HIPAA Omnibus Rule Breach Notification: Examples, Exceptions, and Business Associate Duties

Kevin Henry

HIPAA

August 21, 2024

7-minute read

The HIPAA Omnibus Rule strengthened the Breach Notification Rule by presuming a breach whenever unsecured Protected Health Information (PHI) is involved in an impermissible disclosure or other unauthorized incident. This guide explains how you determine whether a breach occurred, when and how to notify, what Business Associates must do, and how to document compliance.

Breach Definition and Risk Assessment

What counts as a breach

A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA. Any impermissible disclosure triggers a presumption of breach unless you can show a low probability that the PHI has been compromised based on a documented risk assessment.

Unsecured vs. secured PHI

PHI is unsecured if it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, through strong encryption or proper destruction). If PHI is secured and the encryption keys remain protected, notification is generally not required.

Required risk assessment factors

  • The nature and extent of PHI involved, including types of identifiers and sensitivity (diagnoses, SSNs, financial data), and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made (e.g., a Covered Entity, a Business Associate, or an unknown third party).
  • Whether the PHI was actually acquired or viewed (for example, logs show no access vs. confirmed access).
  • The extent to which the risk has been mitigated (prompt retrieval, recipient attestations, secure deletion, containment).

Practical examples

  • Misdirected email with lab results sent to the wrong patient: typically a breach unless the four risk assessment factors support a low probability of compromise.
  • Lost unencrypted laptop containing patient schedules: presumptive breach requiring notification.
  • Lost laptop encrypted to current standards with intact key management: not a breach because the PHI is secured.
  • Workforce snooping into a neighbor’s chart without a job-related need: breach requiring notification and sanctions.
  • Ransomware encrypting PHI on a server: presumed breach unless you can demonstrate low probability of compromise after investigation and mitigation.

Exceptions to Breach Definition

Unintentional access within scope of authority

An unintentional acquisition, access, or use of PHI by a workforce member or person acting under a Covered Entity’s or Business Associate’s authority, made in good faith and within the scope of authority, is not a breach if the information is not further used or disclosed impermissibly.

Inadvertent internal disclosure

An inadvertent disclosure of PHI by an authorized person to another authorized person at the same Covered Entity, Business Associate, or organized health care arrangement is not a breach if the recipient does not further use or disclose the information impermissibly.

Recipient could not retain the information

If you have a good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, a sealed envelope returned unopened, or a view that was momentary and unreadable), the incident is not a breach.

Notification Requirements and Timing

When the clock starts

Discovery occurs on the first day the breach is known, or would have been known through reasonable diligence, to the entity (including its workforce members and agents). From discovery, you must provide notifications without unreasonable delay and no later than 60 calendar days after the discovery date.

Individual notice

  • Method: first-class mail to the last known address or email if the individual has agreed to electronic notice; use a translated version when appropriate.
  • Substitute notice: if contact information is insufficient or outdated for fewer than 10 people, use an alternative method (e.g., telephone). If 10 or more are affected, provide conspicuous substitute notice (such as a 90-day website posting or major print/broadcast media) with a toll-free number active for at least 90 days.
  • Urgent situations: if possible imminent misuse could occur, you may supplement with telephone or other expedient means.

Law enforcement delay

If a law enforcement official states that notice would impede a criminal investigation or cause damage to national security, you must delay notification for the specified time (or for 30 days if the request is oral and not yet documented).

Business Associate Notification Duties

Timely reporting to the Covered Entity

Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovering a breach. Discovery follows the same reasonable-diligence standard.

Information to include

  • Identification of each affected individual, to the extent possible.
  • Available details the Covered Entity must include in individual notices, with prompt updates as more information is learned.
  • Description of containment, mitigation, and corrective actions taken by the Business Associate and any subcontractors.

Subcontractor responsibility

Subcontractors of Business Associates must notify the upstream Business Associate of breaches. Business Associate Agreements should outline roles, but regulatory duties apply regardless of contract language.

Breach Notification Content

What your notices must include

  • A brief description of what happened, including the breach date and discovery date, if known.
  • The types of PHI involved (for example, names, dates of birth, diagnoses, treatment information, account numbers).
  • Steps individuals should take to protect themselves (credit monitoring, password changes, fraud alerts, or other practical measures).
  • What you are doing to investigate, mitigate harm, and prevent future incidents (containment, sanctions, technical safeguards).
  • How to get more information, including a toll-free number, email, or postal address, and the identity of the Covered Entity or Business Associate issuing the notice.

Breach Notification to Media and Secretary

Media notice for large breaches

If a breach affects 500 or more residents of a state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days from discovery, in addition to individual notices.

Notice to the Health and Human Services Secretary

  • 500 or more individuals: report to the Health and Human Services Secretary without unreasonable delay and within 60 days of discovery.
  • Fewer than 500 individuals: log the breach and submit to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.

Documentation and Compliance

Maintain thorough records

Document your risk assessments, breach determinations, notifications, mitigation steps, and decisions. Retain policies, procedures, training records, and breach logs for at least six years from creation or last effective date.

Policies, training, and sanctions

Adopt clear policies on minimum necessary use, access monitoring, incident response, and sanctions. Train workforce members regularly and apply sanctions consistently for impermissible disclosure or other violations.

Technical and administrative safeguards

Harden systems with encryption, access controls, audit logging, patching, and backups. Conduct periodic risk analyses, test your incident response plan, and verify Business Associate compliance through agreements and due diligence.

Conclusion

The Breach Notification Rule centers on rapid assessment, timely notice, and verifiable mitigation. By applying the Risk Assessment Factors, honoring exceptions correctly, meeting notification deadlines, and documenting every step, Covered Entities and Business Associates can manage incidents effectively and sustain compliance.

FAQs

What constitutes a breach under the HIPAA Omnibus Rule?

A breach is any acquisition, access, use, or disclosure of unsecured PHI not permitted by HIPAA. Because impermissible disclosure creates a presumption of breach, you must perform and document a risk assessment to show a low probability of compromise or proceed with notification.

When must covered entities notify affected individuals?

You must notify without unreasonable delay and no later than 60 calendar days after discovering the breach. Use first-class mail or agreed email, provide substitute notice when contact information is insufficient, and consider urgent phone notice if imminent harm is likely.

What are the exceptions to breach notification requirements?

Three exceptions apply: unintentional access within scope of authority; inadvertent disclosure between authorized persons at the same entity or arrangement; and situations where the recipient could not reasonably retain the information. In addition, secured (properly encrypted or destroyed) PHI generally falls outside notification.

What are business associate duties in breach notification?

Business Associates must notify the Covered Entity without unreasonable delay and within 60 days of discovery, identify affected individuals to the extent possible, provide available notice content, and relay updates promptly. Subcontractors must report breaches to their upstream Business Associate.
