Omnibus Final Rule Breach Notification Checklist for Covered Entities and Business Associates
The Omnibus Final Rule strengthens HIPAA’s Breach Notification Rule and sets a clear, presumption-of-breach framework. This checklist explains how covered entities and business associates should identify, assess, and report incidents involving Protected Health Information (PHI) to meet federal requirements swiftly and accurately.
Definition of Breach
A breach is the impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. Under the Omnibus Final Rule, a breach is presumed unless you can demonstrate a low probability that the PHI has been compromised based on a documented risk assessment.
Impermissible means the activity violates the HIPAA Privacy Rule, minimum necessary standards, or internal policies. The presumption applies to both electronic and paper PHI, and to all workforce members and contractors under your control.
- Confirm the data involved qualifies as PHI, not de-identified information.
- Verify whether the incident involved “unsecured” PHI as defined by HHS guidance.
- Start the 60-day notification clock on the date of discovery, not the date you finish investigating.
Risk Assessment Factors
The Omnibus Final Rule replaced the prior Risk of Harm Standard with an objective probability-of-compromise analysis. You must evaluate and document the following four factors to decide whether notification is required:
- Nature and extent of PHI involved, including identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed, or only potentially exposed.
- The extent to which the risk has been mitigated, such as obtaining satisfactory assurances of destruction or return.
While potential harm to individuals can inform factor one, it cannot replace the required probability-of-compromise analysis. Complete and memorialize this assessment promptly so notices, if required, can be sent without unreasonable delay and within 60 calendar days.
Exceptions to Breach Definition
Three narrow exceptions mean an incident is not a breach, provided you can substantiate them with facts and timely documentation:
- Unintentional acquisition, access, or use by a workforce member or person acting under the authority of a covered entity or business associate, in good faith and within the scope of authority, and no further impermissible use or disclosure occurs.
- Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further impermissible use or disclosure.
- Good-faith belief that the unauthorized person to whom the disclosure was made could not reasonably have retained the information (for example, mail returned sealed and unopened, or a returned email that was never readable).
Unsecured PHI
Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through approved technologies or methodologies. Generally, encryption using industry-accepted standards and proper key management, or proper destruction (such as shredding or secure wipe), will render PHI “secured.”
- Encrypt PHI at rest and in transit using validated cryptographic methods and protect keys separately.
- Destroy paper PHI by shredding, pulping, or incineration; destroy electronic media by clearing, purging, or physical destruction.
- Validate that mobile devices, backups, and removable media containing PHI are encrypted; if not, treat incidents as involving unsecured PHI.
- Remember: de-identified data as defined by HIPAA is not PHI and is outside breach notification requirements.
Breach Notification Requirements
Once a breach of unsecured PHI is discovered, you must notify affected individuals, and depending on scale and geography, the media and the Secretary of Health and Human Services. “Discovery” occurs on the first day the breach is known, or should reasonably have been known, to your organization.
Who to notify and when
- Individuals: Without unreasonable delay and in no case later than 60 calendar days from discovery.
- Secretary of Health and Human Services: If 500 or more individuals are affected, notify within 60 days of discovery; if fewer than 500, log the breach and submit it to HHS no later than 60 days after the end of the calendar year in which it was discovered.
- Media: If 500 or more residents of a single state or jurisdiction are affected, provide notice to prominent media outlets serving that area within the same 60-day timeframe.
Content of notices
- Brief description of what happened, including dates of breach and discovery, if known.
- Description of the types of PHI involved (for example, names, addresses, dates of birth, diagnoses, account numbers).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- Contact procedures, including a toll-free number, email, or postal address.
Governance, Workforce Training Obligations, and Sanctions for Noncompliance
- Maintain written policies for incident response, investigation, and notification decision-making.
- Fulfill workforce training obligations: train staff to recognize potential incidents, escalate promptly, and preserve evidence.
- Apply sanctions for noncompliance consistently when workforce members violate policies, and document corrective actions.
- Retain risk assessments, notices, and related documentation for required retention periods.
Individual Notice Requirements
Provide written notice by first-class mail to the individual’s last known address, or by email if the individual has agreed to electronic notice. If the individual is deceased, send the notice to the personal representative if known and appropriate.
Substitute notice
- Fewer than 10 individuals with insufficient or out-of-date contact information: substitute notice may be by telephone, alternative written means, or email.
- 10 or more such individuals: provide a conspicuous website posting or major print/broadcast media notice in affected areas for at least 90 days and include a toll-free number for individuals to learn whether their information was involved.
Urgent situations
If imminent misuse of PHI is possible, provide urgent notice by telephone or other appropriate means in addition to the required written notice. All timeframes are in calendar days, and notices must be sent without unreasonable delay.
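As an added illustration (not part of the original checklist), the following Python function turns the thresholds in "Who to notify and when" and "Substitute notice" into a dated notification plan for one breach. The function name, the input shape, and the sample breach figures are constructed for this example; it encodes the per-state media threshold and the year-end HHS log for sub-500 breaches, which are the two points most often miscounted.

```python
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60           # outer limit; "without unreasonable delay" still applies
LARGE_BREACH_THRESHOLD = 500      # triggers immediate HHS notice; per state, media notice
SUBSTITUTE_NOTICE_MEDIA_MIN = 10  # 10+ unreachable individuals -> web/media substitute notice


def plan_notifications(discovered, affected_by_state, unreachable):
    """Return the notification obligations for one breach of unsecured PHI.

    discovered        -- date the breach was known or should reasonably have been known
                         (this starts the clock, not the end of the investigation)
    affected_by_state -- {state_or_jurisdiction: number of affected residents}  (constructed input)
    unreachable       -- individuals with insufficient or out-of-date contact information
    """
    total = sum(affected_by_state.values())
    outer_deadline = discovered + timedelta(days=NOTICE_WINDOW_DAYS)

    if total >= LARGE_BREACH_THRESHOLD:
        hhs = ("notify HHS within 60 days of discovery", outer_deadline)
    else:
        # Fewer than 500: log it and submit no later than 60 days after the calendar year ends.
        year_end = date(discovered.year, 12, 31)
        hhs = ("log and submit to HHS within 60 days after year end",
               year_end + timedelta(days=NOTICE_WINDOW_DAYS))

    # Media notice is keyed to residents of a single state/jurisdiction, not the grand total.
    media_states = sorted(s for s, n in affected_by_state.items()
                          if n >= LARGE_BREACH_THRESHOLD)

    if unreachable == 0:
        substitute = None
    elif unreachable < SUBSTITUTE_NOTICE_MEDIA_MIN:
        substitute = "telephone, alternative written means, or email"
    else:
        substitute = ("conspicuous website posting or major print/broadcast media "
                      "for at least 90 days, with a toll-free number")

    return {
        "individual_deadline": outer_deadline,
        "hhs": hhs,
        "media_states": media_states,
        "substitute_notice": substitute,
    }


if __name__ == "__main__":
    # Constructed sample: 550 affected in total, but no single state reaches 500.
    print(plan_notifications(date(2024, 11, 20), {"TX": 300, "OK": 250}, unreachable=3))
```

Note that the sample breach triggers immediate HHS notice on the total count yet no media notice, because the 500 threshold for media is applied per state.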
Notification by Business Associates
Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of a breach. The notice must, to the extent possible, identify each affected individual and include available details required for the covered entity’s notices, with supplemental information provided as it becomes available.
- Include a description of what happened, dates of occurrence and discovery, and the types of PHI involved.
- Describe mitigation taken, security controls in place, and steps to prevent recurrence.
- Flow-down obligations: subcontractor business associates must notify their upstream business associate, who then notifies the covered entity.
- Ensure your business associate agreements specify timelines, content, cooperation duties, and documentation requirements.
In practice, prompt internal reporting, decisive mitigation, and clear coordination between business associates and covered entities are essential to meet deadlines, reduce impact, and demonstrate compliance.
FAQs
What constitutes a breach under the Omnibus Final Rule?
A breach is any impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. The rule presumes a breach unless you show, through the four-factor assessment, a low probability that the PHI was compromised.
How soon must breach notifications be sent to affected individuals?
Notices must be provided without unreasonable delay and in no case later than 60 calendar days from the date of discovery. Complete your risk assessment quickly so the notice can be sent within this timeframe.
When is media notification required for a breach?
Media notification is required when a breach involves 500 or more residents of a single state or jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery.
What are the responsibilities of business associates in breach notification?
Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, identify affected individuals to the extent possible, and share available details needed for the covered entity’s notices. Subcontractor business associates must notify their upstream business associate, who then notifies the covered entity.