HITECH Act Breach Notification Requirements: Examples, Timelines, and Penalty Avoidance


Kevin Henry

Data Breaches

July 27, 2024


Definition of Breach

Under the HIPAA Breach Notification Rule, a breach is an impermissible use or disclosure of unsecured Protected Health Information (PHI) that compromises its privacy or security. “Unsecured” means the PHI has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through technologies such as strong encryption or proper destruction.

Three narrow exceptions are not considered breaches: (1) good‑faith, unintentional access or use by a workforce member acting within the scope of their authority; (2) inadvertent disclosure from one authorized person to another within the same organization; and (3) a good‑faith belief that the recipient could not have retained the information. De‑identified data is outside these requirements, while limited data sets remain PHI.

Examples

  • Lost, encrypted laptop: If encryption meets recognized standards, no breach notification is required.
  • Misdirected discharge papers mailed to the wrong patient: Breach requiring notice to the affected individual.
  • Ransomware that encrypts ePHI: Presumed breach unless a documented assessment shows a low probability of compromise.
  • Employee snooping on a family member’s record: Unauthorized access resulting in a breach.

Covered Entities and Business Associates must evaluate incidents consistently and document their rationale, because notification obligations turn on whether PHI was unsecured and actually compromised.

Conducting Risk Assessments

Impermissible uses or disclosures are presumed breaches unless you demonstrate a low probability of compromise through a documented, case‑specific risk assessment. Apply the four Risk Assessment Factors to every incident and retain the analysis.

The four Risk Assessment Factors

  • Nature and extent of PHI involved, including types of identifiers and the likelihood of re‑identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made, and whether they are obligated to protect it.
  • Whether the PHI was actually acquired or viewed (not just potentially exposed).
  • The extent to which the risk has been mitigated (for example, confirmed destruction or retrieval, or binding confidentiality assurances).

Practical workflow

  • Contain the incident immediately and preserve evidence (logs, emails, device IDs).
  • Identify the PHI elements affected and the systems, users, and Business Associates involved.
  • Analyze each factor with objective evidence; avoid boilerplate conclusions.
  • Decide whether notification is required; record dates, decisions, and approvers.
  • Implement corrective actions to prevent recurrence; track to completion.

Notification Timelines

You must notify without unreasonable delay and by specific outside deadlines that start on the date of discovery (the day the incident is known, or should reasonably have been known).

  • Affected individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • Business Associates to Covered Entities: Without unreasonable delay and no later than 60 days; many Business Associate Agreements require shorter periods.
  • Secretary of Health and Human Services (HHS): For incidents affecting 500 or more individuals, within 60 days of discovery; for fewer than 500, no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Media outlets: For breaches affecting 500 or more residents of a state or jurisdiction, within 60 days of discovery.

If state law imposes a shorter timeline for certain data types, follow the stricter standard while still meeting federal obligations.


Notification to Affected Individuals

Method and format

  • Provide written notice by first‑class mail or by email if the individual has agreed to electronic notice.
  • If there is insufficient or out‑of‑date contact information for fewer than 10 individuals, use an alternative method such as telephone.
  • If there is insufficient or out‑of‑date contact information for 10 or more individuals, provide substitute notice via a prominent website posting or major print/broadcast media for at least 90 days, and maintain a toll‑free number active for the same period.
  • For imminent misuse, supplement with urgent telephone or other means.

Required content

  • A brief description of what happened, including the breach and discovery dates.
  • The types of unsecured PHI involved (for example, names, diagnoses, Social Security numbers).
  • Steps individuals should take to protect themselves (such as placing fraud alerts or changing portal passwords).
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact information, including a toll‑free number, email, and mailing address.

Notification to Media Outlets

When a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area. Issue the notice without unreasonable delay and no later than 60 calendar days after discovery. The content must mirror the individual notice and be written in clear, plain language.

Notification to HHS

You must notify the Secretary of Health and Human Services through the designated breach reporting process. For incidents involving 500 or more individuals, submit within 60 days of discovery. For fewer than 500, maintain a breach log and submit no later than 60 days after the end of the calendar year.

Information typically included

  • Covered Entity or Business Associate identity and point of contact.
  • Number of individuals affected and the PHI elements involved.
  • Incident description, dates, and the likely cause (for example, theft, hacking, improper disposal).
  • Mitigation, remediation steps, and safeguards implemented to prevent recurrence.

Penalties and Penalty Tiers

Under the HITECH Act, Tiered Civil Monetary Penalties scale with culpability and the extent of noncompliance. OCR evaluates whether the entity exercised reasonable diligence, whether the violation resulted from reasonable cause or willful neglect, and whether the entity corrected within 30 days.

The four tiers at a glance

  • Tier 1: No knowledge—violations the entity could not have known with reasonable diligence.
  • Tier 2: Reasonable cause—violations due to genuine, non‑willful neglect.
  • Tier 3: Willful neglect corrected within the required timeframe.
  • Tier 4: Willful neglect not corrected—highest penalties and enforcement exposure.

Penalties apply per violation and may include annual caps by tier. OCR also considers aggravating and mitigating factors such as the number of individuals affected, duration, harm, prior history, cooperation, and financial condition. Beyond monetary penalties, expect corrective action plans, external monitoring, and ongoing reporting.

Strategies for Avoiding Penalties

  • Encrypt all ePHI at rest and in transit; properly destroy media to avoid “unsecured” PHI.
  • Perform and document risk analyses and targeted incident risk assessments using the four factors; retain records and decisions.
  • Harden identity and access: unique IDs, role‑based access, multifactor authentication, automatic logoff, and routine access reviews.
  • Strengthen detection and response: centralized logging, alerting, tested incident response plans, and ransomware‑ready, immutable backups.
  • Train the workforce regularly; enforce sanctions for snooping and other violations.
  • Manage Business Associates: execute robust Business Associate Agreements, set short breach‑reporting timeframes, and verify safeguards.
  • Minimize PHI use and retention; apply the minimum necessary standard and secure disposal.
  • Rehearse notifications with templates and approvals so you can meet the 60‑day window without errors.

FAQs

What constitutes a breach under the HITECH Act?

A breach is an impermissible use or disclosure of unsecured Protected Health Information that compromises its privacy or security. Unless a documented four‑factor assessment shows a low probability of compromise—or a narrow exception applies—you must treat the incident as a breach and proceed with notifications.

How soon must a breach be reported under the HITECH Act?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, notify HHS and, if 500 or more residents of a state or jurisdiction are involved, the media within the same 60‑day outer limit. Breaches involving fewer than 500 individuals must be reported to HHS no later than 60 days after the end of the calendar year.

Who must receive breach notifications under the HITECH Act?

Affected individuals always receive notice. For incidents affecting 500 or more residents of a state or jurisdiction, prominent media outlets serving that area must also be notified. HHS must be notified for all breaches—within 60 days for 500 or more individuals, or annually for fewer than 500. Business Associates notify the Covered Entity, which then notifies individuals unless otherwise delegated.

What are the penalties for failing to comply with breach notification requirements?

OCR can impose Tiered Civil Monetary Penalties that escalate based on culpability, from no‑knowledge violations through willful neglect not corrected. Penalties apply per violation and may reach significant totals when multiplied across individuals and days, and they may be accompanied by corrective action plans, monitoring, and reputational consequences.
