HIPAA Omnibus Final Rule Breach Notification: Risk Assessment Standard Explained
The HIPAA Omnibus Final Rule reshaped breach notification by replacing the old “harm” test with a uniform risk assessment standard. If an impermissible use or disclosure of Protected Health Information (PHI) involves Unsecured PHI, you must presume a breach unless you can demonstrate a low probability that the PHI was compromised. This overview explains the standard and what Covered Entity Compliance and Business Associate Obligations require in practice.
Breach Definition Under HIPAA
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. Under the Final Rule, any impermissible use or disclosure of Unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Limited exceptions apply and are addressed below.
Key terms you will apply
- Protected Health Information (PHI): Individually identifiable health information maintained or transmitted by a covered entity or business associate.
- Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through approved encryption or destruction.
- Discovery: The first day the breach is known—or would have been known with reasonable diligence—to the entity or any of its workforce members.
Risk Assessment Criteria for Breach Notification
The Final Rule requires a fact-specific evaluation of the probability that PHI has been compromised. You must complete and retain Risk Assessment Documentation for each incident and base your decision on, at minimum, the following four factors.
The four required factors
- Nature and extent of PHI involved: What identifiers were included, how sensitive is the content (for example, diagnoses, Social Security numbers), and what is the likelihood of re-identification?
- Unauthorized person: Who used the PHI or received the disclosure? Was the recipient another covered entity or a business associate with legal obligations to protect PHI?
- Whether the PHI was actually acquired or viewed: Can you determine if data was merely exposed or actually accessed, exfiltrated, or viewed?
- Mitigation: To what extent have you reduced risk (for example, obtaining recipient assurances of destruction, confirming return without access, or disabling a misdirected portal link)?
Document your analysis and conclusion. If doubt remains after weighing the factors, treat the incident as a breach and follow HITECH Act Notification steps. Your file should clearly support the decision to notify—or not—based on objective evidence.
Exceptions to Breach Notification Requirements
Under three narrow exceptions, an impermissible use or disclosure is not treated as a breach:
- Unintentional access or use by a workforce member or person acting under the entity’s authority, in good faith and within scope, with no further unauthorized use or disclosure.
- Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further unauthorized use or disclosure.
- Good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, a returned, unopened letter or indecipherable view on a screen).
These exceptions are separate from the encryption/destruction safe harbor. If an exception applies, notification is not required, but you should still record the event and your analysis.
Timing and Notification Obligations
Breach Notification Timing
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. “Discovery” is when the incident is known or should have been known with reasonable diligence. Delays for internal investigation or approval do not extend this deadline.
Who to notify and how
- Individuals: Provide written notice by first-class mail (or email if the individual consented). If contact info for 10 or more individuals is insufficient, post a conspicuous website notice or use major print/broadcast media and maintain a toll-free number for at least 90 days.
- Media: If the breach involves 500 or more residents of a state or jurisdiction, notify prominent media outlets serving that area within 60 days.
- HHS: For breaches affecting 500 or more individuals, notify the Secretary of HHS contemporaneously and within 60 days of discovery. For fewer than 500, log incidents and report them to HHS no later than 60 days after the end of the calendar year.
- Business Associate Obligations: A business associate must notify the covered entity without unreasonable delay and no later than 60 days, supplying the identities of affected individuals and all information the covered entity needs to notify and mitigate.
Content of individual notice
- A brief description of what happened, including the date of the breach and discovery.
- The types of PHI involved (for example, name, date of birth, diagnosis, account number).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence.
- Contact methods for questions (toll-free number, email, or postal address).
Law enforcement delay
If a law enforcement official states that notice would impede a criminal investigation or damage national security, delay notification for the requested period (written statement with end date, or an oral statement followed by written confirmation).
Documentation and Recordkeeping Standards
Maintain written policies and procedures, workforce training records, sanction documentation, and a comprehensive breach log. For every incident, retain Risk Assessment Documentation showing how you applied the four factors and your final decision.
HIPAA’s burden of proof requires you to demonstrate that required notifications were made or that no breach occurred because there was a low probability of compromise. Keep all related records—risk assessments, notices, media postings, HHS submissions, and Business Associate communications—for at least six years from the date of creation or last effective date.
Safe Harbor Provisions in the Final Rule
If PHI is properly encrypted or destroyed in accordance with HHS guidance (generally aligned with recognized NIST standards), it is not “Unsecured PHI,” and breach notification is not required. Effective controls include strong encryption for data at rest and in transit and secure destruction methods for paper and media.
Practical applications
- Encrypt laptops, mobile devices, backups, and databases; protect and separate encryption keys.
- Use secure transmission protocols for portals, email, and interfaces.
- Shred, pulverize, or otherwise irreversibly destroy paper and media before disposal or reuse.
- Validate and document controls; password protection alone is not a safe harbor.
Changes to Limited Data Set Exception
The Omnibus Final Rule eliminated the interim rule’s special exception for limited data sets. A limited data set remains PHI, so any impermissible use or disclosure must undergo the same breach risk assessment. Only data de-identified under HIPAA’s de-identification standard falls outside breach notification.
Data Use Agreements support compliance but do not, by themselves, remove breach obligations. If a limited data set is disclosed improperly, you must assess probability of compromise and follow notification rules if the threshold is met.
Conclusion
The Final Rule creates a clear, evidence-driven approach: presume breach for impermissible uses of Unsecured PHI, analyze the four risk factors, and document your rationale. Apply safe harbor controls proactively, meet strict Breach Notification Timing, and maintain records to satisfy Covered Entity Compliance and Business Associate Obligations.
FAQs
What constitutes a breach under the HIPAA Omnibus Final Rule?
A breach is an impermissible acquisition, access, use, or disclosure of Unsecured PHI that is presumed to compromise privacy or security. You may overcome that presumption only by performing and documenting a risk assessment showing a low probability that the PHI was compromised, or by meeting a narrow exception.
How is the risk assessment for breach notification conducted?
You evaluate the probability of compromise using four factors: the nature and extent of PHI involved, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent of mitigation. Document the facts, your analysis, and your conclusion; if uncertainty remains, treat the incident as a breach and notify.
What are the exceptions to the breach notification requirement?
Three exceptions apply: good-faith, unintentional access or use within scope of authority; inadvertent disclosure between authorized persons within the same entity or organized arrangement; and situations where the unauthorized recipient could not reasonably have retained the information. Separately, properly encrypted or destroyed PHI falls outside breach notification because it is not Unsecured PHI.
When must breach notifications be sent to affected individuals?
Send notice without unreasonable delay and no later than 60 calendar days from discovery. Discovery occurs when you know, or should know with reasonable diligence, that a breach occurred. Use first-class mail or consented email, apply substitute notice if contact details are insufficient, and coordinate media and HHS notifications when thresholds are met.