HIPAA Section 13402: Breach Notification Requirements Explained
Overview of Section 13402
HIPAA Section 13402 of the HITECH Act—implemented through the Breach Notification Rule—requires you to notify affected parties after discovering a breach of unsecured protected health information (PHI). The rule applies to covered entities and their business associates and sets out who you must notify, when, and how.
In practice, Section 13402 activates when you confirm or reasonably suspect an incident that compromises the privacy or security of unsecured PHI. Your obligations include prompt investigation, a documented risk assessment, and time-bound notifications to individuals, the Secretary, and in some cases the media.
Who must comply
- Covered Entities: health plans, most health care providers, and health care clearinghouses.
- Business Associates: vendors and service providers that create, receive, maintain, or transmit PHI for a covered entity.
Key terms you will use
- Unsecured Protected Health Information: PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, unencrypted ePHI).
- Discovery: the date you know, or by exercising reasonable diligence should have known, of the breach.
- Notification Deadline: the outer limit—no later than 60 calendar days from discovery—by which required notifications must be sent.
Definition of a Breach
A breach is an impermissible acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule that compromises the security or privacy of the PHI. There is a presumption that an impermissible use or disclosure is a breach unless you can demonstrate a low probability that the PHI has been compromised based on a documented risk assessment.
Common exceptions (not breaches)
- Unintentional access or use by a workforce member or person acting under your authority, in good faith, within scope, with no further improper use or disclosure.
- Inadvertent disclosure by an authorized person to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further improper use or disclosure.
- Good-faith belief that the unauthorized recipient could not reasonably retain the information (for example, mailed to the wrong address and returned unopened).
Secured vs. unsecured PHI
Section 13402 applies only to breaches of unsecured PHI. If PHI is properly secured—such as by strong encryption for electronic data or by destruction methods that make data unreadable—breach notification under this rule is generally not required.
Risk Assessment Procedures
Your decision to notify hinges on whether there is a low probability that PHI was compromised. You must assess and document, at minimum, the following four factors and your overall conclusion.
The four-factor analysis
- Nature and extent of PHI involved: what identifiers were included (for example, names, SSNs, diagnoses, treatment details) and the likelihood of re-identification.
- Unauthorized person: who used the PHI or received it (for example, another covered entity vs. a member of the public) and their obligations to protect confidentiality.
- Whether PHI was actually acquired or viewed: whether you can determine that the data was merely exposed rather than actually accessed, exfiltrated, or misused.
- Mitigation: how effectively you reduced risk (for example, obtaining satisfactory assurances of deletion, resetting credentials, or recovering devices).
How to run and document the assessment
- Collect facts quickly: timeline, systems involved, types and volumes of PHI, and who was affected.
- Analyze each factor and record evidence supporting your findings.
- Conclude whether notification is required; if you determine low probability of compromise, document the rationale thoroughly.
- Retain assessment records as part of your Privacy Rule compliance documentation.
Notification Timelines and Requirements
Send notifications without unreasonable delay and in no case later than 60 calendar days after discovery. Start counting on the day the breach is discovered by you or would have been discovered with reasonable diligence.
Business associate to covered entity
A business associate must notify the covered entity without unreasonable delay and no later than 60 days from discovery. The notice should identify each affected individual (if possible) and provide available facts needed for the covered entity’s notifications.
Permitted law enforcement delay
If a law enforcement official states that notice would impede a criminal investigation or threaten national security, you must delay notification for the period specified in the written statement. If the statement is oral, document it and delay for up to 30 days unless a written statement extends the delay.
Method of notice to individuals
- Written notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice.
- If fewer than 10 individuals have out-of-date or insufficient contact information, use an alternative form (for example, telephone).
- If contact information is insufficient for 10 or more individuals, provide substitute notice via a conspicuous website posting or major print/broadcast media in the relevant area and maintain a toll-free number for at least 90 days.
Notification to Individuals and Secretary
Content of the individual notice
- A brief description of what happened, including the breach and discovery dates.
- Types of unsecured protected health information (PHI) involved (for example, name, SSN, financial data, clinical details).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent a recurrence.
- Contact information for questions (toll-free number, email, or postal address).
Notice to the Secretary
- Breaches affecting 500 or more individuals: notify the Secretary without unreasonable delay and no later than 60 days from discovery.
- Breaches affecting fewer than 500 individuals: log them and submit to the Secretary no later than 60 days after the end of the calendar year in which they were discovered.
Covered entities are responsible for notifications to individuals and the Secretary. Business associates must support investigations and provide timely details, and may send notifications on your behalf if your business associate agreement assigns that role.
Media Notification Obligations
If a breach affects more than 500 residents of a state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days from discovery. This is in addition to individual notifications and the report to the Secretary.
The media notice should mirror the core content of the individual notice and be written in clear, plain language. Media notification is distinct from “substitute notice” used when 10 or more individuals are unreachable; you may need to do both in some events.
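The timeline and threshold rules above (60-day outer limit from discovery, the 500-individual Secretary threshold and annual log for smaller breaches, media notice for more than 500 residents of one jurisdiction, substitute notice at 10 or more unreachable individuals, and the law enforcement hold) combine into a checklist that an incident response team typically builds into its playbook. The following Python sketch is an added illustration and is not code from the original page or from Accountable; the dataclass field names and the choice to count the 90-day toll-free window from the discovery date are this example's own assumptions, while the thresholds and windows are the ones stated on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and windows as stated on the page.
NOTIFY_WINDOW_DAYS = 60          # outer limit from discovery for every required notice
SECRETARY_IMMEDIATE_MIN = 500    # 500 or more affected: notify the Secretary within 60 days
MEDIA_MIN_RESIDENTS = 501        # more than 500 residents of one state or jurisdiction
SUBSTITUTE_NOTICE_MIN = 10       # 10 or more unreachable: website/media substitute notice
ORAL_LE_DELAY_MAX_DAYS = 30      # oral law-enforcement request: delay up to 30 days
TOLL_FREE_MIN_DAYS = 90          # toll-free number maintained for at least 90 days


@dataclass
class BreachFacts:
    """Facts gathered during the investigation (field names are this example's own)."""
    discovered_on: date                            # known, or should have been known with reasonable diligence
    affected_total: int
    affected_by_jurisdiction: Dict[str, int]       # residents per state/jurisdiction
    unreachable: int                               # individuals with insufficient or out-of-date contact info
    le_written_hold_until: Optional[date] = None   # end date given in a written law-enforcement statement
    le_oral_request_on: Optional[date] = None      # date an oral law-enforcement request was documented


@dataclass
class Obligations:
    individual_deadline: date
    secretary_mode: str             # "within_60_days" or "annual_log"
    secretary_deadline: date
    media_jurisdictions: List[str]  # jurisdictions needing prominent-media notice
    substitute_notice: str          # "none", "alternative_form" or "website_or_media"
    toll_free_until: Optional[date]
    send_not_before: date           # earliest send date given any law-enforcement hold


def annual_log_deadline(discovered_on: date) -> date:
    """Fewer than 500 affected: submit no later than 60 days after the end of the discovery year."""
    return date(discovered_on.year, 12, 31) + timedelta(days=NOTIFY_WINDOW_DAYS)


def law_enforcement_hold(facts: BreachFacts) -> date:
    """A written statement governs; an oral one holds for at most 30 days unless a written one extends it."""
    if facts.le_written_hold_until is not None:
        return facts.le_written_hold_until
    if facts.le_oral_request_on is not None:
        return facts.le_oral_request_on + timedelta(days=ORAL_LE_DELAY_MAX_DAYS)
    return facts.discovered_on


def determine_obligations(facts: BreachFacts) -> Obligations:
    # The 60-day clock starts on the discovery date. The page does not say how a
    # law-enforcement hold interacts with that clock, so both dates are reported.
    deadline = facts.discovered_on + timedelta(days=NOTIFY_WINDOW_DAYS)

    if facts.affected_total >= SECRETARY_IMMEDIATE_MIN:
        secretary_mode, secretary_deadline = "within_60_days", deadline
    else:
        secretary_mode, secretary_deadline = "annual_log", annual_log_deadline(facts.discovered_on)

    media = sorted(j for j, n in facts.affected_by_jurisdiction.items() if n >= MEDIA_MIN_RESIDENTS)

    if facts.unreachable >= SUBSTITUTE_NOTICE_MIN:
        # Assumption: the 90-day toll-free window is counted from discovery here.
        substitute = "website_or_media"
        toll_free = facts.discovered_on + timedelta(days=TOLL_FREE_MIN_DAYS)
    elif facts.unreachable > 0:
        substitute, toll_free = "alternative_form", None
    else:
        substitute, toll_free = "none", None

    return Obligations(
        individual_deadline=deadline,
        secretary_mode=secretary_mode,
        secretary_deadline=secretary_deadline,
        media_jurisdictions=media,
        substitute_notice=substitute,
        toll_free_until=toll_free,
        send_not_before=law_enforcement_hold(facts),
    )


if __name__ == "__main__":
    # Constructed sample: a large breach with an oral law-enforcement request.
    sample = BreachFacts(date(2024, 3, 1), 1200, {"CA": 700, "NV": 450}, 12,
                         le_oral_request_on=date(2024, 3, 2))
    print(determine_obligations(sample))
```

The `send_not_before` field only captures the hold period the page describes; reconciling a hold that runs past the 60-day outer limit is a decision for counsel, so the sketch reports both dates rather than collapsing them.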
Mitigation and Investigation Measures
Act immediately to contain and investigate. Secure affected systems or locations, preserve logs and evidence, and coordinate with security, privacy, and legal teams. If a business associate is involved, activate the breach provisions in your agreement and exchange facts quickly.
- Mitigation: reset credentials, disable compromised accounts, patch vulnerabilities, and consider remedies such as credit monitoring or identity protection where appropriate.
- Workforce measures: retrain staff, address process gaps, and apply sanctions when policies were violated to support Privacy Rule compliance.
- Prevention: strengthen encryption and device controls, tighten access management, and rehearse incident response.
- Documentation: maintain the investigation record, risk assessment, decision to notify or not, copies of notices, and remediation plans for required retention periods.
FAQs
What constitutes a breach under HIPAA Section 13402?
A breach is an impermissible acquisition, access, use, or disclosure of PHI that violates the Privacy Rule and compromises the PHI’s security or privacy. Unless you can show a low probability of compromise after a documented risk assessment, an impermissible disclosure is presumed to be a reportable breach of unsecured PHI.
When must covered entities notify the Secretary of a breach?
If a breach affects 500 or more individuals, notify the Secretary without unreasonable delay and no later than 60 days from discovery. If fewer than 500 individuals are affected, record the breach and submit it to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.
What information must be included in a breach notification?
Include what happened (with breach and discovery dates), the types of unsecured protected health information involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm and prevent recurrence, and clear contact information for questions.
When is media notification required for a breach?
Media notification is required when a breach affects more than 500 residents of a single state or jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and within 60 days of discovery, in addition to notifying individuals and the Secretary.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.