HITECH Breach Notification Rule for Covered Entities and Business Associates
The HITECH Breach Notification Rule requires covered entities and business associates to notify specific parties when unsecured Protected Health Information (PHI) is compromised. It builds on HIPAA by defining what counts as a breach, how to assess risk, and when and how to provide notice. This guide explains what you must do to stay in breach notification compliance.
Breach Definition and Risk Assessment
What is a breach of unsecured PHI?
A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. “Unsecured” means the PHI is not rendered unusable, unreadable, or indecipherable through accepted methods like strong encryption or proper destruction.
Risk Assessment Methodology
You must conduct a documented risk assessment to determine the probability that PHI has been compromised. A sound methodology evaluates: (1) the nature and extent of PHI involved, including sensitivity and likelihood of re-identification; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.
Burden of proof and discovery date
The burden is on your organization to demonstrate that all required notifications were made or that a breach did not require notification based on the risk assessment. Timing runs from discovery—the first day the breach is known, or reasonably should have been known, to you or your workforce.
Securing PHI to reduce breach risk
Implement encryption, destruction, and robust access controls to keep PHI secure. If PHI is properly secured, many incidents will fall outside breach notification because the data would be unusable to unauthorized parties. These safeguards support breach notification compliance and reduce exposure.
Exceptions to Breach Definition
Unintentional, good-faith access within scope
Access or use of PHI by a workforce member acting in good faith and within the scope of authority is not a breach if the information is not further used or disclosed improperly. Prompt containment and documentation are still essential.
Inadvertent disclosure to an authorized recipient
Disclosures by a person authorized to access PHI to another person authorized to access PHI within the same organization or organized health care arrangement are not breaches, if the information is not further used or disclosed improperly.
Good-faith belief that PHI could not be retained
If you have a good-faith belief that the unauthorized person to whom the disclosure was made could not reasonably have retained the information, the incident does not constitute a breach. Document the facts supporting this belief.
Notification Requirements for Covered Entities
Timing: without unreasonable delay
Notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Do not wait for a completed forensic investigation to start appropriate notifications; you can send updates as more facts emerge.
Method and recipients of notice
Provide written notice by first-class mail to the individual (or personal representative). You may use email if the individual has agreed to electronic notice. For minors, the notice goes to the parent or guardian; for decedents, to the next of kin or personal representative when appropriate.
Required content of individual notice
Your notice must clearly explain: what happened (including the date of the breach and discovery, if known), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate, mitigate harm, and prevent recurrence, and how to contact you via toll-free number, email, or postal address.
Substitute and urgent notice
If you lack current contact information for 10 or more individuals, provide substitute notice such as a web posting or a conspicuous site notice for a set period, plus a toll-free call center. For fewer than 10, alternative methods like phone may be used. If there is imminent misuse risk, you may provide expedited telephonic notice.
Media Notification Obligations
When media notice is required
If a breach involves more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and within 60 days of discovery. This is in addition to individual notices.
What to include and how to coordinate
Media notices should mirror the individual notice content at a high level: a plain-language description of the incident, the types of PHI involved, protective steps, and your mitigation efforts and contacts. Coordinate release timing with individual notices to ensure clear, consistent communication.
Notification to the Secretary of HHS
Breaches affecting 500 or more individuals
Notify the Secretary of Health and Human Services without unreasonable delay and in no case later than 60 calendar days from discovery. Large breaches are reported promptly, not annually.
Breaches affecting fewer than 500 individuals
Maintain a breach log and submit a summary to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered. Keep your log accurate and ready for review.
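The triggers and deadlines above (60 calendar days from discovery for individual, media and large-breach HHS notice; media notice when more than 500 residents of one state are affected; the annual log for breaches under 500; substitute notice when contact details are missing for 10 or more people) can be encoded so an incident-response playbook computes them from the incident facts. The following is an added example, not code from this page or from Accountable; the incident counts and dates are constructed, and law-enforcement holds are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60           # outer limit: "no later than 60 calendar days after discovery"
HHS_PROMPT_THRESHOLD = 500        # 500 or more individuals: report to HHS within the window
MEDIA_THRESHOLD = 500             # more than 500 residents of one state: notify media there
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10 or more with stale contact info: substitute notice


@dataclass
class BreachFacts:
    discovered: date                 # discovery date starts the clock
    affected_by_state: dict          # state -> number of affected residents (constructed input)
    missing_contact_info: int = 0    # individuals with no current contact details


@dataclass
class NotificationPlan:
    individual_notice_by: date
    media_notice_states: list
    hhs_notice_by: date
    hhs_prompt_report: bool          # True: report now; False: annual breach-log submission
    substitute_notice_required: bool


def notification_plan(facts: BreachFacts) -> NotificationPlan:
    """Derive the required notices and their outer deadlines from the incident facts."""
    window_end = facts.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    total = sum(facts.affected_by_state.values())
    media_states = sorted(s for s, n in facts.affected_by_state.items() if n > MEDIA_THRESHOLD)
    if total >= HHS_PROMPT_THRESHOLD:
        hhs_by, prompt = window_end, True
    else:
        # Smaller breaches go in the breach log, submitted within 60 days of year end.
        year_end = date(facts.discovered.year, 12, 31)
        hhs_by, prompt = year_end + timedelta(days=NOTICE_WINDOW_DAYS), False
    return NotificationPlan(
        individual_notice_by=window_end,
        media_notice_states=media_states,
        hhs_notice_by=hhs_by,
        hhs_prompt_report=prompt,
        substitute_notice_required=facts.missing_contact_info >= SUBSTITUTE_NOTICE_THRESHOLD,
    )


def plan_for(discovered_iso: str, affected_by_state: dict, missing_contact_info: int = 0):
    """Convenience wrapper taking the discovery date as an ISO string (YYYY-MM-DD)."""
    facts = BreachFacts(date.fromisoformat(discovered_iso), affected_by_state, missing_contact_info)
    return notification_plan(facts)


if __name__ == "__main__":
    print(plan_for("2024-03-01", {"TX": 640, "OK": 12}, missing_contact_info=3))
```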
Business Associate Notification Obligations
Timely reporting to covered entities
Business associates must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery. If identification of all affected individuals is not immediately possible, provide what you have and supply updates as they become available.
Information business associates must provide
Include the identification of each affected individual, a brief description of what happened, the date of the breach and discovery, the types of PHI involved, known mitigation steps, and any other information the covered entity needs to meet its notification obligations.
Contracts and downstream obligations
Ensure business associate agreements require prompt breach reporting, define communication channels, and flow down the same obligations to subcontractors. Clear terms reduce unreasonable delay and support breach notification compliance.
Administrative Requirements and Compliance
Policies, procedures, and incident response
Adopt written policies covering incident detection, escalation, risk assessment, notification decision-making, and documentation. A tested incident response plan helps you act quickly and consistently when PHI is at risk.
Workforce training and awareness
Provide initial and periodic workforce training on breach recognition, internal reporting, and privacy and security practices. Reinforce the minimum necessary standard, phishing awareness, and secure handling of PHI across all roles.
Documentation and retention
Retain breach assessments, notices, logs, policies, procedures, sanctions, and training records for at least six years. Good records demonstrate compliance and help you meet the burden of proof.
Preventive safeguards to reduce incidents
Encrypt PHI at rest and in transit, enforce strong access controls, monitor for anomalous activity, and promptly patch systems. Regular risk analyses and tabletop exercises strengthen readiness and limit potential harm.
Managing delays and law enforcement holds
Build an escalation path to avoid unreasonable delay in decision-making and notification. If law enforcement determines that notice would impede an investigation, document the hold and resume required notifications as soon as the hold lifts.
Conclusion
Effective breach notification compliance hinges on preparation: know how to define a breach, apply a defensible risk assessment, meet all timing and content rules, and coordinate duties with business associates. Robust safeguards and workforce training reduce incidents and speed your response when they occur.
FAQs
What constitutes a breach under the HITECH Act?
A breach is any acquisition, access, use, or disclosure of unsecured PHI not permitted by HIPAA that compromises the security or privacy of the information, unless an exception applies or a documented risk assessment shows a low probability of compromise.
When must covered entities notify affected individuals of a breach?
You must provide individual notice without unreasonable delay and no later than 60 calendar days after discovery of the breach. You may issue follow-up notices as additional details are confirmed.
What are the exceptions to the breach notification rule?
There are three exceptions under the breach notification rule: unintentional good-faith access or use by a workforce member within scope; inadvertent disclosure to another authorized person within the same organization or arrangement; and situations where the recipient could not reasonably have retained the information.
How must business associates report breaches to covered entities?
Business associates must notify the covered entity without unreasonable delay and within 60 calendar days of discovery, providing available details about affected individuals, what happened, the PHI involved, mitigation steps, and ongoing updates needed for the covered entity’s notifications.