HIPAA Requires Covered Entities to Notify Individuals: A Compliance Checklist


Kevin Henry

HIPAA

January 08, 2025

7 minute read

When unsecured Protected Health Information (PHI) is compromised, the HIPAA Breach Notification Rule requires you to notify affected individuals—and sometimes regulators and the media. Use this step‑by‑step compliance checklist to determine whether an incident is a breach, assess risk, and deliver timely, complete notifications.

Definition of Breach

A breach is the impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. A breach is presumed unless you demonstrate a low probability that PHI was compromised based on a documented analysis. If PHI is secured under the Encryption Safe Harbor or properly destroyed, breach notification is not required.

Key exceptions and Encryption Safe Harbor

  • Unintentional, good‑faith access or use by an authorized workforce member within scope of authority, with no further impermissible use.
  • Inadvertent disclosure between two authorized persons within the same covered entity or business associate, with no further disclosure.
  • Disclosures where the recipient could not reasonably retain the information.
  • Encryption Safe Harbor: PHI encrypted to recognized standards (and keys not compromised) is considered secured and outside notification requirements.

Checklist

  • Confirm the data is PHI and the action was not permitted by HIPAA.
  • Determine whether PHI was secured (Encryption Safe Harbor) or destroyed.
  • Assess whether an exception applies and document your rationale.
  • If not excepted or secured, treat the incident as a presumed breach and proceed to risk assessment.

Conducting a Risk Assessment

To rebut the breach presumption, you must evaluate specific Risk Assessment Criteria and document why there is a low probability that PHI was compromised. Your analysis must be thorough, evidence‑based, and retained as part of Breach Documentation.

Risk Assessment Criteria

  • Nature and extent of PHI: sensitivity, types of identifiers, and likelihood of re‑identification.
  • Unauthorized person: who received or accessed the PHI and their legal/contractual obligations to protect it.
  • Whether PHI was actually acquired or viewed versus merely exposed or at risk.
  • Mitigation: extent to which risk was reduced (e.g., swift retrieval, confirmation of non‑access, confidentiality assurances).

Checklist

  • Start the clock on the date of discovery (when you knew or reasonably should have known of the incident).
  • Preserve evidence (logs, device details, emails) and assign an incident lead.
  • Analyze each factor, conclude overall risk (low or not low), and justify the decision in writing.
  • Store all Breach Documentation, including your assessment and decision, for at least six years.

Notification to Individuals

If your assessment does not establish a low probability of compromise, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Use first‑class mail to the last known address or email if the individual has agreed to electronic notice. For urgent situations, you may also notify by telephone or other means.

Required content

  • A brief description of what happened, including the breach date and discovery date (if known).
  • Types of PHI involved (e.g., names, diagnoses, Social Security numbers, account data).
  • Steps individuals should take to protect themselves (e.g., monitor accounts, place fraud alerts).
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact methods for questions (toll‑free number, email, and postal address).

Checklist

  • Draft clear, plain‑language notices and translate if needed.
  • Send notices without unreasonable delay and track the day‑60 deadline from discovery.
  • Retain copies of notices, recipient lists, and proof of delivery for Breach Documentation.
  • Use telephone or other expedient methods when there is potential imminent misuse.

Notification to the Secretary

Reporting to the Secretary of Health and Human Services depends on the number of affected individuals. The timing differs for breaches affecting 500 or more individuals versus fewer than 500.

Thresholds and timing

  • 500 or more individuals: notify the Secretary without unreasonable delay and no later than 60 calendar days after discovery.
  • Fewer than 500 individuals: log the breach and submit an annual report to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.

Checklist

  • Determine the count of affected individuals and select the correct reporting path.
  • Ensure the Secretary submission aligns with the details provided to individuals.
  • Retain submission confirmations and correspondence as part of Breach Documentation.

Media Notification

If a breach involves 500 or more residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area. Issue the media notice without unreasonable delay and no later than 60 calendar days after discovery, and ensure its content mirrors the individual notices.

Checklist

  • Verify whether 500 or more residents of any state or jurisdiction are affected.
  • Prepare a clear press release consistent with individual notifications and designate a spokesperson.
  • Release within the required timeframe and archive the published notice for your records.

Substitute Notice Procedures

When contact information is insufficient or out of date, you must follow Substitute Notice Requirements to reach affected individuals. The method depends on how many individuals lack valid contact information.

Substitute Notice Requirements

  • Fewer than 10 individuals: provide substitute notice by alternative written means, telephone, or another reasonable method.
  • 10 or more individuals: provide conspicuous posting on your website home page for at least 90 days or notice in major print/broadcast media where affected individuals likely reside.
  • For 10 or more, include a toll‑free number active for at least 90 days so individuals can confirm whether their information was involved.

Checklist

  • Count individuals with invalid contact information to select the correct substitute method.
  • Maintain the required 90‑day website posting or toll‑free line and log inquiries.
  • Keep attempting direct notice if updated addresses become available.

Business Associate Notification

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery. The notice must identify each affected individual and, to the extent possible, include the information needed for individual notifications. Subcontractors must pass breach information up to the business associate promptly.

Checklist

  • Require prompt reporting from business associates and subcontractors in your agreements.
  • Obtain necessary details (what happened, PHI types, affected individuals) to meet notice content rules.
  • Coordinate investigation and mitigation steps; record actions and decisions for Breach Documentation.
  • Review and update business associate agreements to clarify timelines, security controls, and audit rights.

By following this compliance checklist, you satisfy the core obligations of the Breach Notification Rule, protect individuals, and maintain defensible Breach Documentation. Strong prevention and the Encryption Safe Harbor reduce notification risk, but they never replace timely reporting and clear communication when incidents occur.

FAQs

What constitutes a reportable breach under HIPAA?

A reportable breach is any impermissible use or disclosure of unsecured PHI that compromises its security or privacy. A breach is presumed unless your documented risk assessment shows a low probability of compromise. Incidents meeting an exception or covered by the Encryption Safe Harbor are not reportable.

How soon must individuals be notified of a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Discovery is the date the breach is known—or should reasonably have been known—to your organization. For urgent risks of harm, use telephone or other expedient methods in addition to written notice.

When is media notification required for a HIPAA breach?

Media notification is required when a breach involves 500 or more residents of a single state or jurisdiction. The notice must be issued without unreasonable delay and in no case later than 60 calendar days after discovery, and it should align with the content of individual notices.

What documentation must covered entities maintain for breach notifications?

Maintain Breach Documentation for at least six years, including the incident report, your risk assessment and conclusion, mitigation steps, copies of individual notices, proof of delivery, substitute notice records (e.g., 90‑day website posting and toll‑free line logs), media notices, and Secretary of Health and Human Services reporting confirmations, plus all communications with business associates.
