Understanding Breach Notification Requirements Under HITECH

Kevin Henry

Data Breaches

October 13, 2025

8 minutes read

Breach Notification Timing and Deadlines

What starts the clock

A breach notification obligation arises when there is an impermissible use or unauthorized disclosure of Unsecured Protected Health Information (PHI) that does not fall under one of the regulatory exceptions and for which a documented risk assessment does not demonstrate a low probability that the PHI was compromised. The "discovery" date is the first day on which the breach is known, or would have been known with reasonable diligence, to the Covered Entity (CE) or its Business Associate (BA). Knowledge held by any workforce member or agent of the CE or BA, other than the person who committed the breach, is imputed to the organization, so the clock starts when the first employee learns of the incident, not when it reaches the privacy officer.

Core time limits

  • Individuals: Notify without unreasonable delay and in no case later than 60 calendar days after discovery.
  • Media: For incidents meeting media criteria, notify without unreasonable delay and no later than 60 days after discovery.
  • Department of Health and Human Services Secretary: For breaches affecting 500 or more individuals, notify without unreasonable delay and no later than 60 days after discovery; for fewer than 500, submit an annual log no later than 60 days after the end of the calendar year.
  • Business Associates to Covered Entities: BAs must notify the CE without unreasonable delay and no later than 60 days after discovery, supplying details needed for downstream notices.

Law enforcement delay

If a law enforcement official determines that notice would impede a criminal investigation or threaten national security, a CE or BA must delay notification for the period specified in a written statement. If the request is oral, document the official’s identity and delay for up to 30 days unless a written request specifying a longer period is received during that time.

Secured vs. unsecured PHI

HITECH breach notification applies only to Unsecured Protected Health Information. PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals under HHS guidance (encryption consistent with NIST standards, or destruction such as shredding paper or clearing, purging, or destroying electronic media) is considered "secured" and is not subject to breach notification. The practical caveat is that encryption only provides this safe harbor if the decryption key or process was not itself compromised; a stolen laptop with full-disk encryption whose password is written on a sticky note attached to it, or a database dump taken together with its key, is still unsecured PHI. Document the encryption state and key custody for each lost or stolen device at the time of the incident, because that record is what supports the decision not to notify.

Individual and Substitute Notifications

Method and form

Covered Entities must provide written notice in plain language to each affected individual at the last known address by first-class mail. If the individual agrees to electronic notice, email is permitted. If the individual is deceased, notice goes to the next of kin or personal representative when known.

Required content

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • A description of the types of PHI involved (for example, names, Social Security numbers, diagnoses).
  • Steps affected individuals should take to protect themselves.
  • What the CE or BA is doing to investigate, mitigate harm, and prevent further incidents.
  • Contact information for questions (toll-free number, email, or postal address).

Substitute Notice

  • Fewer than 10 individuals with insufficient or out-of-date contact information: Use an alternative method such as telephone, email, or other appropriate means.
  • 10 or more individuals with insufficient or out-of-date contact information: Provide a conspicuous Substitute Notice via a homepage web posting or through major print or broadcast media in areas where affected individuals likely reside. Maintain the web posting for at least 90 days and include a toll-free number active for at least 90 days.

Urgent situations

If possible misuse of PHI presents imminent risk of harm, you may also provide telephone or other rapid notice in addition to the required written notification.

Media Notification Criteria

When a breach involves more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. The media notice should include the same core elements as individual notices and may be issued as a press release. Media notice does not replace individual notice; you must do both when criteria are met.

Reporting Procedures to HHS

500 or more individuals

Report to the Department of Health and Human Services Secretary through the OCR breach portal contemporaneously with the notice to individuals, which means without unreasonable delay and in no case later than 60 days after discovery. Be prepared to provide the incident description, number of affected individuals, the types of PHI involved, mitigation steps, and a point of contact. Each breach affecting 500 or more individuals is reported separately; these reports are published on the OCR breach portal.

Fewer than 500 individuals

Maintain a log of all such breaches and submit an annual report to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred. Keep documentation supporting your risk assessment and notification decisions.

Business Associate Breach Responsibilities

Business Associates must implement safeguards, monitor Workforce Member Access, and promptly investigate suspected incidents. Upon discovery of a breach of Unsecured Protected Health Information, a BA must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery. Because the CE's own 60-day clock runs from the date the breach is treated as discovered, and a BA acting as the CE's agent has its discovery imputed to the CE, a BA that waits the full 60 days can leave the CE with little or no time to meet its own deadlines.

  • Content of BA notice to CE: Identification of each affected individual (if known), a description of what happened, the types of PHI involved, the date of discovery, and any mitigation steps taken.
  • Cooperation: BAs must provide information the CE needs to notify individuals, the media, and the Department of Health and Human Services Secretary, and to meet any state-law obligations.
  • Contracts: Business Associate Agreements may—and often do—set earlier internal reporting timeframes and detailed coordination procedures.

Exceptions to Notification Requirements

Definition-based exceptions

  • Unintentional acquisition, access, or use of PHI by a workforce member or agent acting in good faith within the scope of authority, if no further improper use or disclosure occurs.
  • Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same CE, BA, or organized health care arrangement, with no further improper use or disclosure.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, a misdirected letter returned unopened).

Risk assessment standard

An impermissible use or disclosure is presumed to be a breach unless you demonstrate a low probability of compromise based on a documented assessment of at least: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.

Enforcement and Penalties for Non-Compliance

Regulatory oversight

The HHS Office for Civil Rights (OCR) enforces HIPAA and HITECH. OCR may conduct investigations, audits, and compliance reviews, leading to corrective action plans, resolution agreements, or civil monetary penalties. State attorneys general may also bring civil actions on behalf of residents.

Civil and Criminal Penalties

Civil penalties follow a four-tier structure that scales with the level of culpability: lack of knowledge, reasonable cause, willful neglect that is corrected within 30 days, and willful neglect that is not corrected. Penalties are assessed per violation, with annual caps per violation category, and the amounts are adjusted for inflation. Criminal penalties, enforced by the Department of Justice under 42 U.S.C. § 1320d-6, apply to knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA: up to $50,000 and one year of imprisonment for the base offense, up to $100,000 and five years when committed under false pretenses, and up to $250,000 and ten years when committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

Mitigating risk

  • Implement administrative, physical, and technical safeguards to prevent incidents.
  • Encrypt and properly destroy PHI to avoid Unsecured Protected Health Information exposures.
  • Train workforce members, monitor access, and document investigations and decisions.
  • Test and maintain an incident response plan to meet timing and content requirements.

Conclusion

Understanding breach notification requirements under HITECH helps you respond quickly, meet deadlines, and reduce regulatory risk. Focus on timely notification, precise content, proper use of Substitute Notice, prompt HHS reporting, and tight coordination with Business Associates. Strong safeguards and documentation will minimize the chance of a breach and support compliance if one occurs.

FAQs

What is the deadline for breach notification under HITECH?

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovering a breach. The same 60-day outer limit generally applies to media notices (when required) and to notifying the Department of Health and Human Services Secretary for breaches affecting 500 or more individuals.

How must covered entities notify affected individuals?

Provide written notice in plain language by first-class mail to the last known address, or by email if the individual agreed to electronic notice. If contact information is insufficient or out-of-date, use appropriate Substitute Notice methods; for 10 or more such individuals, post a conspicuous website notice or notify major media and maintain a toll-free number for at least 90 days.

When is media notification required?

Notify prominent media outlets when a breach involves more than 500 residents of a single state or jurisdiction. This media notice must occur without unreasonable delay and no later than 60 days after discovery and does not replace individual notices.

What are the penalties for failing to comply with breach notification requirements?

OCR can impose tiered civil monetary penalties per violation with annual caps, and may require corrective action plans. Serious cases may trigger criminal prosecution for wrongful uses or disclosures of PHI, with fines and potential imprisonment, especially when done under false pretenses or for personal gain.
