How to Meet HIPAA Breach Notification Requirements: Step-by-Step Guide
Assess the Breach
You should begin by stabilizing the incident and determining whether it involves unsecured protected health information. Under HIPAA, an impermissible use or disclosure of PHI is presumed to be a breach unless you can show a low probability that the PHI was compromised. The “discovery” date starts your notification timelines.
Confirm it involves unsecured protected health information
- Identify what PHI was involved and whether it was rendered unusable, unreadable, or indecipherable (for example, through strong encryption). If PHI is “secured,” breach reporting requirements may not apply.
- Check for HIPAA exceptions (e.g., good-faith, unintentional access by a workforce member within scope; inadvertent disclosure between authorized persons within the same entity; or disclosures where the recipient could not reasonably retain the information).
- If you are a business associate, notify the covered entity without unreasonable delay and share known affected individuals and facts.
Start the clock and contain the incident
- Record the date of discovery; you must proceed without unreasonable delay and no later than 60 calendar days where notice is required.
- Preserve logs, devices, and evidence; isolate impacted systems; and stop further disclosures.
- Engage your Privacy and Security Officers, legal counsel, and relevant vendors to coordinate next steps.
Conduct a Risk Assessment
Perform and document a risk assessment pursuant to HIPAA to decide whether there is a low probability that PHI was compromised. This analysis, which applies the four-factor test below, determines whether notification is required and guides mitigation.
Apply the four-factor test
- Nature and extent of PHI involved (types of identifiers and likelihood of re-identification).
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (e.g., obtaining a satisfactory written attestation of destruction or return).
Document findings and decisions
- If you determine a low probability of compromise, document the rationale and remediation taken to maintain HIPAA privacy rule compliance.
- If not, proceed with notifications following the applicable notification timelines.
Notify Affected Individuals
When notification is required, inform each affected individual without unreasonable delay and no later than 60 calendar days after discovery. Use first-class mail, or email if the individual agreed to electronic notice.
What to include and how to deliver
- Provide a clear description of what happened and the types of PHI involved, steps individuals can take, what you are doing to mitigate, and how to contact you. Keep tone factual and supportive.
- Send to the last known address; honor language needs and accessibility requirements; include a toll-free number for questions.
Substitute notice for unreachable individuals
- If contact information is insufficient for fewer than 10 individuals, use an alternative method (e.g., telephone).
- If 10 or more individuals have out-of-date information, provide substitute notice via your website home page or major print/broadcast media in areas where affected individuals likely reside, with a 90-day posting and a toll-free number.
Coordinate with business associates
- Covered entities are generally responsible for notifying individuals, though a business associate may do so if your agreement assigns that role. Ensure consistency of counts, dates, and narrative across all communications.
Notify the Department of Health and Human Services
You must report qualifying breaches to HHS through its breach portal. Treat your HHS breach notification submission as an official record that should mirror what you tell individuals and, if applicable, the media.
Thresholds and deadlines
- 500 or more individuals affected: notify HHS without unreasonable delay and no later than 60 calendar days from discovery.
- Fewer than 500 individuals: log each breach and submit to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
What to include in the HHS breach notification submission
- Covered entity and, if applicable, business associate details and contacts.
- Dates of breach and discovery; number of individuals affected; states/jurisdictions involved.
- Type and location of breach (e.g., hacking/IT incident, loss, improper disposal) and the types of PHI involved.
- Safeguards in place, mitigation steps taken, and steps to prevent recurrence.
- Standardized, plain-language narrative consistent with individual notices.
Practical filing tips
- Prepare a single set of facts and numbers; reconcile discrepancies before submitting.
- Retain submission confirmations and any correspondence with HHS for your records.
Notify the Media
Apply the media breach notification criteria when 500 or more residents of a single state or jurisdiction are affected. In that case, notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery.
Scope and message
- Media notice supplements, but does not replace, individual notices. It should use the same core facts and remedies to avoid confusion.
- Do not include sensitive personal details; focus on what happened, who is affected, risks, protections offered, and how to get help.
Coordinate timing and consistency
- Align the media release with individual notices and your HHS submission to keep dates, counts, and mitigation consistent.
- Prepare spokesperson guidance and FAQs to handle follow-up inquiries accurately.
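The thresholds and timelines in the sections above (individual notice within 60 calendar days of discovery, HHS notice within 60 days for 500 or more individuals or in the annual log otherwise, media notice when 500 or more residents of one state are affected, and substitute notice by method depending on how many individuals are unreachable) fit together as one decision procedure. The following Python script is an added example written for this guide; it is not code from Accountable or from HHS. The field names, the `plan_notifications` function and the sample facts are constructed for illustration, and the assumption that "no later than 60 calendar days" is counted as discovery date plus 60 days is a simplification that your counsel's reading of the rule should govern.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Values taken from the guide above.
NOTICE_WINDOW_DAYS = 60            # "without unreasonable delay and no later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500       # HHS within 60 days; media when 500+ in one state
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more unreachable -> website/media substitute notice
ANNUAL_LOG_GRACE_DAYS = 60         # small breaches: 60 days after end of the calendar year


@dataclass
class BreachFacts:
    """Facts gathered during assessment (field names are this example's own)."""
    discovered_on: date
    phi_secured: bool                      # e.g. strongly encrypted, key not exposed
    exception_applies: bool                # one of the HIPAA exceptions listed in the guide
    low_probability_of_compromise: bool    # outcome of the documented four-factor test
    affected_by_state: Dict[str, int]      # e.g. {"TX": 620, "OK": 40}
    unreachable_individuals: int = 0       # people with insufficient contact information


@dataclass
class NotificationPlan:
    notice_required: bool
    reason: str
    individual_notice_by: Optional[date] = None
    hhs_notice_by: Optional[date] = None
    hhs_filing: Optional[str] = None
    media_notice_states: List[str] = field(default_factory=list)
    media_notice_by: Optional[date] = None
    substitute_notice: Optional[str] = None


def annual_log_deadline(discovered_on: date) -> date:
    """Fewer than 500 affected: submit no later than 60 days after the end of the discovery year."""
    return date(discovered_on.year, 12, 31) + timedelta(days=ANNUAL_LOG_GRACE_DAYS)


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    """Walk the guide's decision steps and return who must be notified and by when."""
    # Step 1: secured PHI and the HIPAA exceptions take the incident out of scope.
    if facts.phi_secured:
        return NotificationPlan(False, "PHI was secured (unusable, unreadable, or indecipherable)")
    if facts.exception_applies:
        return NotificationPlan(False, "a HIPAA breach exception applies")
    # Step 2: a documented four-factor assessment may rebut the presumption of breach.
    if facts.low_probability_of_compromise:
        return NotificationPlan(False, "documented risk assessment found a low probability of compromise")

    # Step 3: notice is required; every clock runs from the discovery date.
    deadline = facts.discovered_on + timedelta(days=NOTICE_WINDOW_DAYS)
    total = sum(facts.affected_by_state.values())
    plan = NotificationPlan(True, "presumed breach of unsecured PHI", individual_notice_by=deadline)

    # HHS: large breaches within 60 days of discovery, small breaches via the annual log.
    if total >= LARGE_BREACH_THRESHOLD:
        plan.hhs_notice_by = deadline
        plan.hhs_filing = "report to HHS within 60 days of discovery"
    else:
        plan.hhs_notice_by = annual_log_deadline(facts.discovered_on)
        plan.hhs_filing = "log and submit to HHS within 60 days after the end of the calendar year"

    # Media: judged per state/jurisdiction, not on the overall total.
    plan.media_notice_states = sorted(
        state for state, count in facts.affected_by_state.items() if count >= LARGE_BREACH_THRESHOLD
    )
    if plan.media_notice_states:
        plan.media_notice_by = deadline

    # Substitute notice: method depends on how many individuals cannot be reached.
    if facts.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.substitute_notice = "website home page or major print/broadcast media, 90-day posting, toll-free number"
    elif facts.unreachable_individuals > 0:
        plan.substitute_notice = "alternative method such as telephone"
    return plan


if __name__ == "__main__":
    # Constructed sample facts, not a real incident.
    sample = BreachFacts(date(2024, 3, 5), False, False, False, {"TX": 620, "OK": 40}, unreachable_individuals=12)
    print(plan_notifications(sample))
```

Run the script to see the plan for the constructed sample. The per-state media check is the detail most often missed: 600 individuals split 300/300 across two states still triggers the 60-day HHS report but no media notice, because no single state reaches 500.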
Document the Breach
Maintain thorough documentation of your response from discovery through closure. Good records demonstrate compliance with breach reporting requirements and support audits or investigations.
What to keep
- Incident logs, forensics, containment steps, and your risk assessment pursuant to HIPAA (including evidence and rationale).
- Copies of individual notices, substitute notices, media statements, and HHS submissions with timestamps and delivery proofs.
- Decision memos for law enforcement delay requests, mitigation offers (e.g., credit monitoring), and remediation actions.
- Policy updates, training records, and monitoring results. Retain documentation for at least six years from creation or last effective date.
Governance and follow-up
- Brief leadership and your compliance committee; track corrective actions to completion.
- Test controls (access, logging, encryption) and revise your incident response plan to strengthen HIPAA privacy rule compliance.
Conclusion
Meeting HIPAA breach notification requirements hinges on prompt containment, a defensible risk assessment, precise communications to individuals, timely HHS breach notification submission, media notice when required, and meticulous documentation. Treat timelines as hard limits, keep facts consistent, and use lessons learned to harden safeguards against future incidents.
FAQs
What information must be included in a breach notification?
Your individual notice should, in plain language, include: a brief description of what happened (including the date of the breach and discovery, if known); the types of unsecured protected health information involved (for example, name, date of birth, diagnoses, treatment, Social Security number); steps individuals should take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and how to contact you (toll‑free number, email, or postal address).
When must breach notifications be sent to HHS?
For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, log each incident and submit to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
Who is responsible for notifying affected individuals?
The covered entity is generally responsible for notifying individuals. A business associate must notify the covered entity without unreasonable delay and provide the information needed for notices. Your business associate agreement may delegate the task to the business associate, but the covered entity remains ultimately accountable.
What are the consequences of failing to comply with breach notification requirements?
Noncompliance can trigger OCR investigations, corrective action plans, and tiered civil monetary penalties per violation, with higher tiers for willful neglect. You may also face contractual consequences, reputational damage, increased oversight, and potential actions by other regulators or private litigants.