How to Comply with HIPAA Omnibus Breach Notification: Step‑by‑Step Guide


Kevin Henry

HIPAA

August 21, 2024

7 minutes read

Breach Notification Requirements

The HIPAA Omnibus Rule presumes a breach any time there is an impermissible use or disclosure of Unsecured PHI that compromises the privacy or security of Protected Health Information. You must notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases the media, following strict Notification Timelines.

Covered entities and business associates are both responsible for compliance. “Discovery” of a breach occurs on the first day it is known—or would have been known with reasonable diligence—to your organization. Notices must be provided without unreasonable delay and no later than 60 calendar days from discovery.

Use the following step‑by‑step approach to stay compliant:

  1. Contain the incident immediately, preserve logs and evidence, and secure systems and physical records.
  2. Confirm whether PHI was involved and whether it was Unsecured PHI (for example, not protected under recognized Encryption Standards or destroyed in a secure manner).
  3. Launch and document a risk assessment to determine the probability of compromise.
  4. If you cannot demonstrate a low probability of compromise, prepare required notifications and send them within the Notification Timelines.
  5. Notify HHS and, if applicable, prominent media outlets as required; maintain an incident register for smaller breaches.
  6. Mitigate harm to individuals (credit monitoring, hotline, remediation) and implement corrective actions.
  7. Review and update policies, workforce training, and your Business Associate Agreement templates.

Definition of a Breach

A breach is an impermissible acquisition, access, use, or disclosure of PHI under the HIPAA Privacy Rule that compromises its security or privacy. PHI that has been properly de‑identified is not subject to breach notification.

Three narrow exceptions mean an incident may not be a breach: (1) unintentional access or use by a workforce member acting within scope and authority; (2) inadvertent disclosure by a person authorized to access PHI to another authorized person within the same organization; and (3) a good‑faith belief that the unauthorized recipient could not reasonably retain the information.

“Unsecured PHI” is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. If PHI is secured using recognized Encryption Standards or is properly destroyed, the safe harbor generally removes breach notification obligations.

Risk Assessment Process

The Omnibus Rule requires you to conduct and document a risk assessment using four core Risk Assessment Factors to decide whether there is a low probability that PHI has been compromised.

  1. Nature and extent of PHI involved: the types of identifiers and the likelihood of re‑identification (for example, names, diagnoses, Social Security numbers, or financial data).
  2. Unauthorized person: who used the PHI or to whom it was disclosed (e.g., a covered entity, a business associate, or an unknown outside party).
  3. Whether the PHI was actually acquired or viewed: what logs, forensics, or audit trails show.
  4. Extent to which the risk has been mitigated: recovery of information, validated deletion, encryption applied after the fact, or binding assurances.

Evaluate each factor, weigh them together, and document your rationale. If you cannot clearly demonstrate a low probability of compromise, treat the incident as a breach and issue notices within the Notification Timelines. Keep your assessment, evidence, and decisions for audit readiness.

Business Associate Responsibilities

Business associates must comply with the Security Rule, limit uses and disclosures, and promptly report incidents as required by the Business Associate Agreement. They also must flow down obligations to subcontractors who handle PHI.

Upon discovery of a breach, a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days, supplying the identities of affected individuals, the types of PHI involved, and other details needed for notifications. Robust safeguards—access controls, monitoring, and recognized Encryption Standards—are expected to reduce the likelihood of Unsecured PHI exposure.

Covered entities should ensure every Business Associate Agreement defines incident reporting channels, content and timing of notices, cooperation duties, and evidence preservation requirements.


Breach Notification Content

Notices to individuals must be written in plain language and include:

  • A brief description of what happened, including the date of the breach and the date of discovery (if known).
  • A description of the types of PHI involved (for example, name, date of birth, diagnosis, treatment information, account or policy numbers).
  • Steps individuals should take to protect themselves (credit freezes, password changes, fraud alerts, or other practical actions).
  • What your organization is doing to investigate, mitigate harm, and prevent future incidents.
  • Contact methods for questions and assistance (toll‑free number, email, website, or postal address).

Send notices without unreasonable delay and no later than 60 days from discovery. Deliver them by first‑class mail, or by email if the individual has agreed to electronic notice. Provide substitute notice when contact information is insufficient, and ensure notices are accessible to individuals with disabilities and limited English proficiency.

Media Notification Procedures

If a breach involves more than 500 residents of a state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. Coordinate messaging so it aligns with individual notices and does not disclose unnecessary personal details.

When you lack contact information for 10 or more affected individuals, provide substitute notice—such as a conspicuous website posting for at least 90 days or a media announcement—and maintain a toll‑free number active for the same period.

Law enforcement may request a delay if notification would impede an investigation or threaten national security. Document the request and resume notification once the delay period ends.

Separately, report breaches affecting 500 or more individuals to HHS within 60 days of discovery; for breaches affecting fewer than 500 individuals, log each incident and report them to HHS within 60 days after the end of the calendar year in which they were discovered.

Enforcement and Penalties

HHS Office for Civil Rights enforces the breach notification, Privacy, and Security Rules. HITECH Act Penalties use a tiered structure based on culpability—ranging from lack of knowledge to willful neglect not corrected—with per‑violation minimums and annual caps that are adjusted for inflation.

OCR considers factors such as the number of individuals affected, the sensitivity of PHI, timely breach response, prior compliance history, and the strength of your security program. Outcomes may include corrective action plans, monitoring, and monetary settlements. State attorneys general can also bring actions, and contractual liability may arise under a Business Associate Agreement.

Strong preventive controls—encryption of data at rest and in transit, least‑privilege access, continuous monitoring, vendor risk management, and well‑rehearsed incident response—reduce exposure and help demonstrate diligence if an incident occurs.

In practice, you comply by securing PHI, assessing incidents quickly and thoroughly, notifying the right parties on time, and documenting every decision. Build these steps into policy, train your workforce, and test your plan so you can meet the Notification Timelines with confidence.

FAQs

What triggers the HIPAA Omnibus breach notification requirement?

Notification is required when there is an impermissible use or disclosure of Unsecured PHI that compromises the privacy or security of Protected Health Information. The incident is presumed a breach unless your documented risk assessment shows a low probability of compromise based on the Omnibus Rule’s factors.

How should covered entities assess the risk of a PHI breach?

Apply the four Risk Assessment Factors: the nature and extent of PHI, the unauthorized person involved, whether the PHI was actually acquired or viewed, and the extent of mitigation. Evaluate and weigh all factors together, document your reasoning, preserve evidence, and if low probability cannot be demonstrated, proceed with notifications within the Notification Timelines.

What information must be included in a breach notification?

Each notice must explain what happened (including dates), identify the types of PHI involved, tell individuals what actions they should take, describe what your organization is doing to investigate and mitigate, and provide clear contact information. Draft the notice in plain language and deliver it without unreasonable delay and no later than 60 days from discovery.

When must media notification be issued?

You must issue media notification when a breach involves more than 500 residents of a single state or jurisdiction, and you must do so without unreasonable delay and no later than 60 days after discovery. Use substitute notice and a 90‑day toll‑free number if you cannot reach 10 or more affected individuals.
