Omnibus Final Rule Breach Notification Requirements: Complete HIPAA Compliance Guide
Definition of Breach
Under the Omnibus Final Rule, a breach is the acquisition, access, use, or disclosure of unsecured protected health information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. In practice, an impermissible disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised.
“Unsecured” PHI means the information is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through a technology or methodology specified in HHS guidance: encryption consistent with the NIST standards the guidance references, or destruction (shredding or secure media sanitization). Encryption only counts if the decryption key or process was not itself compromised in the incident; a lost laptop with full-disk encryption whose passphrase was on a sticky note attached to it is still unsecured PHI. If PHI is properly secured, the incident is not a reportable breach under the breach notification rule, although it may still be a security incident that must be documented under the Security Rule.
Examples include a lost unencrypted laptop containing patient data, misdirected emails with clinical notes to the wrong recipient, or a database accessed by an unauthorized actor. Each incident triggers a documented risk assessment to determine whether notification is required.
Risk Assessment Requirements
The Omnibus Final Rule requires you to conduct a risk assessment for every potential breach. You must evaluate at least these four risk assessment factors to decide whether there is a low probability that PHI has been compromised:
- Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made, and whether that person has obligations to protect confidentiality.
- Whether the PHI was actually acquired or viewed, or only exposed in principle (for example, a lost device recovered with forensic evidence that it was never powered on or that the data was never read).
- The extent to which the risk to the PHI has been mitigated (for example, obtaining a satisfactory written attestation of destruction or a confirmed return without further use).
Document your methodology, findings, and conclusion for each factor. Your record should capture the discovery date, investigation steps, mitigation taken, your determination of whether notification is required, and, if it is, the dates on which each notice was sent. Maintain this documentation for six years; if OCR investigates, the burden of proving that notification was not required rests on you.
Notification to Individuals
If notification is required, you must provide written notice to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. “Discovery” occurs on the first day the breach is known to you or, by exercising reasonable diligence, would have been known to you; knowledge by any workforce member or agent (other than the person who committed the breach) is imputed to the organization. The clock therefore runs from the day a help-desk ticket or SIEM alert first surfaced the event, not from the day the investigation concluded.
Send the notice by first-class mail to the individual’s last known address, or by email if the individual has agreed to receive electronic notices. For deceased individuals, send notice to the next of kin or personal representative if appropriate.
Required content of the individual notice
- A brief description of what happened, including the date of the breach and the date of discovery, if known.
- Types of PHI involved (for example, name, date of birth, diagnosis, treatment information, Social Security number, or account numbers).
- Steps individuals should take to protect themselves from potential harm.
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- Contact information for questions and assistance, such as a toll-free number, email address, or postal address.
Substitute and urgent notices
- If you have insufficient or out-of-date contact information for fewer than 10 individuals, provide substitute notice by an alternative form of written notice, by telephone, or by other means.
- If you lack contact information for 10 or more individuals, provide substitute notice via a conspicuous posting on your website home page or by a major print or broadcast media announcement, and maintain a toll-free number for at least 90 days so individuals can determine if they were affected.
- You may use urgent telephone or other expedient methods in addition to written notice if immediate action is needed.
Law enforcement delay
If a law enforcement official states that notification would impede a criminal investigation or damage national security, delay notification. If the statement is in writing and specifies a period, delay for that period. If the statement is oral, document it and the identity of the official, and delay no longer than 30 days from the date of the oral statement unless a written statement is submitted during that time. Record the request, who made it, and the period of delay in the incident file.
Notification to Secretary
You must notify the Secretary of Health and Human Services (HHS) through the breach portal according to the number of affected individuals:
- 500 or more individuals: notify the Secretary without unreasonable delay and no later than 60 calendar days from discovery.
- Fewer than 500 individuals: maintain a breach log and submit it to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.
Retain confirmation of submission, your investigation file, and supporting materials demonstrating your risk assessment and mitigation.
Notification to Media
If a breach involves unsecured PHI of more than 500 residents of a single state or jurisdiction, you must provide notice to prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. This is in addition to individual notices and should contain the same core content, without including unnecessary PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exceptions to Breach Definition
The Omnibus Final Rule recognizes narrow exceptions where an impermissible disclosure does not constitute a breach requiring notification:
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under your authority, in good faith and within the scope of authority, and not resulting in further impermissible use or disclosure.
- Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, with no further impermissible use or disclosure.
- You have a good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, a sealed envelope returned unopened).
Separately, if PHI is properly secured (for example, encrypted to a recognized standard or destroyed), the incident is not a reportable breach because it does not involve “unsecured” PHI.
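The preceding sections describe a decision procedure: gate on secured PHI, the three exceptions, and the risk assessment; then derive the individual, Secretary, media, and substitute-notice obligations from the discovery date, the per-state headcount, the number of bad addresses, and any law enforcement delay. The following Python module encodes that procedure as an incident-tracking team might implement it. It is an added example written for this edit, not code from the original page or from Accountable; the `Incident` and `Obligations` record layouts and the sample incidents are constructed for illustration, and the treatment of a law enforcement delay (notice goes out as soon as the requested delay ends) is a modeling assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and clocks from the Breach Notification Rule (45 CFR 164.400-414).
NOTICE_DEADLINE_DAYS = 60            # individuals, Secretary (>=500), media: counted from discovery
SECRETARY_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals -> Secretary within 60 days
MEDIA_THRESHOLD = 500                # MORE than 500 residents of a single state -> media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10     # 10 or more with bad contact info -> web/media + toll-free line
TOLL_FREE_MIN_DAYS = 90
ORAL_LE_DELAY_MAX_DAYS = 30          # oral law-enforcement request is capped unless put in writing


@dataclass
class Incident:
    """Facts gathered during the investigation (hypothetical record layout)."""
    discovered: date                          # first day known, or reasonably should have been known
    residents_by_state: dict[str, int]        # affected individuals keyed by state of residence
    phi_secured: bool = False                 # encrypted per HHS guidance (key intact) or destroyed
    exception_applies: bool = False           # one of the three documented exceptions
    low_probability_of_compromise: bool = False  # conclusion of the four-factor risk assessment
    missing_contact_count: int = 0            # individuals with insufficient/out-of-date contact info
    le_written_delay_until: date | None = None   # written law-enforcement request: delay until this date
    le_oral_statement_date: date | None = None   # oral request only: capped at 30 days from this date


@dataclass
class Obligations:
    notification_required: bool
    reason: str
    individual_notice_due: date | None = None
    secretary_notice_due: date | None = None
    secretary_via_annual_log: bool = False
    media_notice_states: list[str] = field(default_factory=list)
    substitute_notice: str | None = None
    toll_free_until: date | None = None


def law_enforcement_delay_end(inc: Incident) -> date | None:
    """Date the permitted law-enforcement delay ends, or None if none was requested."""
    if inc.le_written_delay_until is not None:
        return inc.le_written_delay_until
    if inc.le_oral_statement_date is not None:
        return inc.le_oral_statement_date + timedelta(days=ORAL_LE_DELAY_MAX_DAYS)
    return None


def assess(inc: Incident) -> Obligations:
    total = sum(inc.residents_by_state.values())

    # Gates: secured PHI is outside the rule; then the exceptions; then the risk assessment.
    if inc.phi_secured:
        return Obligations(False, "PHI was secured (encrypted/destroyed per HHS guidance); not unsecured PHI")
    if inc.exception_applies:
        return Obligations(False, "documented exception to the breach definition applies")
    if inc.low_probability_of_compromise:
        return Obligations(False, "documented risk assessment shows low probability of compromise")

    # Presumed breach: every clock runs from discovery, not from the date of the incident.
    due = inc.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)
    delay_end = law_enforcement_delay_end(inc)
    if delay_end is not None and delay_end > due:
        due = delay_end  # assumption: send notice as soon as the requested delay ends

    ob = Obligations(True, f"presumed breach of unsecured PHI affecting {total} individuals",
                     individual_notice_due=due)

    if total >= SECRETARY_IMMEDIATE_THRESHOLD:
        ob.secretary_notice_due = due
    else:
        # Fewer than 500: log it; report within 60 days after the end of the year of discovery.
        ob.secretary_via_annual_log = True
        ob.secretary_notice_due = date(inc.discovered.year, 12, 31) + timedelta(days=NOTICE_DEADLINE_DAYS)

    # Media notice is per state: 600 residents split 300/300 across two states triggers none.
    ob.media_notice_states = sorted(s for s, n in inc.residents_by_state.items() if n > MEDIA_THRESHOLD)

    if inc.missing_contact_count >= SUBSTITUTE_NOTICE_THRESHOLD:
        ob.substitute_notice = "conspicuous home-page posting (90 days) or major print/broadcast media"
        ob.toll_free_until = due + timedelta(days=TOLL_FREE_MIN_DAYS)
    elif inc.missing_contact_count > 0:
        ob.substitute_notice = "alternative written notice, telephone, or other means"
    return ob


if __name__ == "__main__":
    # Constructed sample: lost unencrypted laptop, 640 patients, 600 of them Texas residents.
    print(assess(Incident(date(2024, 3, 5), {"TX": 600, "OK": 40}, missing_contact_count=12)))
```

Two points the code makes explicit that the prose leaves implicit: the Secretary threshold is a national total while the media threshold is per state, so the same 600 individuals can require one, both, or neither; and the annual-log deadline is computed from December 31 of the discovery year, so a breach discovered in late December still goes on that year's log.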
Business Associate Responsibilities
Business associates must implement safeguards, evaluate security incidents, and report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Your report should identify each affected individual, describe what happened, list the types of PHI involved, outline mitigation steps, and provide any information the covered entity needs to complete individual and media notices.
Business associates must also ensure their subcontractors agree to the same privacy and security obligations and breach reporting duties. Depending on the business associate agreement, a business associate may be delegated the responsibility to notify individuals and the Secretary; if so, the business associate must meet the same breach notification timelines and content requirements.
Enforcement and Penalties
The Office for Civil Rights (OCR) enforces the breach notification rule through investigations, resolution agreements, and civil monetary penalties. Penalties are tiered by culpability across four levels: did not know (and could not reasonably have known), reasonable cause, willful neglect that was corrected within 30 days, and willful neglect that was not corrected. Amounts range from hundreds to tens of thousands of dollars per violation, with annual caps per violation category that are adjusted for inflation. Willful neglect carries mandatory penalties, and willful neglect left uncorrected falls in the highest tier.
Consequences may also include corrective action plans, ongoing monitoring, and reputational harm. In egregious cases, criminal penalties may apply for knowingly obtaining or disclosing PHI in violation of HIPAA. State attorneys general may bring civil actions, and contractual remedies may arise under business associate agreements.
Documentation Requirements
Maintain comprehensive records to demonstrate compliance with breach notification requirements and the underlying Privacy and Security Rules:
- Incident intake logs, investigation notes, forensics reports, and written risk assessments addressing the required risk assessment factors.
- Copies of individual, media, and Secretary notices; proofs of mailing; scripts used for call centers; and substitute notice artifacts (for example, screenshots of website postings).
- Law enforcement delay requests and the dates applied.
- Policies and procedures for incident response, risk assessment, and breach notification timelines; workforce training records and sanction actions.
- Business associate agreements and subcontractor agreements showing privacy, security, and breach reporting duties.
- Evidence of safeguards (for example, encryption status, access controls) and mitigation steps taken.
HIPAA requires you to retain these records for at least six years from the date of creation or the date when last in effect, whichever is later.
Compliance Deadline
The Omnibus Final Rule was published in January 2013, with a general compliance date of September 23, 2013. Covered entities and business associates were required to update policies, workforce training, and contracts by that date. Certain preexisting business associate agreements had a transition period, generally until September 22, 2014, after which updated terms were required.
Going forward, compliance is ongoing. For each incident, you must meet the 60-day breach notification timeline from discovery, keep complete documentation, and continually improve safeguards to reduce the likelihood and impact of future incidents.
Conclusion
To comply with the Omnibus Final Rule, treat every potential impermissible disclosure of unsecured PHI as a presumptive breach, complete a thorough risk assessment, and meet all notification duties to individuals, HHS, and—when applicable—the media. Maintain strong vendor oversight for business associates, document every step, and review your program regularly to minimize risk and civil monetary penalties.
FAQs
What constitutes a breach under the Omnibus Final Rule?
A breach is any acquisition, access, use, or disclosure of unsecured PHI that violates the Privacy Rule and compromises the information’s security or privacy. The rule presumes a breach after an impermissible disclosure unless your documented risk assessment shows a low probability that the PHI was compromised.
When must individuals be notified of a breach?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notices are sent by first-class mail (or email if the individual has agreed). If contact information is insufficient for 10 or more people, provide substitute notice via website posting or major media and maintain a toll-free number for at least 90 days.
How do business associates report breaches?
Business associates must report breaches to the covered entity without unreasonable delay and within 60 days of discovery, supplying the information needed to complete notifications. If a business associate agreement assigns direct notice duties, the business associate must notify individuals, HHS, and—if applicable—the media within the same breach notification timelines.
What are the penalties for non-compliance?
OCR can require corrective actions and impose tiered civil monetary penalties that escalate with culpability and are adjusted annually for inflation. Willful neglect not corrected carries the highest levels. Serious or intentional misuse of PHI can also result in criminal liability and additional reputational and contractual consequences.