How to Comply with the HIPAA Breach Notification Rule: Best Practices
Breach Notification Requirements
The HIPAA Breach Notification Rule applies to Covered Entities (health plans, health care clearinghouses, and most providers) and their Business Associates. It requires notification following a breach of Unsecured PHI—protected health information that has not been rendered unreadable, unusable, or indecipherable to unauthorized individuals.
- Trigger: A breach is presumed when there is an impermissible use or disclosure of PHI unless a documented Four-Factor Risk Assessment shows a low probability that the PHI has been compromised.
- Timeline: Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Business Associates must notify the Covered Entity so it can meet downstream obligations.
- Who must be notified: affected individuals; HHS (immediately for breaches affecting 500 or more individuals, or annually for fewer than 500); and prominent media outlets when 500 or more residents of a single state or jurisdiction are affected.
- Law enforcement delay: If a law enforcement official states that notice would impede an investigation or damage national security, notifications may be delayed for the period specified.
Limited exceptions may apply (for example, certain good‑faith or inadvertent disclosures within authorized roles, or when the recipient could not reasonably retain the information). Treat exceptions cautiously and document your rationale.
Risk Assessment Process
Use a structured Four-Factor Risk Assessment to determine whether an incident is a reportable breach and to guide mitigation. Document each step in writing and retain records per your retention policy.
- Nature and extent of PHI: Identify sensitive data elements (e.g., diagnoses, SSNs, financial data), volume, and whether the PHI was Unsecured PHI.
- Unauthorized person: Assess who used PHI or received it and whether they are obligated to protect privacy or could re-identify or misuse the data.
- Acquisition or viewing: Determine whether the PHI was actually acquired or viewed, as opposed to merely exposed or the subject of an unsuccessful access attempt.
- Mitigation: Evaluate actions taken to reduce risk (e.g., confirming destruction, obtaining satisfactory assurances, resetting credentials, remote wiping).
Complement the assessment with containment (isolate systems, revoke access), forensics, documentation (timeline, decisions, approvals), and a remediation plan that addresses root causes and prevents recurrence.
Notification Content
Notices must be clear, concise, and written in plain language. Include only the minimum necessary details to inform and protect individuals while avoiding additional exposure of sensitive data.
- A brief description of what happened, including the date of the breach and the date of discovery (if known).
- The types of information involved (for example, name, address, date of birth, diagnoses, treatment information, account numbers).
- Steps individuals should take to protect themselves (e.g., monitoring accounts, placing fraud alerts, changing passwords).
- What your organization is doing to investigate, mitigate harm, and prevent further incidents (technical, administrative, and physical safeguards).
- Contact methods for individuals to ask questions or learn more: a toll‑free number, email address, website, or postal address.
Ensure consistency across all notices (individual, media, and Notification to HHS) while tailoring details to the audience and privacy considerations.
Methods of Notification
Deliver individual notices by first‑class mail to the last known address. If the individual has agreed to electronic notice, you may use email. For urgent situations involving possible imminent misuse, provide additional notice by telephone or other appropriate means.
- Substitute notice—fewer than 10 individuals with outdated or incomplete contact information: Use an alternative means such as telephone, email, or other written notice.
- Substitute notice—10 or more individuals with outdated or incomplete contact information: Post a conspicuous website notice (or a link to it) for at least 90 days or provide notice via major print or broadcast media in areas where affected individuals likely reside. Include a toll‑free number active for at least 90 days.
- Media notice: If the breach affects 500 or more residents of a single state or jurisdiction, notify prominent media outlets serving that area.
- Notification to HHS: Report breaches affecting 500 or more individuals without unreasonable delay (no later than 60 days from discovery). For fewer than 500, log them and submit to HHS within 60 days after the end of the calendar year.
- Business Associates: Provide timely notice to the Covered Entity, including identity (if known) of each affected individual and information the Covered Entity needs to notify others.
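The thresholds and deadlines above, encoded as a small decision helper (an added illustration, not part of the original article). The breach facts are constructed samples; the dates it returns are outside limits, not targets, since every notice is due without unreasonable delay.

```python
from dataclasses import dataclass
from datetime import date, timedelta

OUTSIDE_LIMIT_DAYS = 60        # notices due no later than 60 calendar days after discovery
LARGE_BREACH = 500             # 500 or more individuals: HHS is notified immediately
MEDIA_THRESHOLD = 500          # 500 or more residents of one state/jurisdiction: media notice
SUBSTITUTE_WEB_THRESHOLD = 10  # 10 or more unreachable individuals: website/media substitute notice
SUBSTITUTE_POSTING_DAYS = 90   # website posting and toll-free number stay active this long

@dataclass
class BreachFacts:
    discovered: date                 # date the breach was discovered
    residents_by_jurisdiction: dict  # affected individuals per state/jurisdiction, e.g. {"CA": 520}
    unreachable: int                 # individuals with outdated or incomplete contact information
    is_business_associate: bool = False

def notification_plan(f: BreachFacts) -> dict:
    """Map each notification duty to its outside deadline (a date) or required form."""
    total = sum(f.residents_by_jurisdiction.values())
    outside_limit = f.discovered + timedelta(days=OUTSIDE_LIMIT_DAYS)
    plan = {"individuals": outside_limit, "substitute_notice": None,
            "media": [], "hhs": None, "covered_entity": None}
    if f.is_business_associate:
        # A Business Associate notifies the Covered Entity, which makes the external notices.
        plan["covered_entity"] = outside_limit
    if f.unreachable >= SUBSTITUTE_WEB_THRESHOLD:
        plan["substitute_notice"] = (f"conspicuous website posting or major media, plus a "
                                     f"toll-free number, for at least {SUBSTITUTE_POSTING_DAYS} days")
    elif f.unreachable > 0:
        plan["substitute_notice"] = "alternative written, telephone or email notice"
    plan["media"] = sorted(j for j, n in f.residents_by_jurisdiction.items() if n >= MEDIA_THRESHOLD)
    if total >= LARGE_BREACH:
        plan["hhs"] = outside_limit
    else:
        # Fewer than 500: log it and report within 60 days after the end of the calendar year.
        plan["hhs"] = date(f.discovered.year, 12, 31) + timedelta(days=OUTSIDE_LIMIT_DAYS)
    return plan

def overdue(plan: dict, today_iso: str) -> list:
    """Duties whose outside deadline has already passed as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [duty for duty, due in plan.items() if isinstance(due, date) and today > due]

# Constructed sample facts: one large multi-state breach and one small Business Associate incident.
LARGE_PLAN = notification_plan(BreachFacts(date(2024, 3, 10), {"CA": 520, "NV": 30}, unreachable=12))
SMALL_PLAN = notification_plan(BreachFacts(date(2024, 11, 20), {"NV": 40}, unreachable=3,
                                           is_business_associate=True))
```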
Encryption and Data Destruction
Securing PHI with recognized encryption standards, or destroying it using robust media sanitization practices, takes the data outside the definition of Unsecured PHI. Such "secured" PHI does not trigger breach notification obligations if an incident occurs.
- Encryption: Apply strong encryption for data at rest and in transit (e.g., full‑disk encryption on endpoints, database and backup encryption, modern TLS). Manage keys securely and separately from the encrypted data: if the key is compromised together with the ciphertext, the data is not considered secured.
- Device and application controls: Enforce multi‑factor authentication, automatic lock, mobile device management with remote wipe, least‑privilege access, and continuous monitoring to reduce exposure.
- Data destruction: Follow defensible practices (e.g., cross‑cut shredding for paper; purging, degaussing, or physical destruction for media). Align procedures with widely accepted standards such as NIST media sanitization guidance and maintain certificates of destruction.
- Lifecycle governance: Classify PHI, minimize retention, de‑identify when possible, and test backups and restorations to ensure encryption persists across the lifecycle.
Penalties for Non-Compliance
OCR enforces the Rule and may impose civil penalties for HIPAA violations under a tiered structure that considers culpability and corrective action. Consequences can include monetary penalties per violation with annual caps, corrective action plans, external monitoring, and public resolution agreements. Willful neglect and failure to correct increase exposure, and egregious conduct can trigger criminal liability.
Proactive compliance—timely notices, complete documentation, credible risk assessments, and rigorous security controls—significantly reduces legal, financial, and reputational risk while strengthening trust.
FAQs
What is the timeframe for HIPAA breach notification?
You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovering a breach of Unsecured PHI. For 500 or more individuals, you must also notify HHS and, when 500+ residents of a state or jurisdiction are affected, the media within the same 60‑day outside limit. For fewer than 500, log the breach and report to HHS within 60 days after the end of the calendar year.
What information must be included in a HIPAA breach notification?
Provide a brief description of what happened (including dates), the types of PHI involved, steps individuals should take to protect themselves, what your organization is doing to investigate and mitigate, and how to contact you (toll‑free number, email, website, or address). Use plain language and include only the minimum necessary details.
Who must be notified under the HIPAA Breach Notification Rule?
Notify affected individuals, HHS (immediately for breaches affecting 500 or more individuals and annually for fewer than 500), and prominent media outlets if 500+ residents of a single state or jurisdiction are impacted. Business Associates must notify the Covered Entity, which is responsible for external notifications.
What are the consequences of non-compliance with breach notification requirements?
OCR can impose Civil Penalties for HIPAA Violations based on the level of culpability, require corrective action plans and monitoring, and publicize settlements or resolution agreements. Serious or intentional misconduct can also lead to criminal charges and parallel enforcement by state attorneys general.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.