HIPAA Downstream Breach Notification: Who Must Notify Whom and When
Covered Entity Notification to Individuals
Under the HIPAA breach notification rule, you—as a covered entity—must notify affected individuals when there is a breach of unsecured protected health information (PHI), including breaches that originate downstream at a business associate or its subcontractor. The covered entity's obligation to notify individuals remains in place unless your business associate agreement (BAA) expressly delegates individual notice to the business associate.
Provide written notice without unreasonable delay and no later than 60 calendar days after discovery. Send the notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice. If there is an urgent need to mitigate imminent misuse, you may also use telephone or other rapid means in addition to the written notice.
Scope in a downstream event
When a breach occurs at a vendor or subcontractor, treat it as your breach once reported to you by the business associate. Your duties to notify individuals, HHS, and, if applicable, the media, trigger based on your discovery date, not the vendor’s original incident date.
Covered Entity Notification to HHS
You must notify the U.S. Department of Health and Human Services (HHS) according to the HHS breach reporting timeline, which depends on the breach size:
- 500 or more affected individuals in a single state or jurisdiction: Notify HHS without unreasonable delay and in no case later than 60 calendar days from discovery, generally contemporaneous with individual notices.
- Fewer than 500 affected individuals: Maintain a breach log and submit it to HHS no later than 60 calendar days after the end of the calendar year in which the breaches were discovered.
HHS requires detailed incident information in the report, so coordinate early with your business associate to gather accurate counts, incident dates, and a narrative of what happened.
Covered Entity Notification to Media
Media notification is required when a breach affects 500 or more residents of a single state or jurisdiction. In that case, notify prominent media outlets serving the affected area without unreasonable delay and no later than 60 calendar days from discovery. The media notice should mirror the content of the individual breach notification at a high level and must not include PHI.
Media notice supplements, but does not replace, direct notice to individuals. Prepare consistent messaging across individual, HHS, and media notifications to prevent confusion.
Business Associate Notification to Covered Entity
Business associate breach reporting is mandatory. A business associate (BA) that discovers a breach of unsecured PHI—whether at the BA itself or at a downstream subcontractor—must notify the covered entity without unreasonable delay and no later than 60 calendar days from discovery.
What the BA must provide
- Identification of each affected individual, if known.
- A brief description of what happened, including dates of the breach and its discovery.
- The types of PHI involved (for example, names, Social Security numbers, diagnoses, treatment details).
- Any other available information the covered entity needs to complete individual, HHS, and media notices, provided promptly as it becomes available.
Your BAA should require subcontractors to agree to the same breach reporting duties and should set tighter internal notice clocks (for example, 5–10 days) to give you time to meet HIPAA deadlines.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Substitute Notice for Insufficient Contact Information
Substitute notice requirements apply when you lack sufficient or current contact information for some affected individuals.
- Fewer than 10 individuals: Use an alternative form of notice that is reasonably calculated to reach the person, such as telephone or other appropriate means.
- 10 or more individuals: Provide a conspicuous notice for at least 90 days either on your website home page or via major print or broadcast media in the geographic area where affected individuals likely reside. Include a toll-free number active for at least 90 days so people can determine whether they were impacted.
Do not include PHI in any substitute notice. Continue to send direct notices if valid contact information later becomes available.
Content of Individual Notification
To satisfy individual breach notification content requirements, your notice must be clear, concise, and include:
- A brief description of what happened, including the breach date and the date of discovery, if known.
- A description of the types of unsecured PHI involved (for example, full name, address, account numbers, clinical details), without revealing the PHI itself.
- Steps individuals should take to protect themselves, such as monitoring accounts, placing fraud alerts, or changing passwords.
- What you are doing to investigate, mitigate harm, and prevent future incidents (for example, vendor remediation, enhanced access controls, workforce training).
- Contact methods for questions or assistance, including a toll-free number, email address, website, or postal address.
Use plain language, avoid technical jargon, and keep the tone supportive. This helps individuals act promptly while reinforcing trust.
Timing Requirements for Notifications
HIPAA uses a “without unreasonable delay” standard with an outer limit of 60 calendar days from discovery for key notices. Discovery occurs on the first day the breach is known to you—or would have been known by exercising reasonable diligence—including knowledge by any workforce member or agent. Apply the same principle to business associates for their notice to you.
- To individuals: Without unreasonable delay and no later than 60 calendar days from discovery.
- To HHS: For 500+ individuals, within 60 calendar days of discovery; for fewer than 500, within 60 days after the end of the calendar year.
- To media: For 500+ residents in a state or jurisdiction, within 60 calendar days of discovery.
- BA to covered entity: Without unreasonable delay and no later than 60 calendar days from the BA’s discovery; BAAs often require shorter internal deadlines.
Conclusion
In a downstream HIPAA breach, the covered entity remains accountable for notifying individuals, HHS, and, when required, the media—while the business associate must promptly report upstream and supply details. Align BAAs to accelerate internal reporting, verify substitute notice options in advance, and prepare templates that satisfy HIPAA breach notification rule content and timing so you can act decisively when incidents arise.
FAQs
Who must notify individuals about a downstream HIPAA breach?
The covered entity is responsible for notifying individuals when unsecured PHI is breached, even if the incident occurred at a business associate or subcontractor. A BAA may delegate delivery of notices to the business associate, but the covered entity remains ultimately accountable.
When must a covered entity notify HHS of a breach?
For breaches affecting 500 or more individuals in a state or jurisdiction, notify HHS without unreasonable delay and no later than 60 calendar days from discovery. For fewer than 500, record the breach and report it to HHS within 60 days after the end of the calendar year in which the breach was discovered.
What are the requirements for business associates to notify covered entities?
Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach. They must identify affected individuals if known and provide the details the covered entity needs to complete individual, HHS, and media notices, supplying additional information as it becomes available.
When is substitute notice required for breach notifications?
Use substitute notice when contact information is insufficient or outdated. If fewer than 10 individuals are affected, use an alternative method reasonably likely to reach them. If 10 or more are affected, post a conspicuous website notice or use major print or broadcast media for at least 90 days and include a toll-free number active for the same period.