Patient Notification and HIPAA Compliance: What You Can Send, When, and How


Kevin Henry

HIPAA

April 04, 2026


HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media following a breach of unsecured protected health information. A breach is presumed unless you can demonstrate a low probability of compromise based on a documented breach risk assessment.

Notification must occur without unreasonable delay and no later than 60 calendar days from discovery. “Discovery” occurs on the first day the breach is known, or would have been known with reasonable diligence. Law enforcement may request a delay if notification would impede an investigation.

Information is “unsecured” if it is not rendered unusable, unreadable, or indecipherable to unauthorized persons. Using strong encryption or proper destruction creates an encryption safe harbor; if PHI meets that standard, the incident is not a reportable breach under this rule.

Individual Notification Requirements

How to deliver notice

Provide written notice by first-class mail to the individual’s last known address. If the individual has agreed to electronic communications, you may send notice by email. For deceased individuals, send to the next of kin or personal representative when appropriate. If imminent misuse or harm is likely, you may also use telephone or other means as appropriate.

What the notice must include

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • The types of information involved (for example, names, dates of birth, diagnoses, treatment details, account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing for breach mitigation, investigation, and to prevent future occurrences.
  • Contact information for individuals to ask questions or learn more (toll-free number, email, or postal address).

Keep the tone clear and actionable, avoid unnecessary detail that could further expose PHI, and ensure contact points match your notice of privacy practices so individuals can easily verify authenticity.

Substitute Notice Procedures

Use substitute notice when you lack sufficient or up-to-date contact information for affected individuals. If fewer than 10 individuals are unreachable, you may use an alternative form such as telephone, email (if appropriate), or another agreed method.

If contact information is insufficient for 10 or more individuals, you must provide a conspicuous website posting on your home page for at least 90 days or use major print or broadcast media in the affected area. In either case, include a toll‑free number active for at least 90 days so individuals can determine whether their information was involved. Continue to send direct notices to those for whom valid contact information exists.

Media Notification Obligations

If a breach affects 500 or more residents of a single state or jurisdiction, notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days from discovery. A press release typically satisfies this requirement.

The media notice should mirror the content of individual notices while avoiding unnecessary detail that could further compromise privacy. Media notification is in addition to, not a substitute for, direct individual notice.

Notification to the Secretary of Health and Human Services

For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, maintain a breach log and submit those incidents to HHS no later than 60 days after the end of the calendar year in which they were discovered.

Submit complete and accurate information and update it if new facts emerge. If law enforcement has requested a delay, retain the documentation and submit once the delay period ends.

Business Associate Breach Notification

A business associate must provide business associate notification to the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach. Business associate agreements often require a shorter timeframe (for example, 10–15 days) and specify required details.

The business associate’s notice to the covered entity should identify each affected individual, describe the incident, list the types of PHI involved, outline breach mitigation steps taken, and provide any additional information the covered entity needs to complete individual, media, and HHS notifications.

Risk Assessment for Breach Determination

Notification is required unless you can show a low probability that the PHI has been compromised. Conduct and document a breach risk assessment that, at minimum, evaluates:

  • Nature and extent of PHI involved, including the types of identifiers and the likelihood of re‑identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, obtaining satisfactory assurances of destruction, secure return, or verified remote wipe).

Also consider the rule’s limited exceptions, such as unintentional, good‑faith access by a workforce member within scope of authority; inadvertent disclosures between authorized persons within the same organization; or cases where there is a good‑faith belief the recipient could not reasonably retain the information. If PHI was properly encrypted or destroyed, it is not unsecured protected health information, and the encryption safe harbor applies.

FAQs

What information must be included in a HIPAA breach notification?

Your notice must describe what happened (including breach and discovery dates), the types of PHI involved, steps individuals should take to protect themselves, what you are doing for breach mitigation and prevention, and how to contact you for more information.

When is substitute notice required for a breach?

Use substitute notice when you lack valid contact information for affected individuals. If fewer than 10 individuals cannot be reached, use an alternative method such as telephone or other reasonable means. If 10 or more cannot be reached, post a conspicuous web notice on your home page for at least 90 days or use major print or broadcast media in the affected area, and provide a toll‑free number active for at least 90 days.

How soon must the Secretary be notified of a breach?

For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 calendar days from discovery. For fewer than 500 individuals, submit a year‑end report no later than 60 days after the end of the calendar year in which the breaches were discovered.

Breach notices are directed to the individual or the individual’s personal representative (for example, a parent of a minor or a legally authorized representative). You may notify a personal representative without the individual’s separate consent. Routine disclosure to other family members is generally not part of breach notification, though the Privacy Rule permits certain disclosures to family involved in care under specific circumstances.
