HIPAA's 24-Hour Breach Notification Rule for Business Associates: What's Required and How to Comply


Kevin Henry

HIPAA

March 13, 2026


Overview of Breach Notification Rule

The HIPAA Breach Notification Rule requires prompt action when Protected Health Information (PHI) is compromised. Covered entities must notify affected individuals, and business associates must notify their covered entity partners without unreasonable delay. While HIPAA sets an outside limit of 60 days after discovery for required notices, many organizations adopt a 24-hour standard by contract to meet operational needs and tighter Notification Timelines.

In practice, the “24-hour rule” comes from Business Associate Agreements (BAAs). These contracts translate HIPAA’s “prompt” requirement into a concrete clock, often requiring initial notice within 24 hours of discovery of a suspected or confirmed breach involving Unsecured PHI. Your compliance program should be built to meet the strictest obligation that applies—your BAAs, state law, and HIPAA—so you can notify quickly and accurately.

Business Associate Notification Obligations

Business associates must notify the covered entity when they discover an impermissible use or disclosure of Unsecured PHI that may constitute a breach. Discovery begins the day any workforce member or agent knows—or reasonably should know—of the incident. Weekends, holidays, or after-hours discoveries still start the clock, so 24/7 escalation is essential.

To comply with a 24-hour standard, establish a clear playbook that: (1) distinguishes routine security events from potential breaches; (2) triggers immediate internal escalation to privacy, security, and legal; (3) captures essential facts quickly; and (4) delivers an initial notice to the covered entity with available details and a plan for rolling updates. BAAs typically require business associates to ensure subcontractors flow down the same duties and timelines.

Your initial notice should identify the incident, affected systems, the types of Protected Health Information (PHI) potentially involved, the date of discovery, mitigation steps taken, and known or suspected impact. If you do not yet know the identities of all affected individuals, disclose what you know and commit to provide updates as soon as reasonably available.

Contractual Notification Timelines

BAAs convert flexible regulatory language into precise Notification Timelines so covered entities can meet downstream duties. Common patterns include: (a) initial notice to the covered entity within 24 hours of discovery of a suspected breach; (b) more detailed updates within 48–72 hours; and (c) final incident reports once the investigation is complete. Some BAAs also require immediate notice (for example, one hour) for ransomware or data exfiltration events.

Build your operations around the most aggressive timeline you face. Practical steps include: pre-approved notification templates, an always-on incident bridge, an executive decision matrix for rapid triage, and scripted communications for counsel and insurance. Align internal SLAs with BAA timelines and state-law triggers so you never miss a contractual or legal deadline.

Rolling notification is acceptable and often expected: deliver an initial, good-faith notice within 24 hours with the facts known at that time, then issue structured updates as your risk assessment matures. Document each touchpoint so the covered entity can meet its own obligations to individuals, the Secretary of Health and Human Services (HHS), and, if applicable, the media.

Defining a Breach of PHI

A breach is an impermissible use or disclosure of Unsecured PHI that compromises the privacy or security of the information. PHI is “unsecured” when it is not rendered unusable, unreadable, or indecipherable to unauthorized persons—typically through strong encryption or proper destruction. If PHI is properly encrypted at the time of loss, the incident generally does not constitute a breach.

HIPAA presumes a breach unless a documented assessment shows a low probability that PHI was compromised. Limited exceptions exist, including certain unintentional workforce access within authority, inadvertent disclosures between similarly authorized personnel, or disclosures where there is a good-faith belief the recipient could not retain the information. Always test facts against these exceptions, but do not delay initial notice while you evaluate them if a 24-hour BAA clock is running.

Examples that often meet the breach threshold include exfiltration of ePHI by malware, misdirected emails containing diagnoses or medical record numbers, or theft of an unencrypted laptop with PHI. Edge cases—such as brief, unauthorized access with no evidence of viewing—still require a documented analysis of Risk Assessment Factors before ruling out breach status.


Conducting Risk Assessments

HIPAA requires a risk-of-compromise assessment using four core Risk Assessment Factors. Your documentation should be decision-ready for counsel and the covered entity and should support both rapid initial notifications and final determinations.

The four factors

  • Nature and extent of PHI involved, including types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made (for example, a trusted provider vs. an unknown actor).
  • Whether the PHI was actually acquired or viewed (not just potentially accessible).
  • The extent to which risks have been mitigated (for example, confirmed deletion, robust containment, or reliable recipient attestations).

Executing a 24-hour triage

  • Within hours 0–6: contain the incident, preserve logs, snapshot affected systems, and convene privacy, security, and legal.
  • Hours 6–12: identify PHI elements involved, map affected populations, and assess whether Unsecured PHI was exposed.
  • By hour 24: deliver an initial, good-faith notification to the covered entity with known facts, preliminary Risk Assessment Factors, and a mitigation plan.

Continue analysis after the initial notice. Update findings at 48–72 hours and upon closure. Retain evidence, timelines, and sign-offs by the privacy or compliance officer so you can demonstrate diligence if audited.

Notification Content Requirements

For business associate-to-covered entity notices

  • Brief description of what happened, including the date of the breach and the date of discovery, if known.
  • Types of Unsecured PHI involved (for example, names, addresses, diagnoses, treatment information, medical record numbers, billing data).
  • Preliminary count or range of affected individuals and how you will refine it.
  • Steps already taken to contain and mitigate harm, and whether law enforcement has been engaged.
  • Planned next steps, including investigation milestones and expected Notification Timelines for updates.

For covered entity notices to individuals (prepared with BA input)

  • Plain-language summary of what happened and when it was discovered.
  • Specific PHI elements involved and potential risks to the individual.
  • Actions individuals should take to protect themselves (for example, monitoring, password changes, fraud alerts).
  • What the entity is doing to investigate, mitigate, and prevent future incidents.
  • How to get assistance (toll-free number, email, website, or postal address).

Maintain version control of all notifications, ensure accuracy against your risk assessment, and align distribution methods (mail, email, substitute notice) with regulatory requirements. Your BAAs should state who drafts which notices and how quickly drafts and approvals must circulate.

Reporting to HHS and Media Notification

Covered entities must report breaches of Unsecured PHI to the Secretary of Health and Human Services (HHS). For incidents affecting 500 or more individuals in a single state or jurisdiction, reporting to HHS and notification to prominent media outlets must occur without unreasonable delay and no later than 60 days from discovery. For fewer than 500 individuals, entities maintain a breach log and submit it to HHS no later than 60 days after the end of the calendar year in which the breaches occurred.

Media notification is required only when a breach affects 500 or more residents of a state or jurisdiction. The media notice should mirror the individual notification content and be coordinated with counsel and incident response leaders to avoid conflicting messages. Business associates support these steps by supplying accurate counts, timelines, and content, consistent with their BAAs.

Conclusion

HIPAA sets the framework; BAAs make it operational. Treat the 24-hour breach notification standard as a contractual performance requirement designed to satisfy HIPAA’s “without unreasonable delay” mandate and varied state obligations. Build for speed with clear playbooks, rigorous risk assessments, and disciplined Notification Timelines so you can notify covered entities, individuals, HHS, and the media accurately and on time.

FAQs

What triggers the 24-hour breach notification rule?

Most often, your Business Associate Agreements (BAAs) do. They typically require an initial notice to the covered entity within 24 hours after you discover a suspected or confirmed breach involving Unsecured PHI. Discovery begins when any workforce member or agent becomes aware of facts that reasonably indicate a potential breach.

How do business associates conduct a risk assessment?

Use HIPAA’s four Risk Assessment Factors: evaluate the nature and extent of PHI involved, who received or accessed it, whether it was actually acquired or viewed, and how effectively risks were mitigated. Document facts, decisions, and timelines, and issue rolling updates so the covered entity can meet its Notification Timelines.

What information must be included in breach notifications?

Notifications should explain what happened and when, the types of PHI involved, steps individuals should take, what the organization is doing to investigate and mitigate harm, and how to get help. For BA-to-covered entity notices, also include preliminary counts, containment actions, and planned investigation milestones.

When is media notification required?

Media notification applies when a breach affects 500 or more residents of a single state or jurisdiction. It must be issued without unreasonable delay and no later than 60 days from discovery, in coordination with reporting to the Secretary of Health and Human Services (HHS) and individual notifications.
