HIPAA Rights Violated? Requirements, Risk Mitigation, and Notification Timelines


Kevin Henry

Risk Management

October 12, 2024

6 minutes read

If you suspect an improper use or disclosure of Protected Health Information (PHI), understanding the HIPAA Breach Notification Rule helps you act quickly and confidently. This guide—HIPAA Rights Violated? Requirements, Risk Mitigation, and Notification Timelines—explains what counts as a breach, how to assess risk, and who must notify whom and when.

The obligations below apply to Covered Entities (health plans, most providers, and clearinghouses) and their Business Associates that handle PHI. You’ll see where PHI Risk Assessment, Breach Mitigation, and Notification Timelines fit into real-world response steps.

Definition of Breach

A HIPAA breach is any acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises the security or privacy of the information. Both paper and electronic PHI (ePHI) are covered.

HIPAA presumes an impermissible use or disclosure is a breach unless the organization demonstrates—through a documented risk assessment—that there is a low probability the PHI was compromised. If the presumption cannot be overcome, breach notification obligations apply.

Risk Assessment Factors

To determine whether there is a low probability of compromise, HIPAA requires a PHI Risk Assessment that, at minimum, evaluates four factors:

  • Nature and extent of PHI involved: the types of identifiers exposed, clinical sensitivity, and the likelihood of re-identification.
  • Unauthorized person: who received or accessed the PHI and whether that person is obligated to protect confidentiality (for example, another Covered Entity).
  • Whether PHI was actually acquired or viewed: indications of access, download, copying, or mere exposure without access.
  • Mitigation actions: steps taken to reduce risk, such as securing return or destruction of PHI, remote wipe, or verified containment.

Covered Entities and Business Associates must document this analysis. If the probability of compromise is anything more than low, the event is a breach and triggers the Breach Notification Rule.

Breach Notification Requirements

When a breach occurs, notifications must be provided without unreasonable delay and in no case later than 60 calendar days from discovery. “Discovery” occurs on the first day the breach is known—or should reasonably have been known—by the organization. These Notification Timelines are strict and run even while an investigation is ongoing.

  • To individuals: Covered Entities must notify affected individuals by first-class mail (or email if the person agreed). The notice must describe what happened, dates, types of PHI involved, steps individuals should take, the organization’s Breach Mitigation and prevention measures, and how to contact the entity.
  • From Business Associates to Covered Entities: Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 days, including identities of affected individuals and available facts so the Covered Entity can notify others.
  • Substitute notice: If contact information is insufficient for fewer than 10 people, use an alternative method (e.g., phone). If 10 or more are unreachable, provide a conspicuous website posting or media substitute notice and a toll-free number for at least 90 days.

In parallel with notification, entities must continue Breach Mitigation, such as containment, recovery, offering protective services where appropriate, and correcting security gaps to prevent recurrence.

Notification to HHS

In addition to individual notice, HIPAA requires reporting to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights:

  • Breaches affecting 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days from discovery.
  • Breaches affecting fewer than 500 individuals: log the incident and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

Covered Entities submit the report; Business Associates report to their Covered Entities, which then fulfill the HHS obligation unless contract terms specify otherwise.


Media Notification

If a breach affects 500 or more residents of a single state or jurisdiction, the Covered Entity must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days. This media notice supplements, rather than replaces, the individual notices.

Exceptions to Breach Definition

HIPAA identifies three narrow exceptions where an impermissible use or disclosure is not a breach:

  • Unintentional access or use by a workforce member acting in good faith and within the scope of authority, with no further improper use or disclosure.
  • Inadvertent disclosure between two authorized persons within the same organization (or organized health care arrangement), with no further improper use or disclosure.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, sealed mail returned unopened).

Even when an exception may apply, document the rationale and any mitigation taken to safeguard PHI.

Encryption Safe Harbor

Under HIPAA guidance, PHI that is properly “secured”—for example, encrypted to strong, industry-recognized standards with keys protected—or destroyed so it is unusable, unreadable, or indecipherable to unauthorized persons is not subject to breach notification if the safeguards were intact and keys were not compromised.

Apply end-to-end encryption for ePHI in transit and at rest, manage keys separately, and decommission data by secure deletion or media destruction. These controls reduce breach likelihood and may invoke the encryption safe harbor, minimizing notice obligations while strengthening overall Breach Mitigation.
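The two controls that make the safe harbor defensible, keys held apart from the data and secure decommissioning, can be demonstrated concretely. The following is an added example, not code from this article or from Accountable: it encrypts a constructed sample record with AES-256-GCM under a per-record data-encryption key (DEK), wraps that DEK with a key-encryption key (KEK) that lives only inside a stand-in for a separately managed key service, and decommissions a record by destroying its wrapped DEK (crypto-shredding). The KeyStore type, the patient identifier and the record contents are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a separately managed key service (an HSM or cloud KMS in
// practice). It holds the KEK and never hands it out: callers may only ask it to
// wrap or unwrap DEKs, so a copy of the storage tier alone is unreadable.
type KeyStore struct {
	kek []byte
}

// NewKeyStore generates a fresh random 256-bit KEK.
func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

// sealGCM encrypts plaintext with AES-256-GCM; the random nonce is prefixed to
// the output and aad is bound to the ciphertext so it cannot be re-attached elsewhere.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to ciphertext, nonce or aad fails authentication.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the key service exposes.
func (ks *KeyStore) WrapDEK(dek []byte) ([]byte, error)    { return sealGCM(ks.kek, dek, []byte("dek")) }
func (ks *KeyStore) UnwrapDEK(wrapped []byte) ([]byte, error) { return openGCM(ks.kek, wrapped, []byte("dek")) }

// Record is what sits on the application's storage tier: ciphertext plus the
// wrapped DEK. Neither is usable without the KEK held by the key service.
type Record struct {
	PatientID  string
	Ciphertext []byte
	WrappedDEK []byte // nil once the record has been crypto-shredded
}

// EncryptRecord generates a per-record DEK, encrypts the PHI under it (binding the
// patient ID as AAD), and stores only the KEK-wrapped form of the DEK.
func EncryptRecord(ks *KeyStore, patientID string, phi []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, phi, []byte(patientID))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &Record{PatientID: patientID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptRecord unwraps the DEK through the key service, then opens the PHI.
func DecryptRecord(ks *KeyStore, r *Record) ([]byte, error) {
	if r.WrappedDEK == nil {
		return nil, errors.New("record has been crypto-shredded")
	}
	dek, err := ks.UnwrapDEK(r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	return openGCM(dek, r.Ciphertext, []byte(r.PatientID))
}

// Shred decommissions a record: destroying the wrapped DEK leaves the ciphertext
// permanently unreadable even to the legitimate key service.
func Shred(r *Record) { r.WrappedDEK = nil }

func main() {
	ks, _ := NewKeyStore()
	// Constructed sample PHI; not real patient data.
	rec, _ := EncryptRecord(ks, "patient-42", []byte("MRN 000123; dx: sample entry"))
	if plain, err := DecryptRecord(ks, rec); err == nil {
		fmt.Printf("authorised read: %s\n", plain)
	}
	Shred(rec)
	_, err := DecryptRecord(ks, rec)
	fmt.Println("read after shred:", err)
}
```

A leaked database dump contains only Ciphertext and WrappedDEK; without the KEK, which never leaves the key service, neither decrypts, which is the "keys not compromised" condition the safe harbor turns on. Binding the patient ID as AAD also stops a ciphertext from being silently moved to another patient's record.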

Bottom line: know what qualifies as a breach, perform a documented PHI Risk Assessment, act within the Notification Timelines, and harden systems—especially with strong encryption—to reduce impact when HIPAA rights are at stake.

FAQs

What steps should I take if my HIPAA rights are violated?

Document what happened and when, save any notices, and contact the provider or plan’s privacy officer to request an explanation and corrective action. Ask for an accounting of disclosures, place fraud alerts or credit monitoring if sensitive identifiers were exposed, and change portal passwords. You may file a complaint with HHS OCR, and if identity theft is suspected, notify your insurer and appropriate authorities.

When must a breach be reported to HHS?

For breaches affecting 500 or more individuals, the Covered Entity must report to HHS without unreasonable delay and no later than 60 calendar days from discovery. For fewer than 500, the entity must log the incident and report to HHS within 60 days after the end of the calendar year in which the breach was discovered.

Are there exceptions to what counts as a HIPAA breach?

Yes. HIPAA excludes certain good-faith, within-scope workforce accesses; inadvertent disclosures between authorized persons within the same organization; and situations where the recipient could not reasonably have retained the information. Outside these narrow exceptions, the event is presumed a breach unless a risk assessment shows a low probability of compromise.

How is PHI encryption relevant to breach notifications?

If PHI is encrypted consistent with recognized standards and the encryption keys were not compromised, the information is considered “secured” and generally falls under HIPAA’s encryption safe harbor. In that case, the incident may not trigger breach notifications, though you should still investigate, document, and remediate any underlying security gaps.
