HITECH Act Breach Notification Requirements: Healthcare Examples and Enforcement Actions


HITECH Act Breach Notification Requirements: Healthcare Examples and Enforcement Actions

Kevin Henry

Data Breaches

July 26, 2024

7 minutes read

Breach Notification Requirements

The HITECH Act’s Breach Notification Rule requires covered entities and business associates to notify affected individuals after a breach of unsecured protected health information (PHI). A breach is an unauthorized acquisition, access, use, or disclosure of PHI that is not permitted by the HIPAA Privacy Rule and that compromises the security or privacy of the data.

Determining whether an incident is a breach

  • Apply the four-factor risk assessment: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received it, (3) whether PHI was actually viewed or acquired, and (4) the extent to which risks have been mitigated. An impermissible use or disclosure is presumed to be a breach unless this assessment demonstrates a low probability that the PHI was compromised, so document the analysis and its conclusion.
  • Exceptions include good-faith, unintentional access by a workforce member within scope, inadvertent disclosures between authorized persons, and disclosures where the recipient could not reasonably retain the information.
  • Encrypted PHI meeting recognized standards is not considered “unsecured,” so notification is generally not required if the data remain strongly encrypted and the decryption key was not also exposed.

Timelines and method of individual notice

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. “Discovery” occurs when the incident is known or should reasonably have been known to the organization.
  • Provide written notice by first‑class mail (or email if the individual has agreed). The notice must describe what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and contact information.
  • If contact information is insufficient for fewer than 10 people, use alternative means like telephone. If it is insufficient for 10 or more, provide substitute notice via a conspicuous website posting for at least 90 days or a major print/broadcast media announcement, plus a toll‑free number.
  • Law enforcement delays are permitted when an authorized official states that notice would impede an investigation; document the request and resume notifications when cleared.

Healthcare examples

  • Misdirected discharge paperwork containing PHI to another patient (unauthorized disclosure): risk assessment shows high likelihood of compromise; send individual notices within 60 days and implement extra discharge controls.
  • Phishing email exposes inboxes with appointment schedules and diagnoses: engage forensics, evaluate whether messages were accessed, provide timely notifications, offer credit monitoring where appropriate, and harden email security.
  • Lost unencrypted laptop with treatment records: notify promptly, deploy full‑disk encryption, and retrain staff on device handling.

Reporting to HHS

Covered entities must report breaches to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR); business associates report to the covered entity unless the agreement assigns reporting authority.

  • Breaches affecting 500 or more individuals: report to HHS without unreasonable delay and no later than 60 days after discovery.
  • Breaches affecting fewer than 500 individuals: log each incident and submit a summary report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.
  • Reports should include the incident description, the number of affected individuals, the types of PHI involved, mitigation steps, and your corrective action plan.

Media Notification Obligations

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. The content should mirror the individual notice and provide a means for questions.

Media may also be used for substitute notice when you lack contact information for 10 or more affected individuals. Keep substitute web postings active for at least 90 days and provide a toll‑free number during that period.


Business Associate Responsibilities

Business associates play a central role in breach response and must meet specific obligations under the Breach Notification Rule.

  • Notify the covered entity without unreasonable delay and no later than 60 days after discovery. Many business associate agreements (BAAs) require even shorter internal deadlines (for example, 5–15 days).
  • Provide the identification of each affected individual and information the covered entity needs to complete notices, including incident facts, PHI types, and mitigation undertaken.
  • Flow‑down obligations: require subcontractors to protect PHI and to report incidents to the business associate so notices can be coordinated.
  • Coordinate message content, timing, and HHS reporting with the covered entity to avoid conflicting communications.

Enforcement and Penalties

OCR enforces breach notifications through investigations, resolution agreements with corrective action plans, and civil monetary penalties. Penalty tiers escalate based on culpability—from violations where the entity did not know and could not reasonably have known, to willful neglect not corrected within the required time.

  • Key penalty drivers include untimely notifications, failure to conduct an enterprise‑wide risk analysis, inadequate access controls, lack of encryption for portable devices, insufficient workforce training, and poor business associate oversight.
  • Willful neglect triggers the highest exposure and may lead to mandatory investigations and substantial civil monetary penalties. Amounts are adjusted for inflation, and per‑violation and annual caps apply.
  • Corrective action plans typically require risk analysis, risk management, policy updates, training, auditing, and reporting to OCR for a defined period.

Notable Enforcement Examples

  • Delayed notification after phishing incident: An entity took more than 60 days to notify, lacked multi‑factor authentication, and had incomplete risk analysis. Outcome included a settlement with a multi‑year corrective action plan and significant civil monetary penalties.
  • Unsecured cloud storage by a business associate: A misconfigured database exposed PHI. OCR focused on the covered entity’s vendor oversight, BAA deficiencies, and access controls, resulting in a settlement and mandated vendor risk management improvements.
  • Lost unencrypted devices: A provider reported repeated losses of unencrypted laptops and USB drives. OCR cited failure to implement encryption and device tracking, leading to a monetary settlement and mandatory enterprise encryption.

State Law Considerations

HIPAA generally preempts contrary state laws, but more stringent state privacy or breach‑notification requirements still apply. Many states impose shorter notice timelines (for example, 30 or 45 days), broader definitions of personal information, or additional regulator/attorney‑general reporting obligations.

  • When both HIPAA/HITECH and state laws apply, use the most stringent rule across all affected jurisdictions, especially for timing and content of notices.
  • State thresholds and recipients vary; some require notifying consumer reporting agencies or specific regulators depending on the breach size.
  • Multi‑state incidents benefit from a jurisdictional matrix that tracks deadlines, content requirements (such as offering credit monitoring), and language mandates.
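The thresholds and deadlines described above (individual notice, HHS reporting, media and substitute notice, and the most stringent timeline across HITECH and state law) can be encoded as one decision routine that an incident response team runs at discovery time. This is an added example, not code from the article or from Accountable; the state codes and their 30- and 45-day deadlines are constructed placeholders, not real statutes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HITECH_DAYS = 60  # HITECH outer limit for individual, HHS (500+) and media notice
# Constructed state notice deadlines (days after discovery); illustrative, not real statutes.
STATE_NOTICE_DAYS = {"XA": 30, "XB": 45}


@dataclass
class Incident:
    discovered: date            # date the breach was known or should have been known
    affected_by_state: dict     # state/jurisdiction code -> affected residents
    unreachable: int = 0        # individuals with insufficient contact information
    phi_secured: bool = False   # encrypted to a recognized standard, key not exposed


def notification_plan(inc: Incident) -> dict:
    """Derive the required notices and their outer deadlines for one incident."""
    plan = {"individual_notice": False, "hhs_report": None,
            "media_notice": [], "substitute_notice": None, "deadlines": {}}
    total = sum(inc.affected_by_state.values())
    # Secured PHI is not "unsecured PHI": the notification rule is not triggered.
    if inc.phi_secured or total == 0:
        return plan
    plan["individual_notice"] = True
    # Individual notice: most stringent timeline across HITECH and every affected state.
    days = min([HITECH_DAYS] + [STATE_NOTICE_DAYS[s]
                                for s in inc.affected_by_state if s in STATE_NOTICE_DAYS])
    plan["deadlines"]["individual"] = inc.discovered + timedelta(days=days)
    # HHS: 500+ within 60 days of discovery; otherwise logged and reported annually,
    # no later than 60 days after the end of the calendar year of discovery.
    if total >= 500:
        plan["hhs_report"] = "within_60_days"
        plan["deadlines"]["hhs"] = inc.discovered + timedelta(days=HITECH_DAYS)
    else:
        plan["hhs_report"] = "annual_log"
        plan["deadlines"]["hhs"] = date(inc.discovered.year, 12, 31) + timedelta(days=HITECH_DAYS)
    # Media: 500+ residents of any single state or jurisdiction.
    plan["media_notice"] = sorted(s for s, n in inc.affected_by_state.items() if n >= 500)
    if plan["media_notice"]:
        plan["deadlines"]["media"] = inc.discovered + timedelta(days=HITECH_DAYS)
    # Substitute notice when contact information is insufficient.
    if inc.unreachable >= 10:
        plan["substitute_notice"] = "web_posting_90_days_or_major_media_plus_toll_free_number"
    elif inc.unreachable > 0:
        plan["substitute_notice"] = "alternative_means_such_as_telephone"
    return plan
```

The returned deadlines are outer limits; the rule still requires notice "without unreasonable delay", so the plan is a floor for tracking, not a target.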

Conclusion

The HITECH Act’s Breach Notification Rule sets clear expectations: assess incidents quickly, notify individuals, report to HHS, engage the media when thresholds are met, and coordinate closely with business associates. Timely action, strong documentation, and disciplined security practices reduce harm, limit enforcement exposure, and demonstrate compliance.

FAQs

What are the HITECH Act breach notification timelines?

You must notify affected individuals without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more individuals, notify HHS within the same 60‑day window; for fewer than 500, submit an annual report to HHS within 60 days after the end of the calendar year. Media notice is required within 60 days if 500 or more residents of a state or jurisdiction are affected.

Who must report breaches under the HITECH Act?

Covered entities are responsible for reporting to individuals, HHS, and the media when required. Business associates must notify the covered entity of breaches of unsecured PHI and provide the details needed to complete notifications; BAAs may assign additional or faster reporting duties.

What penalties apply for non-compliance with breach notifications?

OCR can require corrective action plans and impose civil monetary penalties that scale by culpability, with the highest tier reserved for willful neglect not corrected in a timely manner. Factors include notification delays, lack of risk analysis, insufficient safeguards, and inadequate business associate oversight.

How do state laws affect HITECH Act breach notifications?

State laws that are more stringent than HIPAA/HITECH are not preempted. Many states require faster notice, different content, or regulator and attorney‑general reporting. In multi‑state incidents, apply the strictest applicable requirement to ensure compliance across jurisdictions.
