Small vs. Large HIPAA Breaches: Definitions, 500‑Person Threshold, and Reporting Requirements
Definitions of HIPAA Breaches
What “breach” means under the Breach Notification Rule
A HIPAA breach is any acquisition, access, use, or disclosure of unsecured Protected Health Information (PHI) that compromises its security or privacy. “Unsecured” means the PHI is not rendered unusable, unreadable, or indecipherable (for example, by strong encryption or proper destruction).
Built‑in exceptions you should know
Not every improper use or disclosure is a breach. Exceptions include good‑faith, unintentional access by an authorized workforce member; inadvertent disclosure between authorized persons within the same organization or business associate; and situations where the recipient could not reasonably retain the information.
The required risk assessment
When an incident occurs, you must perform and document a risk assessment to determine whether there is a low probability that the PHI has been compromised. Evaluate four factors: the nature and extent of the PHI involved; the unauthorized person who received or used it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. This risk assessment underpins the covered entity's compliance decisions, including whether notification is required.
500-Person Threshold Explanation
How HIPAA distinguishes small vs. large breaches
The 500‑person threshold separates reporting pathways. A breach affecting fewer than 500 individuals is considered “small,” while one affecting 500 or more individuals is “large.” The count is based on the number of affected individuals per breach.
Why “state or jurisdiction” matters
For media notification, the threshold applies to 500 or more residents within a single state or jurisdiction. For reporting to HHS, any breach affecting 500 or more individuals—regardless of state—triggers expedited reporting to HHS under the Breach Notification Rule.
Reporting Requirements for Small Breaches
Timeline and method
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. You must also log the breach and report it to HHS within 60 days of the end of the calendar year in which the breach was discovered.
What to include
Your report and individual notices should explain what happened (including the breach and discovery dates), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and prevent future occurrences, and how to contact you. Maintain a complete breach log to support the annual submission and any compliance audits.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Reporting Requirements for Large Breaches
Immediate obligations
For breaches affecting 500 or more individuals, notify affected individuals and HHS without unreasonable delay, and in no case later than 60 calendar days following discovery. Submit details through the HHS breach reporting process; do not wait for year‑end.
Media notification trigger
If a breach affects 500 or more residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area. This is in addition to individual notification and the HHS report.
Notification Procedures
Who you must notify
- Individuals: Provide written notice by first‑class mail (or email if the individual has agreed to electronic notice).
- HHS: Report via the prescribed process, without unreasonable delay (and no later than 60 calendar days after discovery) for large breaches; annually, within 60 days of the end of the calendar year, for small breaches.
- Media: Notify when 500+ residents of a state or jurisdiction are affected.
- Business Associates: Must notify the covered entity without unreasonable delay and no later than 60 days, identifying affected individuals and supplying known details.
Form and content of notices
- Plain‑language description of the incident, including breach and discovery dates.
- Types of PHI involved (for example, names, diagnoses, account numbers).
- Protective steps individuals should take (such as monitoring accounts or placing fraud alerts).
- Your mitigation and prevention efforts.
- Contact methods (toll‑free number, email, website, or postal address).
Substitute notice and special rules
- If fewer than 10 individuals are unreachable, use an alternative method such as telephone.
- If 10 or more are unreachable, provide a conspicuous website posting or media notice for at least 90 days and include a toll‑free number.
- Law enforcement delay: If a law enforcement official determines notice would impede an investigation, delay notifications for the time specified.
Penalties and Enforcement
What happens if you fail to report
Failure to follow the Breach Notification Rule can lead to civil monetary penalties assessed per violation, subject to annual caps, with tiers based on your level of culpability (from lack of knowledge to willful neglect). Penalty amounts are adjusted annually for inflation, and resolutions can also include corrective action plans and ongoing monitoring.
How enforcement works
The HHS Office for Civil Rights (OCR) investigates complaints, conducts compliance reviews, and monitors breach reports. OCR may exercise enforcement discretion in limited, clearly announced circumstances, but you should not rely on discretion as a strategy. State attorneys general can also enforce HIPAA, and criminal penalties may apply to certain wrongful disclosures.
Best Practices for Breach Response
Preparation before an incident
- Maintain an Incident Response Plan that maps roles, decision trees, and approval paths for notifications.
- Encrypt PHI at rest and in transit; retire legacy systems that cannot meet current data privacy and security standards.
- Train workforce members routinely; run tabletop exercises focusing on detection, triage, and notification drafting.
- Harden vendor management: require business associates to notify you rapidly and share forensics.
Response after discovery
- Contain and eradicate the issue; preserve logs and evidence for the risk assessment.
- Complete the four‑factor analysis, document “low probability of compromise” determinations, and retain records.
- Draft notices using approved templates; verify addresses and preferred contact methods.
- Meet all timelines, coordinate HHS and media submissions where applicable, and implement corrective actions.
Continuous improvement
- Track root causes and trends to inform remediation and compliance audits.
- Align safeguards with recognized security frameworks and update policies annually.
Conclusion
In short, the 500‑person threshold determines when you escalate from annual to expedited reporting and when media notice is required. Clear assessments, timely notifications, and a mature response program are the core of compliant, patient‑centered breach management.
FAQs
What constitutes a small HIPAA breach?
A small HIPAA breach is an incident involving unsecured PHI that requires notification and affects fewer than 500 individuals. You must notify affected individuals within 60 days of discovery, log the event, and report it to HHS within 60 days after the end of the calendar year.
What is the significance of the 500-person threshold?
The 500‑person threshold changes how and when you report. Breaches affecting 500 or more individuals require expedited reporting to HHS and, if 500+ residents of a single state or jurisdiction are impacted, media notification. Breaches below 500 are reported to HHS annually.
When must breaches be reported to HHS?
Large breaches (500+ individuals) must be reported to HHS without unreasonable delay and no later than 60 calendar days after discovery. Small breaches (<500 individuals) must be logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered.
What are the penalties for failing to report a breach?
Penalties range by culpability tier and are assessed per violation, with annual caps that are adjusted for inflation. Consequences can include substantial civil monetary penalties, corrective action plans, mandated monitoring, and, in egregious cases, criminal exposure and state enforcement.