Understanding HIPAA Breach Notification Rule: Who to Notify and When

Kevin Henry

HIPAA

April 27, 2024

7 minute read

Notification Requirements for Covered Entities

The HIPAA Breach Notification Rule requires covered entities to notify specific parties after a breach of unsecured protected health information. You must complete a prompt breach investigation, determine whether the incident meets the definition of a breach, and, as the covered entity, issue notifications to affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media.

Unsecured protected health information (PHI) is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, via proper encryption or destruction). If the PHI is secured, the breach notification requirements generally do not apply.

Determining whether a breach occurred

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. You must perform a documented risk assessment considering: the nature and extent of the PHI, the unauthorized person who used or received it, whether the PHI was actually viewed or acquired, and the extent to which risk has been mitigated. If, after this analysis, there is a low probability of compromise, notification may not be required.

Narrow exceptions

  • Unintentional, good‑faith access or use by a workforce member within scope of authority with no further use or disclosure.
  • Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same organization or business associate, with no further use or disclosure.
  • A good‑faith belief that the unauthorized recipient could not reasonably retain the information.

Core obligations

  • Complete a timely breach investigation and document findings.
  • Implement breach mitigation measures to reduce harm and prevent recurrence.
  • Deliver required notifications in the correct order and format to all applicable audiences.
  • Maintain evidence of decisions, notification timelines, and communications.

Notification Responsibilities of Business Associates

Business associate obligations include notifying the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach. Your notice must include, to the extent possible, the identities of affected individuals and any information the covered entity needs to complete individual notifications.

Subcontractors of business associates must notify the business associate, which then notifies the covered entity. A business associate agreement may designate the business associate to provide individual notices directly, but the covered entity remains ultimately responsible for ensuring required notifications are completed.

Timelines for Breach Notifications

Timeframes run in calendar days. “Discovery” occurs on the first day the breach is known—or would have been known by exercising reasonable diligence—to the entity (including by any workforce member or agent).

  • Individuals: without unreasonable delay and in no case later than 60 days after discovery.
  • HHS breach reporting for 500 or more individuals: without unreasonable delay and no later than 60 days after discovery.
  • HHS breach reporting for fewer than 500 individuals: record in a breach log and submit to HHS within 60 days after the end of the calendar year in which the breach was discovered.
  • Media (when required): without unreasonable delay and no later than 60 days after discovery.

Law enforcement delay

If a law enforcement official states that notification would impede a criminal investigation or threaten national security, you must delay notifications for the period specified. Document any oral statement and obtain a written request within the required timeframe.

Content of Breach Notification Letters

Individual notices must be written in clear, plain language and include the following elements:

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • A description of the types of PHI involved (for example, name, date of birth, diagnosis, account number).
  • Steps affected individuals should take to protect themselves (such as monitoring accounts or changing portal passwords).
  • What the organization is doing as part of its breach investigation, breach mitigation measures, and efforts to protect against future incidents.
  • Contact information for questions or assistance, including a toll‑free number, email address, website, or postal address.

Notification to Affected Individuals

Provide notice by first‑class mail to the individual’s last known address or by email if the individual has agreed to electronic notice. If you determine that an urgent situation exists due to possible imminent misuse, you may also contact individuals by telephone or other appropriate means.

Substitute notice

  • Fewer than 10 unreachable individuals: use an alternative form of notice (for example, email, phone, or other means).
  • 10 or more unreachable individuals: post a conspicuous notice on your website home page for at least 90 days or provide notice in major print or broadcast media in the affected area, and maintain a toll‑free number active for at least 90 days.

For minors or deceased individuals, provide notice to the parent, guardian, or personal representative, as applicable.

Reporting to Department of Health and Human Services

HHS breach reporting is mandatory. For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 days after discovery. For breaches affecting fewer than 500 individuals, submit your annual log to HHS within 60 days after the end of the calendar year of discovery.

HHS reports typically include a summary of the incident, the number of individuals affected, notification timelines, the location and type of PHI involved, and remedial actions taken. Retain supporting documentation for your determinations and submissions.

Media Notification Criteria

You must notify prominent media outlets serving a state or jurisdiction when a breach involves more than 500 residents of that state or jurisdiction. Media notice is in addition to individual notice and must be provided without unreasonable delay and no later than 60 days after discovery.

Media notifications should contain the same core content as individual notices and be crafted to reach the affected community effectively. If a breach spans multiple states, assess whether media notification is triggered in each state based on the number of residents affected.

Summary

In practice, the Rule centers on three pillars: confirm a breach of unsecured protected health information through a documented risk assessment, meet all notification timelines, and deliver complete, plain‑language notices to the right audiences—individuals first, HHS next, and the media when thresholds are met. Strong breach investigation practices and prompt breach mitigation measures both reduce risk to individuals and demonstrate compliance.

FAQs

What information must be included in a HIPAA breach notification?

Your notice must describe what happened (including breach and discovery dates, if known), list the types of PHI involved, explain steps individuals should take to protect themselves, outline what you are doing to investigate, mitigate, and prevent future incidents, and provide clear contact information for questions or assistance.

Who is responsible for notifying affected individuals in a breach?

The covered entity is responsible for notifying affected individuals. A business associate must notify the covered entity of the breach and may send individual notices if the business associate agreement assigns that task, but the covered entity remains accountable for ensuring proper notification occurs.

When must breaches be reported to the Department of Health and Human Services?

For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days after discovery. For fewer than 500 individuals, log the breach and submit the report to HHS within 60 days after the end of the calendar year in which the breach was discovered.

What triggers media notification under the HIPAA Breach Notification Rule?

Media notification is required when a breach involves more than 500 residents of a single state or jurisdiction. This notice must be provided without unreasonable delay and no later than 60 days after discovery, in addition to the individual notifications.