How to Respond to an ePHI Breach: Timeline, Notification, Documentation
Breach Definition and Scope
An ePHI breach is the acquisition, access, use, or disclosure of electronic protected health information in a manner not permitted by HIPAA that compromises its security or privacy. Under the HIPAA breach notification rule, a breach is presumed unless you can demonstrate a low probability that the ePHI has been compromised based on a documented risk assessment.
HIPAA focuses on “unsecured” ePHI—information not rendered unusable, unreadable, or indecipherable to unauthorized persons. If the data were properly encrypted or securely destroyed consistent with recognized guidance, notification may not be required.
Exceptions that are not breaches
- Unintentional access by a workforce member acting in good faith within scope of authority, with no further use or disclosure.
- Inadvertent disclosure between authorized persons within the same covered entity (or organized health care arrangement), if not further used or disclosed impermissibly.
- Good-faith belief that the unauthorized recipient could not reasonably retain the information.
Common scenarios
- Lost or stolen device containing unencrypted ePHI.
- Misdirected email with patient identifiers sent outside your organization.
- Unauthorized insider snooping into records without a treatment, payment, or operations purpose.
- Hacking or ransomware affecting systems that store ePHI.
Start containment immediately, but plan for HIPAA breach notification unless your assessment supports the low-probability standard.
Conducting Risk Assessments
An ePHI risk assessment determines whether there is a low probability that the data were compromised. Your analysis should be prompt, repeatable, and thoroughly documented.
The four required factors
- Nature and extent of ePHI involved, including types of identifiers and likelihood of re-identification.
- The unauthorized person who used the ePHI or to whom disclosure was made (and their obligations to protect confidentiality).
- Whether the ePHI was actually acquired or viewed, or merely exposed.
- The extent to which risks were mitigated (e.g., remote wipe, retrieval, reliable recipient attestation, password resets).
Step-by-step approach
- Secure systems and stop further exposure; preserve logs and evidence.
- Define scope: affected systems, accounts, data elements, and individuals.
- Collect facts: timestamps, audit trails, screenshots, emails, and vendor or business associate reports.
- Apply the four-factor analysis and determine probability of compromise.
- Decide: no breach (with justification) or breach requiring notification; obtain legal/compliance approval.
- Plan breach mitigation efforts, including patient protections (e.g., fraud alerts) and security remediation.
- Record decisions, sign-offs, and timelines for audit and later review.
Business associates must perform initial analysis and notify the covered entity without unreasonable delay, including identification of each affected individual and the data involved.
Complying with Notification Timelines
Timing is critical. HIPAA requires you to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach. “Discovery” is when you knew, or by exercising reasonable diligence should have known, of the incident.
Who you must notify and when
- Individuals: Without unreasonable delay and within 60 days of discovery, by first-class mail or email (if the individual agreed to electronic notice).
- U.S. Department of Health and Human Services (HHS) Secretary:
- 500 or more individuals affected: Report without unreasonable delay and no later than 60 days from discovery via HHS breach reporting.
- Fewer than 500 individuals: Maintain a breach log and submit the annual report to HHS within 60 days after the end of the calendar year in which the breaches were discovered.
- Business associate to covered entity: Without unreasonable delay and no later than 60 days from discovery, with all available details.
Practical timeline you can follow
- Days 0–3: Contain, preserve evidence, begin assessment, and notify leadership.
- Days 4–10: Complete initial ePHI risk assessment and decide if notice will be required.
- Days 11–30: Finalize affected population, prepare draft notices, and plan breach mitigation efforts.
- Days 31–60: Send individual notices; submit HHS breach reporting for large breaches; prepare any media breach notification if applicable.
- By March 1 next year: File the annual HHS report for breaches affecting fewer than 500 individuals discovered in the prior calendar year.
If contact information is insufficient for 10 or more individuals, provide substitute notice (e.g., conspicuous website posting or media notice) while still meeting the 60-day deadline. For urgent threats of possible harm, consider additional telephone or electronic notice as soon as possible.
Crafting Notification Content
Use clear, plain language that helps people act. Each individual notice must include:
- What happened, including the date of the breach and the date of discovery, if known.
- What information was involved (e.g., names, contact details, diagnoses, treatment information, Social Security or financial data).
- What steps individuals should take to protect themselves (e.g., monitoring accounts, placing fraud alerts, password changes).
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- How to reach you for questions: toll-free number, email, website, or postal address.
Tips for effective notices
- Be accurate and specific; avoid technical jargon your audience won’t understand.
- Tailor guidance to the risk (credit monitoring or identity protection when SSNs/financial data are involved).
- Maintain consistency across individual, media, and HHS submissions while avoiding unnecessary sensitive details.
Documentation and Recordkeeping
Retain breach documentation for at least six years. Your records should allow an auditor to reconstruct what happened, why you made each decision, and how you met every deadline.
What to keep
- Incident intake, investigation notes, timelines, and approvals.
- The complete ePHI risk assessment and evidence supporting “low probability” determinations, if applicable.
- Copies of all notices (individual, HHS breach reporting, and any media breach notification), mailing lists, and proof of dispatch.
- Law enforcement delay requests (oral and written) and your responses.
- Mitigation plans and outcomes, corrective actions, sanctions, and security changes.
- Business associate communications and agreements relevant to the incident.
Make it operational
- Assign a unique incident ID and use a centralized repository with access controls.
- Capture metrics (time to discovery, to containment, to notice) for continuous improvement.
- Test your breach response plan annually and train staff on roles and escalation paths.
Media Notification Requirements
You must provide media breach notification when a breach involves 500 or more residents of a single state or jurisdiction. Send notice to prominent media outlets serving that area without unreasonable delay and no later than 60 days from discovery.
Content and coordination
- Include the same core elements as individual notices, written in accessible language.
- Coordinate with legal, privacy, security, and communications teams to ensure accuracy and consistency.
- Prepare call-center scripts and FAQs so staff can handle inquiries appropriately.
Media notice complements, but does not replace, individual notices. If 10 or more individuals lack current contact information, substitute notice may also involve a website posting or additional media outreach.
Conditions for Delay of Notification
If a law enforcement official states that notice would impede a criminal investigation or damage national security, you must delay notification. If the request is written, delay for the specified period; if oral, delay for up to 30 days unless a written request is received within that time. Document the request, pause notifications, and resume promptly when the restriction lifts—this is a criminal investigation delay, not a permanent waiver.
Operational hurdles (e.g., completing forensics or translations) do not justify missing the 60-day deadline. If necessary, send notices with the best available information and follow up with supplemental details.
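The notification rules from the timeline section (the 60-day clock from discovery, the 500-individual thresholds for HHS and media notice, substitute notice for 10 or more unreachable individuals) and the oral/written law-enforcement delay rules above, turned into a small deadline calculator. This is an added example, not code from the original article; the `Breach` fields, the function names, and the sample figures in `main()` are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW_DAYS = 60        # "no later than 60 calendar days after discovery"
LARGE_BREACH_THRESHOLD = 500   # immediate HHS report; media notice per state
SUBSTITUTE_NOTICE_THRESHOLD = 10
ORAL_LE_DELAY_DAYS = 30        # oral law-enforcement request: at most 30 days

@dataclass
class Breach:  # constructed record type, not a HIPAA-defined structure
    discovered: date
    affected_by_state: dict = field(default_factory=dict)  # state -> residents affected
    missing_contact_info: int = 0
    le_oral_request: Optional[date] = None      # date of an oral law-enforcement request
    le_written_until: Optional[date] = None     # end date stated in a written request

def total_affected(b: Breach) -> int:
    return sum(b.affected_by_state.values())

def notification_plan(b: Breach) -> dict:
    """Derive each notification obligation and its deadline from the breach facts."""
    deadline = b.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    total = total_affected(b)
    large = total >= LARGE_BREACH_THRESHOLD
    # Small breaches go on the log; the annual report is due 60 days after year end.
    annual_report = date(b.discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)
    paused_until = None
    if b.le_written_until:          # written request: delay for the specified period
        paused_until = b.le_written_until
    elif b.le_oral_request:         # oral request: at most 30 days unless written follows
        paused_until = b.le_oral_request + timedelta(days=ORAL_LE_DELAY_DAYS)
    return {
        "individual_notice_deadline": deadline,
        "hhs_report": "immediate" if large else "annual_log",
        "hhs_report_deadline": deadline if large else annual_report,
        "media_notice_states": sorted(
            s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD),
        "substitute_notice_required": b.missing_contact_info >= SUBSTITUTE_NOTICE_THRESHOLD,
        "notifications_paused_until": paused_until,  # resume promptly when this lifts
    }

def main() -> None:
    sample = Breach(date(2024, 5, 6), {"CA": 520, "NV": 30}, 12, le_oral_request=date(2024, 5, 10))
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")

if __name__ == "__main__":
    main()
```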
Conclusion
Responding to an ePHI breach requires fast containment, a defensible ePHI risk assessment, on-time notifications to individuals, HHS, and sometimes the media, and meticulous records. Embed breach mitigation efforts into your process, coordinate with business associates, and preserve documentation for six years so you can demonstrate compliance end to end.
FAQs
What qualifies as an ePHI breach under HIPAA?
A breach is any impermissible acquisition, access, use, or disclosure of ePHI that compromises its security or privacy. The rule presumes a breach unless you document a low probability of compromise based on the four-factor analysis. Certain limited exceptions apply (e.g., inadvertent disclosures between authorized persons), and properly encrypted or destroyed data may fall outside notification requirements.
How soon must affected individuals be notified after a breach?
You must notify individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The clock starts when you knew—or by exercising reasonable diligence should have known—about the incident.
What information must be included in breach notifications?
Each notice must explain what happened (including breach and discovery dates), what information was involved, what steps people should take to protect themselves, what you are doing to investigate and mitigate the issue and prevent recurrences, and how individuals can contact you (toll-free number, email, website, or address).
When is media notification required?
Provide notice to prominent media outlets when a breach affects 500 or more residents of a single state or jurisdiction. The media notice must be issued without unreasonable delay and no later than 60 days from discovery and should align with the content of individual notices.
How long must breach documentation be retained?
Retain all breach-related documentation—risk assessments, decisions, notices, proofs of mailing, mitigation records, and law enforcement delay letters—for at least six years from creation or last effective date.