HITECH Act Breach Notification Rule: Summary, Examples, and Best Practices

Kevin Henry

Data Breaches

July 22, 2024

7 minutes read
Breach Definition and Scope

What the Breach Notification Rule covers

The HITECH Act Breach Notification Rule (added by HITECH in 2009 and implemented by HHS at 45 CFR 164.400–414) requires covered entities and their business associates to notify affected individuals, the Secretary of Health and Human Services, and in some cases the media, when unsecured Protected Health Information (PHI) is acquired, accessed, used, or disclosed in a manner not permitted by the HIPAA Privacy Rule.

“Unsecured PHI” and safe harbor

PHI is considered “unsecured” unless it has been rendered unusable, unreadable, or indecipherable to unauthorized persons through destruction or through encryption consistent with HHS guidance (NIST-recognized algorithms and key management). If PHI is properly encrypted or destroyed, the incident is not a reportable breach under this rule. The safe harbor is lost, however, if the decryption key was also exposed (for example, a key stored on the same stolen device or in the same compromised account), so the key’s status must be established before relying on it. Note that the Security Rule’s incident-response and documentation duties still apply even when no notification is required.

Exceptions to a breach

  • Unintentional acquisition, access, or use by a workforce member acting in good faith and within the scope of their authority, provided it does not result in any further impermissible use or disclosure.
  • Inadvertent disclosure between two persons authorized to access PHI at the same covered entity or business associate, provided the information is not further used or disclosed impermissibly.
  • Disclosure where the organization has a good-faith belief that the recipient could not reasonably have retained the information.

Risk assessment to determine notification

If an incident does not fall under an exception, it is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised. Assess that probability using at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. Document the assessment and its conclusion; the burden of proof rests with the organization, whichever way it decides.

Scope: who must comply

Covered entities (health plans, most health care providers, and health care clearinghouses) and their business associates (vendors handling PHI on behalf of covered entities) are subject to the Breach Notification Rule. Business Associate Agreements must define each party’s responsibilities for incident reporting and cooperation.

Common breach examples

  • Lost or stolen unencrypted laptop or mobile device containing PHI.
  • Misdirected email that includes patient identifiers and diagnosis codes.
  • Ransomware that encrypts ePHI on a server. Under HHS guidance this is presumed to be a breach, because the attacker acquired the data in order to encrypt it, unless the four-factor risk assessment demonstrates a low probability of compromise.
  • Employee snooping on records without a job-related need to know.
  • Improper disposal of paper records or media with readable PHI.

Notification Requirements and Timelines

Start of the clock: discovery of a breach

Notification must occur without unreasonable delay and no later than 60 calendar days after discovery. Discovery occurs on the first day the breach is known to any workforce member or agent of the organization (other than the person who committed it), or would have been known by exercising reasonable diligence, even if the full scope is still being investigated. The 60 days is an outer limit, not a target: delaying notice until day 60 when the facts were known earlier can itself be an unreasonable delay.

Individual notification

  • Method: First-class mail to the last known address; email is permissible if the individual has agreed to electronic notices.
  • Urgent cases: If there is possible imminent misuse, provide telephone or other immediate notice in addition to written notice.
  • Insufficient contact information for fewer than 10 individuals: Use an alternative form of individual notice (e.g., phone, email).
  • Insufficient contact information for 10 or more individuals: Provide substitute notice via a conspicuous posting on the organization’s website home page for at least 90 days, or via major print or broadcast media in the affected area, and include a toll-free number that stays active for at least 90 days so individuals can learn whether their PHI was involved.

HHS and media timelines depend on scale

  • Breaches affecting 500 or more individuals (counted across all locations): Notify the Secretary of Health and Human Services contemporaneously with the individual notices, without unreasonable delay and no later than 60 days from discovery. If more than 500 of those individuals are residents of a single state or jurisdiction, prominent media outlets serving that area must also be notified within the same window.
  • Breaches affecting fewer than 500 individuals: Log the incident and report to the Secretary within 60 days after the end of the calendar year in which the breach was discovered.

Business associate to covered entity

Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach. They must identify each affected individual and provide information the covered entity needs to deliver complete notices.

Content Requirements for Notifications

Notices to individuals must be in plain language and include:

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • A description of the types of PHI involved (for example, name, date of birth, diagnosis, treatment information, account numbers).
  • Steps individuals should take to protect themselves (such as monitoring accounts or placing fraud alerts).
  • What the organization is doing to investigate, mitigate harm, and prevent future occurrences.
  • Contact procedures for individuals to obtain additional information, including a toll-free number and, as applicable, an email address, website, or postal address.

Notices to the Secretary of Health and Human Services and any required media notices should align factually with the individual notice and clearly state the scope, mitigation steps, and organizational safeguards.


Media and HHS Notification Procedures

Media notification

  • Trigger: A breach involving more than 500 residents of a single state or jurisdiction. The count is per state, so a breach of 800 people spread thinly across several states may require HHS notice but no media notice.
  • Action: Provide notice to prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery.
  • Purpose: Reach individuals who cannot be reached directly and ensure transparency for large-scale incidents.

Secretary of Health and Human Services

  • 500 or more affected in total: Report to the Secretary contemporaneously with individual notices, and in all cases within 60 days of discovery. These reports are posted publicly on the OCR breach portal.
  • Fewer than 500 affected: Maintain a breach log and submit the annual report within 60 days after the calendar year ends.
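The thresholds and clocks in the Notification Requirements and the Media/HHS sections above are easy to confuse under incident pressure (total count versus per-state count, discovery date versus investigation end, calendar-year roll-over for small breaches). The following is an added example, written for this page and not code from the original article or from any compliance product, that turns those rules into a deterministic planner. It assumes a single discovery date and per-state resident counts as its input; the `Incident`, `NotificationPlan` and `plan_for` names are illustrative, and the sample incident at the bottom is constructed, not a real event.

```python
"""Breach-notification deadline and routing planner (illustrative example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Windows and thresholds as summarised on this page (45 CFR 164.404-164.410).
NOTICE_WINDOW_DAYS = 60              # individuals, media, large HHS reports, BA -> CE
SUBSTITUTE_NOTICE_MIN = 10           # 10+ unreachable -> web/media substitute notice
SUBSTITUTE_POSTING_DAYS = 90         # posting and toll-free number stay up this long
HHS_CONTEMPORANEOUS_MIN = 500        # 500 or more individuals in total -> report now
MEDIA_STATE_MIN = 500                # more than 500 residents of ONE state -> media
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60  # smaller breaches: 60 days after 31 December


@dataclass(frozen=True)
class Incident:
    discovered: date                   # first day known, or should have been known
    affected_by_state: dict[str, int]  # residents per state or jurisdiction
    unreachable: int = 0               # affected individuals with no usable contact info
    reported_by_business_associate: bool = False


@dataclass(frozen=True)
class NotificationPlan:
    individual_notice_by: date
    substitute_notice: str | None
    media_notice_states: tuple[str, ...]
    media_notice_by: date | None
    hhs_notice_mode: str               # "contemporaneous" or "annual_log"
    hhs_notice_by: date
    covered_entity_notice_by: date | None


def year_end_report_deadline(discovered: date) -> date:
    """Deadline for the annual log of breaches under 500: 60 days after the end of
    the calendar year of discovery (1 March, or 29 February in a leap year)."""
    return date(discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)


def notification_plan(inc: Incident) -> NotificationPlan:
    if inc.unreachable < 0 or any(n < 0 for n in inc.affected_by_state.values()):
        raise ValueError("counts must be non-negative")
    total = sum(inc.affected_by_state.values())
    if inc.unreachable > total:
        raise ValueError("unreachable cannot exceed total affected")

    # Every 60-day clock runs from discovery, not from the end of the investigation.
    outer_deadline = inc.discovered + timedelta(days=NOTICE_WINDOW_DAYS)

    if inc.unreachable >= SUBSTITUTE_NOTICE_MIN:
        substitute = (f"website home-page posting or major print/broadcast media for "
                      f"{SUBSTITUTE_POSTING_DAYS} days, plus a toll-free number")
    elif inc.unreachable > 0:
        substitute = "alternative individual notice (telephone, email or other means)"
    else:
        substitute = None

    # Media notice is decided per state; HHS contemporaneous notice on the total.
    media_states = tuple(sorted(s for s, n in inc.affected_by_state.items()
                                if n > MEDIA_STATE_MIN))
    if total >= HHS_CONTEMPORANEOUS_MIN:
        hhs_mode, hhs_by = "contemporaneous", outer_deadline
    else:
        hhs_mode, hhs_by = "annual_log", year_end_report_deadline(inc.discovered)

    return NotificationPlan(
        individual_notice_by=outer_deadline,
        substitute_notice=substitute,
        media_notice_states=media_states,
        media_notice_by=outer_deadline if media_states else None,
        hhs_notice_mode=hhs_mode,
        hhs_notice_by=hhs_by,
        covered_entity_notice_by=outer_deadline if inc.reported_by_business_associate else None,
    )


def plan_for(discovered_iso: str, affected_by_state: dict[str, int],
             unreachable: int = 0, reported_by_business_associate: bool = False) -> NotificationPlan:
    """Convenience wrapper taking an ISO date string (e.g. from an intake form)."""
    return notification_plan(Incident(date.fromisoformat(discovered_iso), affected_by_state,
                                      unreachable, reported_by_business_associate))


if __name__ == "__main__":
    # Constructed sample: 820 people, 700 of them in one state, 12 with no address.
    for name, value in vars(plan_for("2024-03-15", {"CA": 700, "NV": 120}, unreachable=12)).items():
        print(f"{name:26} {value}")
```

Two behaviours are worth checking against your own playbook: a breach of 300 residents in each of two states is a contemporaneous HHS report but triggers no media notice, and a small breach discovered on 30 December still rolls into that calendar year’s annual log (due 60 days after 31 December, which is 29 February in a leap year) while its individual notices are due within 60 days of discovery.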

Business Associate Duties

Business associates must promptly evaluate incidents, conduct the four-factor risk assessment, and notify the covered entity of breaches. The notice must include the identities of affected individuals and any available information required for the covered entity’s individual notifications.

Business Associate Agreements should delineate security controls, incident escalation paths, timelines, information-sharing expectations, cooperation during investigations, and documentation requirements to ensure smooth compliance with the Breach Notification Rule.

Penalties for Non-Compliance

Failure to comply with breach notification obligations can lead to HIPAA violation penalties enforced by the Office for Civil Rights. Civil monetary penalties are tiered based on culpability (from reasonable cause to willful neglect) and are adjusted annually for inflation. OCR may also require corrective action plans, audits, and multi-year monitoring.

Serious cases can involve referrals for criminal enforcement for wrongful disclosures, and state attorneys general may bring civil actions. Beyond regulatory exposure, organizations risk reputational harm, contractual liability, and increased costs for remediation and credit monitoring.

Best Practices for Compliance

Governance and preparation

  • Maintain current policies and procedures aligned to the HITECH Act Breach Notification Rule and HIPAA Privacy/Security Rules.
  • Define roles for privacy, security, legal, compliance, and communications; practice tabletop exercises at least annually.
  • Keep an enterprise PHI inventory and data flow maps to speed scoping during incidents.

Technical safeguards

  • Apply strong encryption standards for PHI at rest and in transit; use secure destruction for media and paper.
  • Harden endpoints with device encryption, mobile management, and rapid remote wipe.
  • Implement multi-factor authentication, least-privilege access, network segmentation, and timely patching.
  • Deploy data loss prevention, email security, and continuous monitoring with audit logs.

Operational readiness

  • Use standardized incident intake forms and a documented four-factor risk assessment workflow.
  • Maintain breach-notification templates that cover all required content elements and plain-language standards.
  • Track deadlines: 60-day notice window, 90-day substitute notice posting, and year-end reporting for smaller breaches.
  • Coordinate closely with business associates via well-crafted Business Associate Agreements and vendor oversight.

Key takeaways

Timely investigation, strong encryption, disciplined documentation, and clear roles are your best defenses. By preparing in advance—technically and operationally—you can meet the Breach Notification Rule’s requirements while reducing risk to individuals and your organization.

FAQs

What constitutes a breach under the HITECH Act?

A breach is any acquisition, access, use, or disclosure of unsecured PHI not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. Certain limited exceptions apply, and organizations must perform a four-factor risk assessment to determine if notification is required.

How soon must covered entities notify individuals of a breach?

You must notify without unreasonable delay and no later than 60 calendar days after discovering the breach. Written notice is by first-class mail (or email if the individual agreed). For urgent situations, you may provide immediate notice by telephone in addition to written notice.

When is media notification required?

Media notification is required when a breach involves more than 500 residents of a single state or jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. A breach of 500 or more individuals spread across several states must still be reported to the Secretary of Health and Human Services within 60 days, even if no single state crosses the media threshold.

What penalties apply for failure to comply with breach notification?

OCR can impose tiered civil monetary penalties that escalate with the level of culpability and are adjusted annually for inflation. Remedies can also include corrective action plans and monitoring. In egregious cases, criminal penalties and actions by state attorneys general may apply.
