HIPAA Omnibus Breach Notification Rule Explained: What Covered Entities Must Do
Definition of Breach
The Breach Notification Rule requires covered entities and their business associates to assess any acquisition, access, use, or disclosure of protected health information (PHI) not permitted by the Privacy Rule. A breach is presumed unless you can demonstrate a low probability that PHI has been compromised based on a documented risk assessment.
The rule applies to unsecured PHI—information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. If PHI is properly secured, the event may not constitute a breach for notification purposes. Three narrow exceptions apply, such as good‑faith, within‑scope access by a workforce member without further use or disclosure.
Key distinctions
- Breach focuses on unsecured PHI; security incidents involving secured PHI may fall outside notification duties.
- Presumption of breach shifts the burden to you to perform and document a risk assessment.
- Both covered entities and business associates can “discover” a breach, starting the notification timeline.
Risk Assessment Requirements
To overcome the presumption of breach, you must evaluate and document the four risk assessment factors below and determine whether there is a low probability that PHI has been compromised. The assessment must be thorough, fact‑specific, and retained as part of your compliance records.
The four required factors
- Nature and extent of PHI involved, including types of identifiers and the likelihood of re‑identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which risk has been mitigated (for example, prompt retrieval or validated deletion).
Practical tips
- Use a consistent scoring method and keep contemporaneous notes, attachments, and decision rationale.
- Elevate complex cases (e.g., mixed systems, uncertain recipients) to your privacy and security leadership.
- If you cannot clearly establish low probability of compromise, treat the incident as a breach.
Notification Requirements
Notification Timing is “without unreasonable delay and in no case later than 60 calendar days” from discovery. Discovery occurs when the breach is known—or by reasonable diligence would have been known—by the covered entity or business associate.
Who must be notified
- Affected individuals: direct notice by first‑class mail or agreed‑upon electronic means.
- U.S. Department of Health and Human Services (HHS): within 60 days of discovery for breaches affecting 500 or more individuals; for breaches affecting fewer than 500, log the breach and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered.
- Media: if 500 or more residents of a state or jurisdiction are affected, provide prominent media notice in that area.
Content of the individual notice
- A brief description of what happened, including dates of breach and discovery.
- Types of Unsecured PHI involved (e.g., names, diagnoses, account numbers).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence.
- How to contact you (toll‑free number, email, or postal address).
Method and substitute notice
- If contact information is insufficient for fewer than 10 individuals, use an alternative method such as telephone.
- If it is insufficient for 10 or more, provide a conspicuous website posting or major media notice and maintain a toll‑free number for at least 90 days.
Law‑enforcement delay
If a law‑enforcement official determines that notice would impede a criminal investigation or threaten national security, you must delay notification for the period specified by the official.
Business Associate Obligations
Business Associates are directly liable under the Omnibus Rule. When a BA discovers a breach of Unsecured PHI, it must notify the covered entity without unreasonable delay and no later than 60 days after discovery, providing identities of affected individuals and all available details needed for the CE’s notices.
Flow‑down and coordination
- Subcontractors of Business Associates are themselves Business Associates and must report upstream promptly.
- BA agreements should specify notification timing, content, cooperation duties, and records retention.
- Covered Entities remain responsible for ensuring timely, accurate notifications—even if a BA sends notices on their behalf.
Encryption Safe Harbor
Incidents involving PHI that has been properly encrypted or destroyed generally are not breaches of Unsecured PHI. Encryption must align with recognized standards that render data unusable, unreadable, or indecipherable to unauthorized individuals.
What qualifies as “secured”
- Data at rest encrypted using strong, industry‑recognized algorithms and key management.
- Data in transit encrypted end‑to‑end.
- Media or paper destroyed so PHI cannot be reconstructed (e.g., shredding, secure wipe per accepted methods).
Password protection alone or simple encoding typically does not meet the safe harbor. When in doubt, treat the data as Unsecured PHI for Breach Notification Rule purposes.
Documentation and Compliance
Maintain written policies and procedures covering incident response, risk assessment, and breach notification. Train your workforce on how to recognize, escalate, and document potential incidents involving Protected Health Information (PHI).
Records to keep
- Risk assessments for each incident, including Risk Assessment Factors analysis and final determination.
- Copies of all notifications, media statements, and HHS submissions.
- Breach log for incidents affecting fewer than 500 individuals, kept current for annual reporting.
- Business associate agreements and evidence of BA communications and cooperation.
Retain required documentation for at least six years. Periodically test your breach response plan, validate contact processes, and review encryption, access controls, and audit logs to reduce the likelihood and impact of future events.
Enforcement and Penalties
The HHS Office for Civil Rights enforces the Breach Notification Rule through investigations, audits, resolution agreements with corrective action plans, and civil money penalties. Penalties are tiered by culpability—from violations a covered entity did not know about, to willful neglect not corrected—and are assessed per violation with annual caps that are adjusted for inflation.
Aggravating and mitigating factors include the number of individuals affected, duration of the violation, sensitivity of PHI, harm caused, and your history of compliance. State attorneys general may also bring civil actions, and egregious misconduct can be referred for criminal enforcement under separate statutes.
Conclusion
To comply with the HIPAA Omnibus Breach Notification Rule, build strong encryption and access controls, prepare a documented risk assessment method, set clear notification workflows with your Business Associates, and keep thorough records. Doing so helps you meet legal obligations, protect individuals, and reduce enforcement risk.
FAQs
What constitutes a breach under the HIPAA Omnibus Rule?
A breach is any acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises the security or privacy of the information. The rule presumes a breach unless you document, via risk assessment, a low probability that PHI has been compromised. Three narrow exceptions apply: good‑faith, within‑scope access by a workforce member; certain inadvertent intra‑entity disclosures between authorized persons; and situations where the recipient could not reasonably retain the information.
How soon must covered entities notify affected individuals?
You must notify without unreasonable delay and no later than 60 calendar days from discovery of the breach. The 60‑day clock starts when the incident is known—or should have been known with reasonable diligence—by your organization or its agents. Business Associates must notify the covered entity promptly so the covered entity can meet this deadline.
What are the exceptions to breach notification?
No individual notice is required when: (1) a workforce member or person acting under authority unintentionally accesses or uses PHI in good faith within scope and makes no further use or disclosure; (2) an authorized person inadvertently discloses PHI to another authorized person within the same entity or business associate; or (3) you have a good‑faith belief the unauthorized recipient could not reasonably retain the information. Additionally, incidents involving properly encrypted or destroyed PHI fall outside the rule’s definition of Unsecured PHI.
What are the penalties for non-compliance?
OCR can require corrective action plans and impose civil money penalties that escalate by culpability tier and are assessed per violation, with annual caps indexed to inflation. Factors such as scope, duration, sensitivity of PHI, harm, and prior history influence penalty amounts. State attorneys general may also pursue remedies, and severe misconduct can trigger criminal exposure under separate laws.