How to Meet HHS OCR HIPAA Breach Notification Requirements: A Practical Guide

Kevin Henry

HIPAA

August 07, 2024

8 minutes read
If you handle Protected Health Information (PHI), you must comply with the HIPAA Breach Notification Rule administered by the HHS Office for Civil Rights (OCR). This practical guide shows you how to identify a breach, conduct a compliant Risk Assessment, notify the right parties on time, and align Business Associate obligations. You’ll also see the administrative controls that make responses repeatable—and what happens if you fall short.

Definition of Breach

Under the Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule—an impermissible disclosure—that compromises the security or privacy of the PHI. Unless you can demonstrate a low probability that PHI was compromised based on a documented Risk Assessment, an impermissible disclosure is presumed to be a breach.

The rule applies to unsecured PHI. If PHI is rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption or destruction), it is not “unsecured,” and breach notification is not required.

Discovery starts the clock. A breach is considered “discovered” on the first day it is known to you or would have been known by exercising reasonable diligence. Knowledge by any workforce member or agent is imputed to the organization.

Risk Assessment Factors

How to determine low probability of compromise

To decide whether notification is required, evaluate and document the following four factors and your conclusions:

  • Nature and extent of PHI: What identifiers and clinical, financial, or sensitive details were involved, and how likely is re-identification?
  • Unauthorized person: Who used or received the PHI—someone bound by confidentiality (e.g., another HIPAA-regulated entity) or not?
  • Whether PHI was actually acquired or viewed: Do logs or other evidence show access, viewing, or exfiltration versus mere exposure?
  • Mitigation: How fully did you mitigate risk (e.g., secure deletion, verified return, or reliable assurances of destruction)?

Record your methods, evidence, and rationale. If you conclude that notification is not required, retain the Risk Assessment and supporting documentation for at least six years.

Exceptions to Breach Definition

Three narrow exceptions mean an impermissible disclosure is not a breach:

  • Unintentional, good-faith acquisition, access, or use of PHI by a workforce member within scope of authority, with no further improper use or disclosure.
  • Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further improper use.
  • Situations where the unauthorized recipient could not reasonably have retained the information (for example, a misdirected letter returned unopened).

Secured PHI safe harbor

While not an “exception” to the definition, incidents involving properly encrypted or destroyed PHI do not trigger the Breach Notification Rule because the PHI is not “unsecured.” Implement and validate encryption for data at rest and in transit to reduce breach risk and reporting obligations.

Breach Notification Requirements

Who must be notified and when

  • Individuals: Provide written notice without unreasonable delay and in no case later than 60 calendar days after discovery.
  • HHS (Electronic Breach Reporting):
    • 500 or more affected individuals: Notify HHS without unreasonable delay and no later than 60 days after discovery via the Electronic Breach Reporting portal.
    • Fewer than 500 affected: Log the breach and submit to HHS no later than 60 days after the end of the calendar year in which it was discovered.
  • Media: If a breach impacts more than 500 residents of a single state or jurisdiction, notify prominent media outlets in that area without unreasonable delay and no later than 60 days after discovery.

How to deliver notice

  • Primary method: First-class mail to the individual (or email if the individual has agreed to electronic notice). For deceased individuals, notify the next of kin or personal representative when appropriate.
  • Substitute notice:
    • Fewer than 10 individuals with out-of-date or insufficient contact details: Use an alternative method such as telephone or email.
    • 10 or more individuals: Provide a conspicuous website posting or notice in major print/broadcast media where affected individuals reside, for at least 90 days, and include a toll-free number active for the same period.

What your notice must include

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • The types of PHI involved (for example, diagnoses, medications, Social Security numbers, billing information).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent further incidents.
  • Contact information for questions (toll-free number, email, or postal address).

If any required element is not available at the time of notice, include what you know and provide supplemental information without unreasonable delay as it becomes available.

Law enforcement delay

You must delay notifications if a law enforcement official states that notice would impede a criminal investigation or threaten national security. Follow the time period specified; an oral request permits a temporary delay, which must be replaced by a timely written request to extend the delay.

Business Associate Responsibilities

Upon discovery of a breach of unsecured PHI, a Business Associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery. Your Business Associate Agreement (BAA) should set a shorter, specific timeline (for example, 10–15 days), the reporting channels to use, and the details the report must contain.

The notice to the covered entity should identify each affected individual and include what happened, dates of breach and discovery, the types of PHI involved, and mitigation steps taken. Business associates must also obtain and flow down breach-notification obligations to subcontractors and cooperate with the covered entity on individual, media, and HHS notifications as assigned in the BAA.

Administrative Requirements

Establish and maintain written policies and procedures for incident response, Risk Assessment, and breach notification that align with the Breach Notification Rule and the Security Rule. Designate privacy and security officials to oversee execution and accountability.

Train your workforce on recognizing, escalating, and documenting potential incidents. Enforce a sanctions policy for noncompliance and run periodic tabletop exercises to validate roles, timing, and communications.

Document everything: Risk Assessments, determinations, notices, law enforcement delay requests, mitigation steps, and corrective action plans. Retain documentation for at least six years and maintain a breach log for incidents affecting fewer than 500 individuals until year-end Electronic Breach Reporting is filed.

Strengthen safeguards to prevent and limit breaches, including encryption, access controls, audit logging, secure disposal, vendor due diligence, and least-privilege access. Regularly review BAAs to confirm clear breach roles, timelines, and information-sharing requirements.

Penalties for Non-Compliance

OCR enforces the Breach Notification Rule through investigations that can lead to technical assistance, resolution agreements, corrective action plans with monitoring, or Civil Monetary Penalties. Penalties follow a tiered structure based on the level of culpability and are adjusted annually for inflation.

Factors influencing outcomes include the nature and extent of the violation, number of individuals affected, duration, mitigation, history of compliance, and your financial condition. Willful neglect that is not corrected results in mandatory penalties, and separate obligations may arise under state law or contracts, in addition to reputational harm and remediation costs.

In practice, meeting your obligations comes down to five disciplines: define and detect breaches accurately, perform and document a sound Risk Assessment, apply exceptions correctly, notify every required party on time using complete content, and reinforce governance with clear BAAs and durable administrative controls. Consistent execution turns a potential crisis into a managed event.

FAQs

What constitutes a HIPAA breach under HHS OCR guidelines?

A HIPAA breach is an impermissible use or disclosure of PHI that compromises its security or privacy. It is presumed a breach unless you can show, through a documented Risk Assessment of the four OCR factors, a low probability that the PHI was compromised. Three exceptions (good-faith, inadvertent internal disclosure, and non-retention by the recipient) and the secured-PHI safe harbor may remove notification duties.

When must a covered entity notify individuals of a breach?

Notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Use first-class mail or email (if the individual agreed), provide substitute notice when contact details are insufficient, and include all required content: what happened, dates, types of PHI, steps to protect themselves, your mitigation and prevention actions, and contact information.

How should business associates report a breach to covered entities?

Report without unreasonable delay and no later than 60 days after discovery, following any shorter timeline in the Business Associate Agreement. Provide the covered entity with the list of affected individuals, dates, a description of the incident, the types of PHI involved, and mitigation taken, and cooperate to support individual, media, and HHS notifications as assigned.

What are the consequences of failing to comply with HIPAA breach notification requirements?

Noncompliance can lead to OCR investigations, corrective action plans, and Civil Monetary Penalties under a tiered scheme that reflects culpability and is adjusted for inflation. You may also face state enforcement, contractual liability, reputational damage, and substantial operational costs tied to remediation and monitoring.
