
Steps to Comply with HIPAA Media Notification
- Confirm a breach occurred: perform the HIPAA risk assessment (nature/extent of PHI, unauthorized party, whether PHI was actually acquired/viewed, and mitigation). If PHI is properly encrypted, the event may not be reportable.
- Scope by geography: determine the number of affected residents per state or jurisdiction to see where the >500 threshold is met.
- Set timelines and owners: establish an incident response clock, assign leads for investigation, legal, privacy, communications, and vendor management, and track all deadlines.
- Draft the press release: incorporate required content, avoid PHI, use plain language, and prepare Q&A for reporters to maintain consistent messaging.
- Distribute to prominent media: send to major outlets serving each affected state/jurisdiction; document recipients, dates, and copies of notices for audit readiness.
- Align parallel notices: synchronize individual letters/emails, substitute notice (if needed), and HHS submissions to ensure accuracy and consistency.
- Stand up support: provide a staffed call center, publish a consumer-friendly notice on your site, and monitor inbound inquiries and media coverage.
- Document and improve: retain incident records and decisions for at least six years, update policies, strengthen safeguards, and train workforce members.
Enforcement and Penalties for Non-Compliance
Large breaches trigger HHS Office for Civil Rights (OCR) scrutiny. OCR may require corrective action plans, ongoing monitoring, and civil monetary penalties based on the level of culpability (from reasonable cause to willful neglect). State attorneys general may also enforce privacy laws, and contractual partners may impose sanctions.
Failure to meet media notice obligations—missing the 60-day deadline, omitting required content, or neglecting a state/jurisdiction that crosses the 500-resident threshold—can heighten enforcement risk. Thorough documentation, timely action, and alignment with HHS Breach Notification Guidance demonstrate good-faith compliance.
Bottom line: know when media notification is required, communicate promptly and accurately, and operationalize your media outreach compliance playbook so you can meet the Breach Notification Rule with confidence.
FAQs
What triggers the requirement for media notification under HIPAA?
You must notify prominent media outlets when a breach of unsecured PHI affects more than 500 residents of a single state or jurisdiction. This media notice is in addition to individual notices and HHS reporting.
How soon must media be notified after a breach discovery?
Issue the media notice without unreasonable delay and no later than 60 calendar days after discovering the breach. The clock starts when the incident is known—or should reasonably have been known—by your workforce or agents.
What information must be included in the media breach notification?
Provide a plain-language description of what happened (including breach and discovery dates), the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and clear contact details. Do not include PHI about specific individuals.
When is substitute notice required for a HIPAA breach?
Use substitute notice for individual notifications when you lack sufficient contact information: alternative means if fewer than 10 individuals are unreachable, or a 90-day website posting or major media notice (with a 90-day toll-free number) if 10 or more individuals are unreachable. This is separate from the >500-resident media notification requirement.