HITECH Breach Notification Requirements: Step‑by‑Step Compliance Checklist and Timelines



Kevin Henry

Data Breaches

July 26, 2024

8 minute read

This guide translates the HITECH Act’s Breach Notification Rule into practical steps you can follow under real-world pressure. It explains who you must notify, what to say, and the notification timelines that apply when Protected Health Information (PHI) is compromised. Whether you are a Covered Entity or a Business Associate, use this as a compliance checklist to safeguard Health Information Privacy and meet regulatory expectations.

Breach Discovery and Initial Response

When “discovery” occurs and why it matters

Notification timelines start the day you discover the incident—or the day you would have discovered it by exercising reasonable diligence. Discovery by a Business Associate triggers its own duty to notify the Covered Entity without delay.

First 24–72 hours: rapid-response checklist

  • Activate your incident response team and brief your privacy and security officers.
  • Contain the incident (revoke access, isolate systems, disable lost credentials, retrieve misdirected mail where feasible).
  • Preserve evidence (system images, logs, emails, access records) to support your Risk Assessment and potential law‑enforcement needs.
  • Identify the data elements involved to confirm whether unsecured PHI was affected (names, SSNs, diagnosis codes, treatment details, financial data).
  • Begin documentation immediately: who discovered the issue, when, how, and the actions taken.
  • Consult counsel as needed and coordinate with law enforcement; if notified that disclosure would impede an investigation, you may delay notices for the period requested.

Safe harbor check

Confirm whether the PHI was secured (for example, encrypted or destroyed per HHS guidance). If PHI was rendered unusable, unreadable, or indecipherable to unauthorized persons, breach notification may not be required. Document this determination thoroughly.

Notification timelines at a glance

  • Individuals: without unreasonable delay and no later than 60 calendar days from discovery.
  • Media: within 60 calendar days if 500 or more residents of a single state or jurisdiction are affected.
  • Secretary of HHS: within 60 calendar days for incidents affecting 500 or more individuals; for fewer than 500, report no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Business Associate to Covered Entity: without unreasonable delay and no later than 60 calendar days from discovery.
  • Substitute notice (insufficient contact data for 10+ individuals): conspicuous posting or media for at least 90 days, with a toll‑free number.
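To make the thresholds and clocks above concrete, here is an added example (written for this article, not part of the original text or any regulatory tool) that takes the facts of an incident and returns which notices are owed and their outside deadlines. The input record, its field names, and the helper `plan_for` are this example's own; treating a law-enforcement delay request as pushing the 60-day outside date by the requested number of days, and stopping at the Covered Entity notice when the reporter is a Business Associate, are modeling assumptions, not text from the rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict

# Thresholds and clocks as summarized in the timeline list above.
NOTICE_WINDOW_DAYS = 60            # individuals, media, HHS (500+), BA -> CE
LARGE_BREACH_THRESHOLD = 500       # immediate HHS report; per-jurisdiction media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10   # unreachable individuals at/above this need substitute notice
SUBSTITUTE_NOTICE_DAYS = 90        # posting / toll-free number duration


@dataclass
class BreachFacts:
    """Constructed input record; the field names are this example's own, not a regulatory schema."""
    discovery_date: date
    affected_by_jurisdiction: Dict[str, int]   # state/jurisdiction -> residents affected
    phi_secured: bool = False                   # encrypted or destroyed per HHS guidance
    unreachable_individuals: int = 0            # insufficient or out-of-date contact data
    law_enforcement_delay_days: int = 0         # delay period requested by law enforcement, if any
    reporter_is_business_associate: bool = False


def total_affected(facts: BreachFacts) -> int:
    return sum(facts.affected_by_jurisdiction.values())


def annual_log_deadline(discovery: date) -> date:
    """Fewer than 500 affected: submit no later than 60 days after the end of the discovery year."""
    return date(discovery.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)


def notification_plan(facts: BreachFacts) -> dict:
    """Return the notices owed and their outside deadlines, or none if the safe harbor applies."""
    plan = {"notification_required": True, "notices": {}}
    if facts.phi_secured:
        # Secured PHI: notification generally not required, but the determination must be documented.
        plan["notification_required"] = False
        plan["notices"]["record"] = "Safe harbor: PHI secured; document the determination"
        return plan

    # Assumption: a law-enforcement delay request pushes the outside date by the requested period.
    outside = facts.discovery_date + timedelta(
        days=NOTICE_WINDOW_DAYS + facts.law_enforcement_delay_days)

    if facts.reporter_is_business_associate:
        # A BA notifies the Covered Entity; the CE then delivers the remaining notices.
        plan["notices"]["covered_entity"] = outside
        return plan

    plan["notices"]["individuals"] = outside

    media = [j for j, c in facts.affected_by_jurisdiction.items() if c >= LARGE_BREACH_THRESHOLD]
    if media:
        plan["notices"]["media"] = {"jurisdictions": media, "deadline": outside}

    if total_affected(facts) >= LARGE_BREACH_THRESHOLD:
        plan["notices"]["hhs"] = outside
    else:
        plan["notices"]["hhs"] = annual_log_deadline(facts.discovery_date)

    if facts.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan["notices"]["substitute"] = {
            "method": "conspicuous web posting or major print/broadcast media",
            "toll_free_number": True,
            "minimum_days": SUBSTITUTE_NOTICE_DAYS,
        }
    elif facts.unreachable_individuals > 0:
        plan["notices"]["substitute"] = {
            "method": "alternative method reasonably calculated to reach the person (phone, email)",
            "toll_free_number": False,
            "minimum_days": 0,
        }
    return plan


def plan_for(discovery_iso: str, affected_by_jurisdiction: Dict[str, int], **kwargs) -> dict:
    """Convenience wrapper: build BreachFacts from an ISO date string and compute the plan."""
    return notification_plan(BreachFacts(date.fromisoformat(discovery_iso),
                                         affected_by_jurisdiction, **kwargs))


if __name__ == "__main__":
    # Constructed scenario: 550 people in two states, 12 of them unreachable by mail.
    for name, deadline in plan_for("2024-07-26", {"CA": 520, "NV": 30},
                                   unreachable_individuals=12)["notices"].items():
        print(f"{name}: {deadline}")
```

The planner is deliberately a worst-case calendar: it gives outside dates, while the rule itself requires notice "without unreasonable delay", so an incident team should treat these dates as hard stops rather than targets.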

Individual Notification Requirements

Who must receive notice

Notify each affected individual whose unsecured PHI was involved. If the individual is deceased, notify the next of kin or personal representative when known. For minors or others with personal representatives, send notice to the representative.

How to deliver notice

  • Primary method: written notice by first‑class mail to the last known address (or by email if the individual has agreed to receive electronic notices).
  • Urgent situations: if imminent misuse is likely, supplement with telephone or other means as appropriate.
  • Insufficient or outdated contact information:
    • Fewer than 10 individuals: use an alternative method reasonably calculated to reach the person (e.g., phone, email).
    • 10 or more individuals: provide substitute notice via a conspicuous website posting for at least 90 days or through major print/broadcast media in the affected geographic area, including a toll‑free number active for the same period.

What the notice must include

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • The categories of PHI involved (for example, name, address, date of birth, medical record number, diagnosis, treatment, account numbers).
  • Steps individuals should take to protect themselves (such as monitoring accounts, changing passwords, placing fraud alerts).
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact information: a toll‑free number, email, website, or postal address for questions.

Write in plain language that an average person can understand; avoid technical jargon where possible.

Media Notification Procedures

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area within 60 calendar days of discovery. Media notice is in addition to, not a substitute for, individual notices. The media notice should mirror the individual notice content and be clear, accurate, and timely.


Secretary of HHS Notification

Thresholds and timing

  • 500 or more individuals affected: report to the Secretary without unreasonable delay and no later than 60 calendar days from discovery.
  • Fewer than 500 individuals affected: log the incident and submit it to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.

What to submit

  • Entity and incident details, number of individuals affected, and a description of the breach (including the types of PHI involved).
  • The notification dates and methods used, mitigation steps taken, and your current status (open/closed).
  • Updates, if new material facts emerge after the initial submission.

Business Associate Notification Obligations

A Business Associate that discovers a breach of unsecured PHI must notify the Covered Entity without unreasonable delay and no later than 60 calendar days from discovery. The notice should identify each affected individual and provide all available information the Covered Entity needs to deliver compliant notices (event description, data elements involved, dates, and mitigation steps).

Business Associates must also ensure their subcontractors agree to parallel breach reporting duties in written agreements. Prompt escalation, evidence preservation, and cooperation with the Covered Entity’s Risk Assessment are expected.

Conducting Risk Assessments

The required four‑factor analysis

There is a presumption that an impermissible acquisition, access, use, or disclosure of PHI is a breach unless you demonstrate a low probability that the PHI has been compromised through a documented four‑factor analysis. Your Risk Assessment must, at a minimum, evaluate:

  • Nature and extent of PHI involved (identifiers, sensitivity, likelihood of re‑identification).
  • Unauthorized person who used the PHI or to whom disclosure was made (including their ability to re‑identify or misuse it).
  • Whether the PHI was actually acquired or viewed (vs. only potentially exposed).
  • The extent to which the risk has been mitigated (retrieval, satisfactory assurances, deletion, or containment).

Applying the analysis

Document your methods, evidence, and conclusions. If you determine a low probability of compromise, record the rationale in detail. If not, proceed with notifications within the applicable Notification Timelines. Consider encryption status, access controls, and the minimum necessary principle as part of your evaluation and mitigation strategy.

Documentation and Recordkeeping

  • Maintain written policies, procedures, incident response plans, and workforce training records to support Breach Notification Rule compliance.
  • Keep a breach log capturing discovery dates, decisions, recipients, content of notices, and mitigation steps for every incident, regardless of size.
  • Retain Risk Assessments, legal holds, and evidence (logs, screen captures, forensic reports) that support your determinations.
  • Preserve Business Associate Agreements and subcontractor flow‑down terms addressing breach reporting.
  • Keep all required documentation for at least six years from the date of creation or last effective date, whichever is later.

Summary and next steps

Confirm whether unsecured PHI was involved, act quickly to contain and investigate, perform and document a rigorous Risk Assessment, and notify all required parties within the established timelines. Strong documentation, clear communications, and coordination between Covered Entities and Business Associates are essential to protecting Health Information Privacy and sustaining compliance.

FAQs

What constitutes a breach under the HITECH Act?

A breach is the impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. There is a presumption of breach unless you can demonstrate a low probability of compromise after a documented four‑factor Risk Assessment. Exceptions include certain good‑faith or inadvertent disclosures within the scope of authority and situations where the recipient could not reasonably retain the information. If PHI is properly encrypted or destroyed, breach notification is generally not required.

When must individuals be notified of a breach?

Provide notice without unreasonable delay and no later than 60 calendar days from discovery. If law enforcement states that notice would impede an investigation, you may delay for the period requested. In urgent cases with imminent risk of harm, supplement written notice with telephone or other rapid contact.

How are breaches reported to the Secretary of HHS?

For incidents affecting 500 or more individuals, report within 60 calendar days of discovery. For fewer than 500, record the breach and submit it no later than 60 days after the end of the calendar year in which it was discovered. Include entity details, incident description, the number of individuals affected, notice dates and methods, and mitigation steps, and update the report if new facts arise.

What documentation is required after a breach?

Keep your Risk Assessment, decision rationale, copies of all notices, lists of affected individuals, mitigation actions, investigation records, and communications with Business Associates and law enforcement. Maintain policies, procedures, training, and Business Associate Agreements. Retain all documentation for at least six years to satisfy the Breach Notification Rule and broader HIPAA recordkeeping requirements.
