HIPAA Violation Reported? How Covered Entities Investigate, Mitigate, and Notify


Kevin Henry

HIPAA

October 10, 2024

8 minutes read

Definition of Breach

Under the Breach Notification Rule, a breach is an impermissible use or disclosure of Protected Health Information (PHI) that compromises the security or privacy of that information. PHI includes any individually identifiable health information in any form—paper, verbal, or electronic—created or received by a covered entity or business associate.

A breach is presumed unless you demonstrate a low probability that PHI has been compromised based on a documented Risk Assessment. “Unsecured PHI” means the data was not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption and key management). If PHI is properly secured, notification typically is not required.

Four-factor risk assessment

  • Nature and extent of the PHI involved (types of identifiers and likelihood of re-identification).
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, obtaining a satisfactory destruction or non-use attestation).

Exceptions that are not breaches

  • Unintentional access or use by a workforce member acting in good faith within scope of authority.
  • Inadvertent disclosure between authorized persons within the same covered entity or business associate.
  • Disclosures where the recipient could not reasonably retain the information.

Discovery occurs on the first day the incident is known—or by exercising reasonable diligence should have been known—to the covered entity. That date starts all notification timelines.

Investigation Process

Effective Incident Response is structured, fast, and well-documented. As soon as a HIPAA violation is reported, you should open an incident record and launch a privacy–security investigation that runs in parallel with containment actions.

Step-by-step approach

  • Contain and preserve: Disable exposed accounts, revoke credentials, isolate affected systems, and secure physical records. Preserve logs, emails, and device images to maintain evidence.
  • Assemble the team: Engage privacy and security officers, IT, compliance, legal, and communications. If a business associate is involved, coordinate roles immediately.
  • Fact-finding: Determine what happened, when it began, how it was discovered, the systems and records affected, and which individuals were impacted.
  • Risk Assessment: Apply the four-factor analysis to decide whether there is a low probability of compromise or a notifiable breach.
  • Decision and documentation: Conclude “breach” or “no breach,” record your rationale, and set notification requirements and deadlines. If a business associate is your agent, their knowledge can trigger your discovery date.
  • Law enforcement coordination: If notification would impede an investigation, obtain a documented delay from law enforcement (written request with a specified time; oral requests permit a limited temporary delay).
  • Corrective action plan: Identify root causes, implement fixes, and schedule follow-up testing to validate that risks are closed.

Keep a master timeline that captures discovery, containment, analysis, mitigation, and each notification event. This record is essential for demonstrating Covered Entity Obligations were met.
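The "contain and preserve" step and the master timeline above both depend on evidence that can later be shown to be unaltered. The following is an added example (not code from the article or from Accountable) of a small incident record that hashes each preserved artifact with SHA-256 at collection time, keeps a sorted timeline of discovery, containment, analysis, mitigation and notification events, and re-verifies an artifact on demand. The incident id, log content and timestamps are constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceManifest:
    """Append-only record of preserved artifacts plus the incident's master timeline."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.items = []     # preserved artifacts with integrity hashes
        self.timeline = []  # discovery, containment, analysis, mitigation, notification events

    def log(self, when: datetime, phase: str, note: str) -> None:
        # Timestamps are UTC-aware ISO 8601 strings, so sorting them as text keeps order.
        self.timeline.append({"at": when.isoformat(), "phase": phase, "note": note})
        self.timeline.sort(key=lambda e: e["at"])

    def preserve(self, name: str, data: bytes, collected_by: str, when: datetime) -> dict:
        """Record an artifact's hash and size at collection so later tampering is detectable."""
        entry = {"name": name, "sha256": sha256_hex(data), "size": len(data),
                 "collected_by": collected_by, "collected_at": when.isoformat()}
        self.items.append(entry)
        self.log(when, "containment", f"preserved {name} sha256={entry['sha256'][:12]}...")
        return entry

    def verify(self, name: str, data: bytes) -> bool:
        """Re-hash an artifact (e.g. before handing it to counsel or a forensic vendor)."""
        expected = next((i["sha256"] for i in self.items if i["name"] == name), None)
        return expected is not None and sha256_hex(data) == expected

    def to_json(self) -> str:
        return json.dumps({"incident": self.incident_id, "evidence": self.items,
                           "timeline": self.timeline}, indent=2)


# Constructed sample artifact: two lines of an authentication log from a hypothetical EHR host.
DEMO_LOG = (b"2024-10-10T08:57:12Z ehr-app01 login user=jsmith src=203.0.113.7 result=ok\n"
            b"2024-10-10T08:58:40Z ehr-app01 export user=jsmith records=412 result=ok\n")


def build_demo_manifest() -> EvidenceManifest:
    """Constructed incident: events are logged out of order to show the timeline re-sorting."""
    m = EvidenceManifest("INC-EXAMPLE-001 (constructed id)")
    m.preserve("auth.log", DEMO_LOG, collected_by="security-oncall",
               when=datetime(2024, 10, 10, 10, 30, tzinfo=timezone.utc))
    m.log(datetime(2024, 10, 10, 9, 0, tzinfo=timezone.utc), "discovery",
          "help desk report: bulk record export by a workforce account outside its role")
    m.log(datetime(2024, 10, 10, 14, 0, tzinfo=timezone.utc), "analysis",
          "four-factor risk assessment started; account disabled and credentials revoked")
    return m


if __name__ == "__main__":
    manifest = build_demo_manifest()
    print(manifest.to_json())
    print("auth.log intact:", manifest.verify("auth.log", DEMO_LOG))
```

The `verify` check is what turns "we kept the logs" into evidence a regulator or court can rely on: the hash recorded at containment time either matches the file you present later or it does not.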

Mitigation Requirements

HIPAA requires covered entities and business associates to mitigate, to the extent practicable, any harmful effect of an impermissible use or disclosure. Your mitigation plan should be proportional to the risk and promptly executed.

  • Stop the bleed: Terminate improper access, recall or delete misdirected emails, recover paper files, and remotely wipe lost devices when possible.
  • Reduce downstream harm: Request recipients to return or destroy PHI; secure written attestations where feasible. Offer credit or identity monitoring when Social Security numbers or financial data were involved.
  • Strengthen controls: Patch vulnerabilities, enforce multi-factor authentication, tighten minimum-necessary access, and enhance outbound filtering and DLP.
  • Workforce Sanctions and retraining: Apply consistent sanctions for violations and deliver targeted training to prevent recurrence.
  • Document everything: Record actions taken, dates, communications, and outcomes to evidence compliance.

Notification to Affected Individuals

You must notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. If a business associate is your agent, their discovery date can start your clock, so coordinate quickly.

Content of the notice

  • A brief description of what happened, including the breach and discovery dates.
  • Types of PHI involved (for example, names, addresses, dates of birth, diagnoses, account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • How to reach you for more information (toll-free number, email, or postal address).

Method of notice and substitutes

  • Provide written notice by first-class mail or by email if the individual has agreed to electronic notice. For deceased individuals, notify the next of kin or personal representative when appropriate.
  • If fewer than 10 individuals have insufficient or out-of-date contact information, use an alternative method such as telephone or email.
  • If 10 or more individuals are unreachable, provide substitute notice via a conspicuous website posting or major media and maintain a toll-free number for at least 90 days.

At the request of law enforcement, you may delay notifications if they would impede a criminal investigation or threaten national security. Maintain documentation of any delay.


Notification to the Secretary

Health and Human Services Notification must be submitted through the designated reporting channel.

  • 500 or more individuals affected: Notify the Secretary without unreasonable delay and no later than 60 calendar days from discovery.
  • Fewer than 500 individuals affected: Log the breach and notify the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered. You may submit each event as it occurs or as a year-end log.

Ensure your submission aligns with the facts in individual and media notices, including scope, dates, and mitigation steps.

Media Notification

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets in that area without unreasonable delay and no later than 60 days after discovery. The media notice should contain the same core elements as individual notices but must never include PHI.

Media notification supplements, and does not replace, individual notification. If substitute notice is also required because many individuals are unreachable, provide both as applicable.

Reporting by Business Associates

Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Business associate agreements often require faster reporting, so follow the stricter timeline when it applies.

  • Provide the covered entity with the identification of each affected individual and the information needed for individual, media, and Secretary notifications.
  • Coordinate on containment, Risk Assessment, and mitigation steps, and maintain thorough documentation.
  • Ensure subcontractors promptly report incidents to the business associate, who then reports to the covered entity.

When a business associate acts as the covered entity’s agent, the agent’s knowledge may be imputed to the covered entity for determining discovery and deadlines. Clarify agency status in your agreement and incident playbooks.
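The notification rules in the sections above (individual notice, substitute notice, notice to the Secretary, media notice, and the imputed discovery date of an agent business associate) combine into a small decision procedure. The following is an added example, not code from the article or from Accountable, that encodes those thresholds and deadlines and works them through constructed scenarios. It assumes the deadlines exactly as the article states them; the treatment of a law-enforcement delay (deadline becomes the later of the normal date and the requested end date) is an assumption, and the affected counts, states and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

NOTICE_DAYS = 60                  # no later than 60 calendar days after discovery
LARGE_BREACH = 500                # 500+ individuals: Secretary notified within 60 days
MEDIA_THRESHOLD = 500             # 500+ residents of one state: media notice required
SUBSTITUTE_THRESHOLD = 10         # 10+ unreachable: website/major media + toll-free number
TOLL_FREE_DAYS = 90


@dataclass
class BreachFacts:
    ce_discovery: date                        # first day the covered entity knew or should have known
    affected_by_state: Dict[str, int]         # affected residents per state or jurisdiction
    unreachable: int = 0                      # individuals with insufficient/out-of-date contact info
    agent_ba_discovery: Optional[date] = None # discovery date of a business associate acting as agent
    phi_secured: bool = False                 # True if PHI was rendered unusable (e.g. encrypted)
    low_probability_of_compromise: bool = False  # conclusion of the documented four-factor assessment
    law_enforcement_delay_until: Optional[date] = None  # end date from a written law-enforcement request


def discovery_date(f: BreachFacts) -> date:
    """An agent business associate's knowledge is imputed to the covered entity,
    so the earlier of the two discovery dates starts every clock."""
    if f.agent_ba_discovery is not None and f.agent_ba_discovery < f.ce_discovery:
        return f.agent_ba_discovery
    return f.ce_discovery


def secretary_deadline(discovered: date, total: int) -> date:
    """500+ individuals: 60 days from discovery. Fewer: 60 days after the end of
    the calendar year in which the breach was discovered (annual log)."""
    if total >= LARGE_BREACH:
        return discovered + timedelta(days=NOTICE_DAYS)
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_DAYS)


def notification_obligations(f: BreachFacts) -> dict:
    """Decide whether notice is due and, if so, to whom and by when."""
    if f.phi_secured:
        return {"notifiable_breach": False, "reason": "PHI was secured; not unsecured PHI"}
    if f.low_probability_of_compromise:
        return {"notifiable_breach": False,
                "reason": "documented four-factor assessment: low probability of compromise"}

    discovered = discovery_date(f)
    total = sum(f.affected_by_state.values())
    due = discovered + timedelta(days=NOTICE_DAYS)
    # Assumption: a documented law-enforcement delay pushes the deadline to the delay's end date.
    if f.law_enforcement_delay_until is not None and f.law_enforcement_delay_until > due:
        due = f.law_enforcement_delay_until

    if f.unreachable == 0:
        substitute = None
    elif f.unreachable < SUBSTITUTE_THRESHOLD:
        substitute = "alternative method (telephone or email)"
    else:
        substitute = (f"conspicuous website posting or major media; "
                      f"toll-free number for at least {TOLL_FREE_DAYS} days")
    media_states = sorted(s for s, n in f.affected_by_state.items() if n >= MEDIA_THRESHOLD)

    return {
        "notifiable_breach": True,
        "discovery_date": discovered,
        "total_affected": total,
        "individual_notice_due": due,
        "substitute_notice": substitute,
        "media_notice_states": media_states,
        "media_notice_due": due if media_states else None,
        "secretary_due": secretary_deadline(discovered, total),
    }


def run_examples() -> Dict[str, dict]:
    """Constructed scenarios (hypothetical states, counts and dates)."""
    return {
        "large_multi_state": notification_obligations(BreachFacts(
            ce_discovery=date(2024, 10, 15), agent_ba_discovery=date(2024, 10, 10),
            affected_by_state={"TX": 620, "NM": 40}, unreachable=12)),
        "small_single_state": notification_obligations(BreachFacts(
            ce_discovery=date(2024, 10, 10), affected_by_state={"NM": 120}, unreachable=3)),
        "law_enforcement_delay": notification_obligations(BreachFacts(
            ce_discovery=date(2024, 10, 10), affected_by_state={"TX": 50},
            law_enforcement_delay_until=date(2025, 1, 15))),
        "encrypted_laptop": notification_obligations(BreachFacts(
            ce_discovery=date(2024, 10, 10), affected_by_state={"TX": 900}, phi_secured=True)),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(name, result)
```

In the first scenario the agent business associate's earlier discovery date (October 10) starts the clock even though the covered entity learned of the breach five days later, so individual, media (Texas only, since New Mexico is under 500 residents) and Secretary notices are all due by December 9, 2024. The second scenario falls under 500 individuals, so the Secretary deadline moves to 60 days after the calendar year ends.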

Administrative Requirements

HIPAA’s Administrative Requirements reinforce Covered Entity Obligations and establish durable governance around breach handling. Build these controls before an incident—and refine them after every event.

Policies, procedures, and records

  • Maintain written policies for incident intake, investigation, Risk Assessment, mitigation, and notifications.
  • Keep breach logs, assessment worksheets, notices, law-enforcement delay letters, and decision memos for at least six years.
  • Execute and manage business associate agreements that define reporting duties, timelines, and cooperation requirements.

Training, minimum necessary, and Workforce Sanctions

  • Deliver role-based training on privacy, security, and incident reporting; refresh training after material changes or incidents.
  • Enforce minimum-necessary access and monitor for anomalous behavior.
  • Apply consistent Workforce Sanctions for violations and track completion of corrective actions.

Technical and physical safeguards

  • Perform ongoing risk analysis and risk management under the Security Rule.
  • Use strong encryption, multi-factor authentication, timely patching, least-privilege access, and audit logging with alerting.
  • Protect paper records with secure storage, transport procedures, and destruction protocols.

In short, a reported HIPAA violation demands swift Incident Response, a defensible Risk Assessment, practical mitigation, and timely notifications to individuals, the Secretary, and the media where required—all documented to show full compliance with the Breach Notification Rule.

FAQs

What steps are taken to investigate a HIPAA breach?

You immediately contain the issue, preserve evidence, and assemble privacy, security, legal, and communications leads. You confirm what happened, who and what were affected, and apply the four-factor Risk Assessment. You document findings, decide if the event is a notifiable breach, coordinate with any business associate, plan mitigation and remediation, and track every milestone and decision in a central incident record.

How soon must affected individuals be notified of a violation?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. If law enforcement formally requests a delay, you may pause notice for the specified period and then proceed promptly.

What are the mitigation requirements after a HIPAA breach?

You must mitigate harmful effects to the extent practicable. Typical actions include stopping further exposure, recovering or destroying disclosed PHI, offering identity protection if sensitive data was involved, hardening security controls, retraining staff, applying Workforce Sanctions when appropriate, and documenting all steps and outcomes.

When must the Secretary of HHS be notified of a breach?

If a breach affects 500 or more individuals, you must notify the Secretary without unreasonable delay and no later than 60 days from discovery. If it affects fewer than 500 individuals, you must log the event and submit Health and Human Services Notification no later than 60 days after the end of the calendar year in which the breach was discovered.
