HIPAA Omnibus Rule Breach Notification Requirements: Timeline, Risk Assessment, Reporting


Kevin Henry

HIPAA

August 21, 2024

7 minutes read

Breach Definition

Under the HIPAA Omnibus Rule’s Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by HIPAA that compromises the security or privacy of the PHI. The rule applies to Covered Entities and their Business Associates when the PHI involved is “unsecured.”

Secured vs. unsecured PHI

PHI is considered secured when it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals—typically through strong encryption or proper destruction. If PHI is secured, breach notification is not required. If PHI is unsecured, you must evaluate the incident to determine whether notification obligations are triggered.

Exceptions that are not breaches

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity or Business Associate, in good faith and within scope, with no further impermissible use or disclosure.
  • Inadvertent disclosure of PHI by an authorized person to another authorized person within the same Covered Entity, Business Associate, or Organized Health Care Arrangement, with no further impermissible use or disclosure.
  • Disclosures where you have a good-faith belief the unauthorized recipient could not reasonably retain the information (for example, a misdirected letter immediately returned unopened).

Discovery date

An incident is “discovered” on the first day it is known to you, or on the first day it would have been known to you had you exercised reasonable diligence. All Notification Deadlines run from this discovery date.

Conducting Risk Assessment

If unsecured PHI is involved, you must perform a risk assessment to determine whether there is a low probability that the PHI has been compromised. If the probability is not low, you have a breach requiring notification.

Risk Assessment Criteria

  • Nature and extent of PHI involved: the types of identifiers (e.g., names, SSNs, diagnoses) and the likelihood of re-identification.
  • Unauthorized person: who received or used the PHI (for example, a HIPAA-regulated entity versus an unknown third party).
  • Whether PHI was actually acquired or viewed: evidence the information was opened, downloaded, or used, versus only potentially exposed.
  • Mitigation: the extent to which risk was reduced (e.g., obtaining recipient assurances of destruction, successfully remote-wiping a device, confirming encryption).

Applying and documenting the assessment

Evaluate each factor, weigh them collectively, decide whether the probability of compromise is low, and document your rationale. Your Compliance Documentation should include the facts, analysis, final determination (breach or no breach), and any remedial actions taken.

Notification Timeline

Notifications must be made without unreasonable delay and within set outer limits. Build your incident response to meet these Notification Deadlines from the date of discovery.

  • Affected individuals: without unreasonable delay and no later than 60 calendar days after discovery.
  • U.S. Department of Health and Human Services (HHS) — 500 or more individuals: without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS — fewer than 500 individuals: log the incident and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Media notice (see below): when required, without unreasonable delay and no later than 60 calendar days after discovery.
  • Business Associates to Covered Entities: without unreasonable delay and no later than 60 calendar days after the Business Associate discovers the breach; earlier notice may be required by contract.

Law enforcement delay: if a law enforcement official states that notification would impede a criminal investigation or threaten national security, you must delay notice for the time specified. Document any such hold. Also consider applicable state breach notification laws, which may impose shorter deadlines.

Notifying Affected Individuals

Method of notice

  • Written notice by first-class mail to the individual’s last known address; email is permissible if the individual has agreed to electronic notice.
  • If the individual is deceased, notify the personal representative when known and appropriate.
  • In urgent cases where imminent misuse of the PHI is possible, you may also provide telephone or other immediate notice in addition to the written notice.

Content requirements

Your letter must be clear, conspicuous, and in plain language. Include:

  • A brief description of what happened, including the date of the breach and the date of discovery (if known).
  • The types of PHI involved (for example, full name, date of birth, diagnosis, treatment information, account numbers).
  • Steps individuals should take to protect themselves (e.g., fraud alerts, credit monitoring, password changes).
  • What your organization is doing to investigate, mitigate harm, and prevent further breaches.
  • Contact information for questions and assistance, including a toll-free number, email, or postal address.

Substitute notice

  • If fewer than 10 individuals are unreachable, use an alternative form of notice (e.g., phone, email) reasonably calculated to reach them.
  • If 10 or more are unreachable, provide substitute notice via a prominent website posting for at least 90 days or major print/broadcast media in areas where affected individuals reside, plus a toll-free number active for at least 90 days.

Reporting to Media and HHS

HHS reporting

For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, maintain a breach log and submit it to HHS within 60 days after the end of the calendar year in which the breaches were discovered.

Media notification

If a breach involves 500 or more residents of a single state or jurisdiction, notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. Media notice complements, and does not replace, individual notice.

Business Associate Notification

Business Associates must notify the Covered Entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery. The notice should identify each affected individual (when possible) and provide the information the Covered Entity needs to deliver individual notices under the Breach Notification Rule.

Contracts should specify shorter timeframes, reporting channels, required details, and ongoing cooperation duties. Business Associates are directly liable for compliance and should maintain their own incident response and Compliance Documentation.

Documentation and Compliance

Maintain written policies and procedures for incident response, workforce training, sanctions, and technical safeguards. Keep an incident log, risk assessments, notices sent, media statements, HHS submissions, and correspondence for at least six years from the date created or last in effect.

Conduct periodic drills, verify Business Associate Agreements, and review access controls, encryption, and audit logging. Your Compliance Documentation should show you met Notification Deadlines, applied the Risk Assessment Criteria consistently, and implemented corrective actions to reduce future risk.

Conclusion

The HIPAA Omnibus Rule sets a clear framework: determine whether unsecured PHI was compromised, apply the risk assessment, and meet strict notification and reporting timelines. By preparing in advance—policy, process, contracts, and evidence—you can protect individuals, fulfill the Breach Notification Rule, and demonstrate compliance when it matters most.

FAQs

What constitutes a breach under the HIPAA Omnibus Rule?

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. If, after assessing required factors, you cannot document a low probability that the PHI was compromised—and no exception applies—the incident is a reportable breach.

How soon must breaches be reported to HHS?

For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days after discovery. For fewer than 500 individuals, maintain a log and report to HHS within 60 days after the end of the calendar year in which the breach was discovered.

What information must be included in notification to affected individuals?

Include what happened (with breach and discovery dates), the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and clear contact information (such as a toll-free number, email, or address) for assistance.

When is media notification required for a breach?

Media notification is required when a breach involves 500 or more residents of a single state or jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery, in addition to sending individual notices.
