How to Meet HIPAA’s Breach Notice Requirements: Covered Entity Guide
Under HIPAA’s breach notification rule, you must act quickly and transparently when unsecured protected health information (PHI) is compromised. This covered entity guide turns legal requirements into practical steps you can apply immediately.
You’ll learn who to notify, what to say, when to say it, and how to document covered-entity compliance so your program is audit-ready and resilient.
Individual Breach Notification Requirements
When notification is required
A breach is an impermissible use or disclosure of unsecured protected health information that compromises its privacy or security. Notification is required unless you document, after a risk assessment, a low probability that the PHI has been compromised, or a narrow statutory exception applies (for example, certain unintentional, good‑faith workforce disclosures, or situations in which the unauthorized person could not reasonably have retained the PHI).
Breach discovery timeline
The clock starts on the date you discover the breach—or should have discovered it using reasonable diligence. You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Treat the breach as discovered when anyone in your workforce (other than the person committing the breach) learns of it.
Content of the individual notice
- A brief description of what happened, including the date of the breach and discovery.
- The categories of PHI involved (for example, names, diagnoses, payment data).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence.
- Clear contact methods (toll‑free number, email, or postal address).
How to deliver the notice
- Send written notice by first‑class mail to the individual (or personal representative). You may use email if the individual has consented to electronic notice.
- If you lack current contact information for fewer than 10 people, use a reasonable substitute method (for example, telephone or email).
- If you lack current contact information for 10 or more people, provide substitute notice via a prominent website posting for at least 90 days or through major print/broadcast media where affected individuals are likely to reside, and include a toll‑free number active for at least 90 days.
- Use telephone or other expedient means if there is an urgent need to mitigate imminent misuse.
Notice to the Secretary of Health and Human Services
When to report
- 500 or more affected individuals: report to HHS without unreasonable delay and in no case later than 60 calendar days from discovery.
- Fewer than 500 affected individuals: log the incident and submit the report to HHS within 60 days after the end of the calendar year in which the breach was discovered.
What to submit
- Covered entity information and point of contact.
- Number of individuals affected and location(s) of affected individuals.
- Dates of the breach and discovery, and a brief description of what happened.
- Types of PHI involved and whether the data were encrypted or otherwise secured.
- Mitigation, remediation, and safeguards implemented, including any business associate involvement.
Documentation
Maintain incident files, risk assessments, notices, and submission confirmations for at least six years. Strong documentation demonstrates covered-entity compliance and supports your position during audits or investigations.
Media Notification Obligations
When media notice is required
If a breach involves 500 or more residents of a single state or jurisdiction, you must provide media breach notification to prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery.
How to notify the media
- Issue a press release or similar communication that includes the same core elements as the individual notice.
- Coordinate timing and content across individual, HHS, and media notices to ensure accuracy and consistency.
- Designate a spokesperson and prepare FAQs to handle inquiries without disclosing additional PHI.
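The individual, HHS, and media sections above describe one set of thresholds and clocks (60 calendar days from discovery, the 500-individual and 10-individual cut-offs, the 90-day substitute-notice period, and the end-of-year rule for small breaches). The following is an added example, not part of this guide or of any Accountable product, that turns those rules into a deadline and obligation calculator of the kind an incident team can run during triage. All names (BreachFacts, NotificationPlan, build_plan, the sample state counts and dates) are hypothetical; the thresholds and windows come from the text above. It does not model the law-enforcement delay or business-associate clocks.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Thresholds and clocks as stated in the guide.
LARGE_BREACH_THRESHOLD = 500      # >= 500 individuals: immediate HHS report; media notice per state
SUBSTITUTE_NOTICE_THRESHOLD = 10  # >= 10 people lacking contact info: website/media substitute notice
NOTICE_WINDOW_DAYS = 60           # "in no case later than 60 calendar days"
SUBSTITUTE_POSTING_DAYS = 90      # minimum duration of website posting and toll-free number


@dataclass
class BreachFacts:
    """Facts the incident team has once triage is done (hypothetical structure)."""
    discovery_date: date                 # first date a workforce member (other than the actor) knew or should have known
    affected_by_state: Dict[str, int]    # state/jurisdiction -> number of affected residents
    missing_contact_count: int = 0       # individuals with no current postal address or consented email


@dataclass
class NotificationPlan:
    total_affected: int
    individual_deadline: date            # outside date for first-class mail / consented email notices
    hhs_deadline: date                   # outside date for the HHS report
    hhs_report_immediately: bool         # True for >= 500; False means the annual log submission
    media_states: List[str]              # jurisdictions with >= 500 residents affected
    substitute_method: Optional[str]     # None when everyone can be reached directly
    substitute_posting_days: int         # minimum posting / toll-free duration, 0 if not applicable


def outside_date(start: date, days: int = NOTICE_WINDOW_DAYS) -> date:
    """Hard deadline: `days` calendar days after `start`; 'without unreasonable delay' may be sooner."""
    return start + timedelta(days=days)


def hhs_deadline(discovery: date, total_affected: int) -> date:
    """>= 500: same 60-day clock as individuals. < 500: 60 days after the end of the discovery year."""
    if total_affected >= LARGE_BREACH_THRESHOLD:
        return outside_date(discovery)
    return outside_date(date(discovery.year, 12, 31))


def substitute_notice(missing_contact_count: int) -> Tuple[Optional[str], int]:
    """Substitute-notice method and minimum duration for people who cannot be reached directly."""
    if missing_contact_count <= 0:
        return None, 0
    if missing_contact_count < SUBSTITUTE_NOTICE_THRESHOLD:
        return "alternative written notice, telephone, or other means", 0
    return ("prominent website posting or major print/broadcast media, plus toll-free number",
            SUBSTITUTE_POSTING_DAYS)


def build_plan(facts: BreachFacts) -> NotificationPlan:
    """Derive every notice obligation and outside date from the breach facts."""
    total = sum(facts.affected_by_state.values())
    media = sorted(s for s, n in facts.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD)
    method, posting_days = substitute_notice(facts.missing_contact_count)
    return NotificationPlan(
        total_affected=total,
        individual_deadline=outside_date(facts.discovery_date),
        hhs_deadline=hhs_deadline(facts.discovery_date, total),
        hhs_report_immediately=total >= LARGE_BREACH_THRESHOLD,
        media_states=media,
        substitute_method=method,
        substitute_posting_days=posting_days,
    )


def days_remaining(plan: NotificationPlan, today: date) -> int:
    """Time-to-notify tracking: calendar days left on the individual-notice clock (negative = late)."""
    return (plan.individual_deadline - today).days


def sample_large_plan() -> NotificationPlan:
    # Constructed sample: large breach discovered late in the year, concentrated in one state.
    return build_plan(BreachFacts(date(2024, 12, 20), {"TX": 620, "OK": 40}, missing_contact_count=25))


def sample_small_plan() -> NotificationPlan:
    # Constructed sample: small breach; the HHS report rolls into the annual submission.
    return build_plan(BreachFacts(date(2024, 3, 15), {"CA": 120}, missing_contact_count=3))


if __name__ == "__main__":
    for plan in (sample_large_plan(), sample_small_plan()):
        print(plan)
```

The small-breach case shows why the two clocks must be tracked separately: individuals must still be notified within 60 days of discovery even though the HHS report is not due until 60 days after December 31 of the discovery year.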
Business Associate Breach Reporting
Business associate duties
Business associates must notify you without unreasonable delay and no later than 60 calendar days after discovering a breach. Their notice should identify each affected individual (if known) and include all information you need to provide timely individual, HHS, and media notices.
Contractual expectations
- Set an earlier contractual reporting deadline (for example, 5–15 days) to preserve your time to investigate and notify.
- Require specifics in the BA’s notice: incident timeline, systems affected, types of PHI, mitigation steps, and point of contact.
- Flow down obligations to BA subcontractors and mandate cooperation, evidence preservation, and remediation support.
Coordinated response
Use a joint incident plan with your BA to align triage, forensics, drafting, and approvals so no deadline is missed and messaging remains consistent.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Developing Breach Notification Policies
Core components
- Definitions and decision trees distinguishing incidents, security events, and breaches of unsecured protected health information.
- A risk assessment method evaluating the nature/extent of PHI, unauthorized recipient, whether PHI was actually acquired/viewed, and mitigation.
- Clear breach discovery timeline triggers, internal escalation paths, and roles (privacy, security, legal, communications).
- Templates for individual, substitute, media, and HHS notices; contact verification and address‑cleansing procedures.
- Law‑enforcement delay process to document and honor written requests that temporarily defer notices.
- Vendor management requirements, including BA due diligence, contractual breach terms, and monitoring.
- Data‑minimization, encryption, and disposal standards to reduce breach likelihood and impact.
Testing and continuous improvement
Run tabletop exercises at least annually, track time‑to‑detect and time‑to‑notify, and update procedures after each incident or drill. Measure and report these metrics to leadership.
Employee Training and Compliance
Training essentials
- Teach workforce members how to recognize and immediately report potential breaches (lost devices, misdirected mail, phishing, improper access).
- Reinforce minimum necessary access, secure handling of mail and email, and verification before disclosures.
- Practice incident intake, documentation, and escalation with realistic scenarios.
Workforce sanctions and accountability
Define progressive workforce sanctions for noncompliance, apply them consistently, and document outcomes. Visible accountability improves reporting culture and reduces repeat errors.
Monitoring and audits
Use access‑log reviews, phishing simulations, and spot checks to verify adherence. Close findings with corrective actions and targeted retraining.
Enforcement and Sanctions
OCR enforces the breach notification rule through investigations, audits, corrective action plans, and civil monetary penalties. Penalty tiers increase with the level of culpability and duration of noncompliance, particularly when willful neglect is not timely corrected.
Significant breaches can trigger multiyear monitoring, settlement obligations, and state attorney general actions. Robust policies, timely notifications, and strong documentation are your best defense.
FAQs
What is the deadline for notifying individuals of a breach?
You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. Start counting from the date of discovery, not when your investigation concludes.
How must covered entities notify affected individuals?
Send written notice by first‑class mail to each individual (or personal representative). You may use email if the person has agreed to electronic notices. If you lack current contact information for 10 or more people, provide substitute notice via a prominent website posting or major media and include a toll‑free number for at least 90 days.
When is media notification required?
Provide media notification when a breach involves 500 or more residents of a single state or jurisdiction. Notify prominent media outlets without unreasonable delay and within 60 calendar days of discovery, using content consistent with the individual notice.
What are business associates' responsibilities in breach notification?
Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach. Their notice should identify affected individuals (if known) and supply all details the covered entity needs to deliver individual, HHS, and media notices on time.