HITECH Act Breach Notification Rule: Requirements, Timelines, and Compliance Guide

Kevin Henry

Data Breaches

July 24, 2024

Breach Notification Requirements

What triggers the rule

The HITECH Act Breach Notification Rule requires you to notify specific parties after a breach of unsecured protected health information (PHI). It applies to covered entities and their business associates: an impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless one of the exceptions below applies or a documented risk assessment shows a low probability that the PHI has been compromised.

What counts as unsecured PHI

Unsecured protected health information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction that meets HHS guidance. If PHI is properly encrypted or destroyed, the incident generally falls outside the breach notification rule. Encryption only counts if the key or confidential process needed to decrypt the data was not itself compromised, which is why HHS guidance expects decryption keys to be stored on a separate device or location from the data they protect: a stolen laptop with the key cached alongside the ciphertext does not hold "secured" PHI.

Exceptions to “breach”

  • Unintentional access or use by a workforce member acting in good faith within scope of authority, with no further improper disclosure.
  • Inadvertent disclosure by an authorized person to another authorized person within the same covered entity, business associate, or organized health care arrangement.
  • A good-faith belief that the unauthorized recipient could not reasonably retain the information.

Conduct the risk assessment

You must document a risk assessment to determine whether there is a low probability that PHI has been compromised. Evaluate: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received the data, (3) whether the PHI was actually viewed or acquired, and (4) the extent of mitigation (for example, confirmed destruction or retrieval).

Who must be notified

  • Affected individuals.
  • The U.S. Department of Health and Human Services (HHS), following HHS reporting requirements.
  • The media, when the media notification rule is triggered by the size and geography of the breach.

Notification Timelines

When the clock starts

The breach is “discovered” on the first day it is known to you—or would have been known by exercising reasonable diligence. Knowledge by any workforce member or agent (other than the person committing the breach) counts as knowledge of the organization.

Individuals

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. If there is an urgent risk of misuse, use telephone or other expedient means in addition to written notice.

HHS

  • Breaches affecting 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days from discovery.
  • Breaches affecting fewer than 500 individuals: log the incident and submit to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

Business associates

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days from discovery, supplying details needed to meet breach notification timelines for individuals, HHS, and media if applicable.

Law enforcement delay

You may delay notifications if a law enforcement official states that notice would impede a criminal investigation or damage national security. A written statement must specify how long to delay; an oral statement must be documented (including the identity of the official) and permits a delay of no more than 30 days from the date of the oral statement unless a written statement is provided during that time.

State law interplay

State data breach laws may impose shorter deadlines or additional recipient requirements. Apply the most stringent timeline that applies to your incident and location.
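The timeline rules above (discovery date, the 60-day outer limit, the annual log for small breaches, the per-state media trigger, and the law enforcement delay) can be turned into a breach-calendar calculator so deadlines are computed the same way every time rather than by hand. The script below is an added example written for this page, not code from the article or from Accountable. The Breach and LawEnforcementDelay structures, the function names, and the two sample breaches are constructed for illustration. It assumes a law enforcement hold only ever pushes a deadline out, that a stricter state statute shortens only the individual-notice deadline, and that the annual HHS log deadline is not affected by a hold.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Regulatory figures as this article states them (45 CFR 164.400-414).
OUTER_LIMIT_DAYS = 60           # individual, HHS (500+), media, and BA-to-CE notices
ANNUAL_LOG_GRACE_DAYS = 60      # <500: within 60 days after the end of the calendar year
LARGE_BREACH_THRESHOLD = 500    # HHS report contemporaneous with individual notice
MEDIA_STATE_THRESHOLD = 500     # residents of a single state or jurisdiction
ORAL_DELAY_MAX_DAYS = 30        # cap on a delay requested by oral statement


@dataclass
class LawEnforcementDelay:           # constructed structure, not from the regulation
    stated_on: date                  # date the official made the statement
    written: bool                    # a written statement specifies its own period
    days: Optional[int] = None       # delay period in days; required when written=True


@dataclass
class Breach:                        # constructed structure, not from the regulation
    known_dates: list                # dates individual workforce members/agents learned of it
    affected_by_state: dict          # e.g. {"TX": 620, "OK": 15}
    law_enforcement: Optional[LawEnforcementDelay] = None
    state_law_max_days: Optional[int] = None  # shorter state statute for individual notice


def discovery_date(b: Breach) -> date:
    """The clock starts on the first day any workforce member or agent knew (or should
    have known), not the day the privacy officer or legal team was told: earliest wins."""
    return min(b.known_dates)


def hold_until(delay: Optional[LawEnforcementDelay]) -> Optional[date]:
    """End of a permitted law enforcement delay, or None when there is no delay."""
    if delay is None:
        return None
    if delay.written:
        if delay.days is None:
            raise ValueError("a written statement must specify the delay period")
        return delay.stated_on + timedelta(days=delay.days)
    # Oral statement: at most 30 days from the statement unless a written one follows.
    return delay.stated_on + timedelta(days=ORAL_DELAY_MAX_DAYS)


def _apply_hold(deadline: date, hold: Optional[date]) -> date:
    # Assumption: a hold only pushes a deadline out; it never pulls it in.
    return max(deadline, hold) if hold else deadline


def notification_deadlines(b: Breach) -> dict:
    """Compute every notice deadline the rule imposes for one breach."""
    discovered = discovery_date(b)
    total = sum(b.affected_by_state.values())
    hold = hold_until(b.law_enforcement)
    outer = timedelta(days=OUTER_LIMIT_DAYS)

    # Individuals: 60 calendar days, shortened if state law is stricter.
    individual_days = OUTER_LIMIT_DAYS
    if b.state_law_max_days is not None:
        individual_days = min(individual_days, b.state_law_max_days)

    out = {
        "discovered": discovered,
        "affected_total": total,
        "individuals": _apply_hold(discovered + timedelta(days=individual_days), hold),
        "business_associate_to_ce": _apply_hold(discovered + outer, hold),
    }

    # HHS: within 60 days for 500+, otherwise logged and filed after the calendar year.
    if total >= LARGE_BREACH_THRESHOLD:
        out["hhs"] = _apply_hold(discovered + outer, hold)
    else:
        year_end = date(discovered.year, 12, 31)
        out["hhs"] = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)

    # Media: triggered per state by residents of that state, not by the overall total.
    out["media"] = {
        state: _apply_hold(discovered + outer, hold)
        for state, n in b.affected_by_state.items()
        if n >= MEDIA_STATE_THRESHOLD
    }
    return out


def example_large() -> dict:
    """Constructed sample: the help desk learned of a lost laptop on 12 Mar 2024, the
    privacy officer only on 20 Mar; 620 Texas and 15 Oklahoma residents affected."""
    b = Breach(known_dates=[date(2024, 3, 20), date(2024, 3, 12)],
               affected_by_state={"TX": 620, "OK": 15})
    return notification_deadlines(b)


def example_small_with_hold() -> dict:
    """Constructed sample: 40 California residents, a 30-day state statute, and an oral
    law enforcement request on 20 Nov 2024 with no written follow-up."""
    b = Breach(known_dates=[date(2024, 11, 4)],
               affected_by_state={"CA": 40},
               law_enforcement=LawEnforcementDelay(stated_on=date(2024, 11, 20), written=False),
               state_law_max_days=30)
    return notification_deadlines(b)


if __name__ == "__main__":
    for name, result in (("large", example_large()), ("small", example_small_with_hold())):
        print(name, {k: str(v) for k, v in result.items()})
```

Two behaviours are worth noticing when you run it. In the large sample the discovery date is 12 March, not 20 March, because the help desk's knowledge is the organization's knowledge; every 60-day deadline lands on 11 May 2024. In the small sample the state statute pulls individual notice in to 4 December, the oral law enforcement request then legitimately pushes it to 20 December (30 days from the statement), and the HHS filing for a sub-500 breach is not due until 1 March 2025, sixty days after the calendar year ends.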

Responsibilities of Covered Entities

Immediate response

Activate incident response, contain the issue, preserve evidence, and start breach investigation protocols. Coordinate privacy and security teams to verify facts quickly and assess potential harm.

Content of individual notice

Your notice must be in plain language and include: a brief description of what happened (including dates of breach and discovery), the types of PHI involved (for example, name, Social Security number, clinical data), steps individuals should take to protect themselves, what you are doing to investigate, mitigate harm, and prevent recurrence, and clear contact methods (toll‑free number, email, or postal address).

How to deliver

  • Send written notice by first‑class mail to the last known address, or by email if the individual has agreed to electronic notice.
  • If you have insufficient or out‑of‑date contact information for fewer than 10 individuals, use an alternative form such as telephone or other reasonable means.
  • If you have insufficient contact information for 10 or more individuals, provide substitute notice via a conspicuous website posting or major media, and maintain a toll‑free call center for at least 90 days.

Documentation and retention

Maintain decision records, risk assessments, copies of notices, and evidence of mitigation for at least six years. Track deadlines on a breach calendar and keep a central breach log for smaller incidents that will be reported annually.

Roles of Business Associates

Detect and contain

Business associates must implement safeguards to detect incidents, stop unauthorized activity, and prevent further disclosure or access to PHI.

Notify the covered entity

Report breaches to the covered entity without unreasonable delay, including the identification of each affected individual if known and a description of the incident, data types involved, and the number of individuals impacted.

Support the notices

Provide details the covered entity needs to complete individual, HHS, and media notifications. A business associate agreement may delegate direct notification duties to the business associate; follow the contract’s allocation of responsibilities.

Subcontractors

Flow breach obligations down to subcontractors that handle PHI. Ensure contracts require rapid incident reporting and cooperation with investigations.

Safeguards and improvements

Adopt administrative, physical, and technical controls—such as encryption, access controls, logging, and workforce training—to reduce breach risk and demonstrate recognized security practices.

Reporting to HHS

Thresholds and timing

  • 500 or more individuals affected: submit a breach report to HHS contemporaneously with individual notice and within 60 calendar days of discovery.
  • Fewer than 500 individuals affected: record the incident and submit it to HHS within 60 days after the end of the calendar year.

Information to prepare

Prepare the covered entity name, business associate (if any), contact information, breach timeframe and discovery date, number of individuals affected, breach location and type (such as hacking/IT incident, lost device, misdirected mail), data elements involved, mitigation steps, and your corrective actions.

Recordkeeping

Retain submission confirmations, supporting assessments, and correspondence for at least six years. Monitor the HHS breach portal for listing accuracy when a 500+ breach is posted.

Media Notification Procedures

When media notice is required

If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area. The trigger is the count of residents of that state or jurisdiction, not the total number of individuals affected. This media notification must occur without unreasonable delay and no later than 60 calendar days after discovery.

How to prepare the media notice

Issue a press release that mirrors the individual notice content, avoids revealing PHI, and provides a dedicated call center or support channel. Coordinate timing with individual notifications and ensure messages are consistent.

Substitute notice vs. media notice

Media notification is triggered by the size and geography of the breach. Substitute notice, by contrast, is used when contact information for 10 or more affected individuals is insufficient; it typically involves a prominent website posting for at least 90 days and a toll‑free number.

Compliance Best Practices

Breach investigation protocols

Formalize triage, role assignments, evidence collection, risk assessment, decision criteria, and approval workflows. Use a repeatable checklist to document each step and to support audit readiness.

Preventive controls

Prioritize encryption for ePHI, strong authentication, least‑privilege access, data loss prevention, email security, continuous monitoring, and secure destruction. These measures reduce incidents involving unsecured protected health information.

Vendor governance

Vet business associates, align business associate agreements with breach notification timelines, and require rapid incident reporting by subcontractors. Conduct periodic security reviews and remediation follow‑ups.

Training and exercises

Provide role‑based privacy and security training. Run tabletop exercises to rehearse decision making, HHS reporting requirements, and media notification rule steps under realistic time pressure.

Operational readiness

Maintain current contact lists, notice templates, and translation plans. Track deadlines on a centralized dashboard, pre‑approve legal and communications language, and establish a 24/7 escalation path.

Summary

The HITECH Act Breach Notification Rule centers on quick discovery, rigorous risk assessment, and timely, accurate notifications to individuals, HHS, and sometimes the media. By hardening controls and practicing the process, you can meet breach notification timelines with confidence and reduce harm to patients and your organization.

FAQs

What information must be included in a breach notification?

Include a concise description of what happened (with dates of breach and discovery), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate, mitigate, and prevent recurrence, and clear contact information such as a toll‑free number or email address. Write in plain language.

How soon must affected individuals be notified of a breach?

Notify without unreasonable delay and no later than 60 calendar days after discovery. If the situation requires urgent action to prevent harm, provide telephone or other expedient notice in addition to the required written notice.

When must media notification occur?

When a breach affects 500 or more residents of a single state or jurisdiction, provide a press release to prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery. This requirement is separate from substitute notice used when contact information is insufficient.

How should business associates report breaches?

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering the breach. The report should identify affected individuals if known and supply details about the incident, data elements involved, and mitigation so the covered entity can complete individual, HHS, and media notifications on time.
