HITECH Breach Notification Checklist: Who to Notify, When, and How


HITECH Breach Notification Checklist: Who to Notify, When, and How

Kevin Henry

Data Breaches

July 24, 2024


This practical checklist explains your obligations under the HIPAA/HITECH Breach Notification Rule (45 CFR 164.400–414). It focuses on covered entity breach reporting, business associate breach obligations, and the who/when/how of notifying affected individuals, the Secretary of Health and Human Services, and the media.

Breach Notification Requirements

When notification is required

You must provide breach notification whenever there is an impermissible use or disclosure of unsecured protected health information (PHI) that compromises the privacy or security of the data. An incident is presumed a breach unless you document a risk assessment showing a low probability that the PHI was compromised.

Unsecured protected health information

Only breaches of unsecured protected health information trigger these duties. PHI is “unsecured” if it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through technologies and methodologies specified by HHS (for example, strong encryption and proper key management, or secure destruction).

Who you must notify

  • Affected individuals (or their personal representatives).
  • The Secretary of Health and Human Services (HHS), via the HHS breach reporting portal.
  • Prominent media outlets serving a state or jurisdiction if the breach affects 500 or more residents of that area.

How to notify individuals

  • Written notice by first-class mail to the last known address; email is allowed if the individual has agreed to electronic notice.
  • For deceased individuals, notice to the next of kin or personal representative when contact information is available.
  • Telephone or other means may be used in addition to written notice when there is possible imminent misuse of PHI.

Documentation of breach response

Maintain documentation of your risk assessment, investigation, mitigation, notifications, media releases, substitute notice procedures, and timing calculations. Keep copies of letters, scripts, call logs, and HHS submissions for at least six years to demonstrate compliance.

Notification to HHS

Breaches affecting 500 or more individuals

You must notify the Secretary of Health and Human Services without unreasonable delay and in no case later than 60 calendar days from discovery. This is in addition to individual notice and to any media outlet notification that the breach requires.

Breaches affecting fewer than 500 individuals

Log each incident and submit a year-end report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered. If later analysis shows an incident actually involves 500 or more individuals, treat it as a large breach and report within 60 days of discovery.

What to include for the Secretary of Health and Human Services Notification

HHS requires details such as the number of affected individuals, breach dates and discovery date, the type of PHI involved, the source and location of PHI (e.g., paper vs. electronic), a brief description of circumstances, and your mitigation and remediation steps. Update your submission as additional information becomes available.

Media Notification

When media notice is required

If a breach involves 500 or more residents of a single state or jurisdiction, you must provide notice to prominent media outlets serving that area within 60 calendar days of discovery. This is separate from and not a substitute for individual notice.

How to notify media outlets

Issue a press release or other communication reasonably calculated to reach the affected population. Align the content with your individual notifications and include a contact method where individuals can obtain assistance. Retain copies to evidence compliance with media outlet notification requirements.

Business Associate Obligations

Notice from business associate to covered entity

A business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. The notice must include, to the extent possible, the identification of each affected individual and any available information needed by the covered entity to provide compliant notices.

Subcontractors and flow-down

Business associate breach obligations flow down to subcontractors. Your business associate agreements should require prompt reporting, cooperation, and ongoing updates as more information is learned.

Coordination and documentation

Coordinate on drafting content of notifications, timelines, and substitute notice procedures. Document decisions, handoffs, and approvals as part of your documentation of breach response.


Content of Notifications

Required elements for individual, media, and HHS notices

  • A brief description of what happened, including the date of the breach and the date of discovery if known.
  • A description of the types of unsecured protected health information involved (for example, name, address, date of birth, account number, diagnosis or treatment information).
  • Steps individuals should take to protect themselves (e.g., monitoring accounts, placing fraud alerts, changing passwords).
  • A brief description of what you are doing to investigate, mitigate harm, and prevent future occurrences.
  • Contact information for individuals to ask questions or learn more (toll-free number, email, website, or postal address).

Plain language and consistency

Write notices in clear, plain language. Ensure consistency across individual letters, media statements, and your HHS submission to reduce confusion and demonstrate a controlled, compliant response.

Substitute Notice

Fewer than 10 individuals with insufficient contact information

You may use alternative means such as telephone, email, or other methods reasonably calculated to reach the individual. Keep records of your substitute notice procedures.

10 or more individuals with insufficient or out-of-date contact information

Provide a conspicuous posting on your website home page or a notice in major print or broadcast media in areas where affected individuals likely reside. Maintain the notice for at least 90 days and include a toll-free number active for at least 90 days for individuals to obtain information.

Scope and limits

Substitute notice supplements, but does not replace, individual notice for those with valid contact information. Use it only for the specific individuals you cannot reach directly.

Timeliness of Notification

60-day outer limit—“without unreasonable delay”

Provide individual notice, HHS notice (as applicable), and any required media notice without unreasonable delay and in no case later than 60 calendar days after discovery. Discovery occurs on the first day the breach is known—or would have been known with reasonable diligence—by your organization or its agents.

Law enforcement delay

You may delay notifications if a law enforcement official states that notice would impede a criminal investigation or threaten national security. Obtain the statement (written, or documented oral statement with a specified duration) and send notices when the delay period expires.

Tracking the clock and proving compliance

Start counting “day 1” the day after discovery. Build a documented timeline covering investigation milestones, risk assessment, notification drafting, approvals, and dispatch. Retain mail receipts, email logs, media release copies, and HHS confirmation numbers as part of your documentation of breach response.
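The timing and threshold rules in this checklist are easy to get wrong under pressure, so the following script, added here as a worked example and not part of the original article, turns them into a small notification planner. It takes a constructed breach record (discovery date, affected residents per state, count of individuals with unusable contact information, and any documented law enforcement delay) and returns each audience with its send-by date and the rule that drives it. The data class, function names and the handling of a law enforcement delay that runs past day 60 (modelled as moving the send-by date to the day the delay expires) are assumptions for illustration, not language from the Rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and clocks as stated in the checklist (45 CFR 164.400-414).
OUTER_LIMIT_DAYS = 60            # "in no case later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500     # HHS notice within 60 days; media notice per state
SUBSTITUTE_NOTICE_THRESHOLD = 10 # 10+ unreachable -> web/media posting
SUBSTITUTE_NOTICE_DAYS = 90      # posting and toll-free number run 90 days


@dataclass
class BreachFacts:
    """Constructed input record (hypothetical; not from the article)."""
    discovery: date
    affected_by_state: Dict[str, int]   # state/jurisdiction -> residents affected
    unreachable: int = 0                # individuals with insufficient contact info
    law_enforcement_delay_until: Optional[date] = None  # end of a documented delay

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def outer_limit(discovery: date) -> date:
    """Day 1 is the day after discovery, so day 60 falls on discovery + 60 days."""
    return discovery + timedelta(days=OUTER_LIMIT_DAYS)


def annual_report_deadline(discovery: date) -> date:
    """Breaches under 500: log them and report no later than 60 days after the
    end of the calendar year in which they were discovered."""
    return date(discovery.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


def notification_plan(facts: BreachFacts) -> List[dict]:
    """Return the audiences to notify, each with a send-by date and its basis."""
    deadline = outer_limit(facts.discovery)
    basis = "60 calendar days from discovery"
    # Assumption: a documented law enforcement delay that ends after day 60
    # becomes the send-by date; notices go out when the delay expires.
    if facts.law_enforcement_delay_until and facts.law_enforcement_delay_until > deadline:
        deadline = facts.law_enforcement_delay_until
        basis = "law enforcement delay expiry"

    plan = [{"audience": "individuals", "send_by": deadline, "basis": basis,
             "method": "first-class mail (email only with prior agreement)"}]

    if facts.total_affected >= LARGE_BREACH_THRESHOLD:
        plan.append({"audience": "HHS Secretary", "send_by": deadline,
                     "basis": basis, "method": "HHS breach reporting portal"})
    else:
        plan.append({"audience": "HHS Secretary",
                     "send_by": annual_report_deadline(facts.discovery),
                     "basis": "annual log for breaches under 500",
                     "method": "HHS breach reporting portal"})

    # Media notice is judged per state/jurisdiction, not on the grand total.
    for state, count in sorted(facts.affected_by_state.items()):
        if count >= LARGE_BREACH_THRESHOLD:
            plan.append({"audience": f"prominent media ({state})", "send_by": deadline,
                         "basis": basis, "method": "press release"})

    if facts.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.append({"audience": f"substitute notice ({facts.unreachable} unreachable)",
                     "send_by": deadline, "basis": basis,
                     "method": f"website home page or major media for "
                               f"{SUBSTITUTE_NOTICE_DAYS} days plus toll-free number"})
    elif facts.unreachable > 0:
        plan.append({"audience": f"substitute notice ({facts.unreachable} unreachable)",
                     "send_by": deadline, "basis": basis,
                     "method": "telephone, email or other reasonable alternative"})
    return plan


def days_remaining(facts: BreachFacts, today: date) -> int:
    """Calendar days left before the 60-day outer limit (negative if overdue)."""
    return (outer_limit(facts.discovery) - today).days


if __name__ == "__main__":
    # Constructed scenario: 665 individuals across two states, 12 unreachable.
    example = BreachFacts(discovery=date(2024, 3, 1),
                          affected_by_state={"TX": 620, "OK": 45}, unreachable=12)
    for step in notification_plan(example):
        print(f"{step['audience']:<40} by {step['send_by']}  "
              f"({step['basis']}; {step['method']})")
```

In the constructed scenario the planner produces four entries: individuals and HHS by 30 April 2024, media notice for Texas only (Oklahoma is under the 500-resident line even though the total exceeds 500), and a 90-day substitute notice because 12 individuals cannot be reached. Feed the output into the timeline and approvals record the checklist asks you to keep.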

Summary and next steps

Focus on three pillars: determine if PHI is unsecured, notify the right audiences on time, and document every step. Doing so satisfies covered entity breach reporting duties, fulfills business associate breach obligations, and ensures your substitute notice procedures and media communications align with the Rule.

FAQs

What is the deadline for notifying individuals of a breach?

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovering the breach. If law enforcement requests a delay, you may pause notice for the period specified, then notify promptly once the delay is lifted.

Who must be notified in a breach affecting 500 or more individuals?

Notify the affected individuals, the Secretary of Health and Human Services within 60 days of discovery, and—if the breach affects 500 or more residents of a single state or jurisdiction—prominent media outlets serving that area.

What information must be included in a breach notification?

Include what happened (with breach and discovery dates), the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and clear contact information for assistance. Use plain language and be consistent across all notices.

When is substitute notice required?

Use substitute notice when you have insufficient or out-of-date contact information. For fewer than 10 affected individuals, use alternative reasonable means (e.g., phone). For 10 or more, post a conspicuous website notice or notify major media for at least 90 days and provide a toll-free number for the same duration.
