What Is the HIPAA Breach Notification Rule? Key Requirements and Timelines
Definition of a Breach
The HIPAA Breach Notification Rule requires you to notify specific parties when there is a breach of Unsecured PHI (Protected Health Information). A “breach” is any impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. When Unsecured PHI is involved, a breach is presumed unless you can demonstrate—through a documented risk assessment—a low probability that the PHI has been compromised.
What counts as Unsecured PHI
Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, not encrypted to a recognized standard or not properly destroyed). If PHI is properly secured, the breach reporting requirement does not apply.
Risk assessment factors
- The nature and extent of PHI involved (types of identifiers and likelihood of re-identification).
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed, or only potentially exposed.
- The extent to which risks have been mitigated (for example, obtaining written assurances of destruction or return).
Narrow Privacy Rule exceptions (not breaches)
- Unintentional acquisition, access, or use of PHI by a workforce member in good faith within scope of authority, not further used or disclosed.
- Inadvertent disclosure by a person authorized to access PHI to another authorized person within the same Covered Entity or organized health care arrangement, with no further impermissible use or disclosure.
- Disclosures where you, in good faith, believe the unauthorized recipient could not reasonably retain the information.
Notification Requirements for Covered Entities
Covered Entities must provide direct notice to affected individuals following discovery of a breach of Unsecured PHI. Notice must be made without unreasonable delay and include all information reasonably available at the time; if some details are not yet known, you must provide them as a supplemental notice when they become available.
Who must be notified
- Affected individuals (or their personal representatives) via first-class mail or email if the individual has agreed to electronic communications.
- The HHS Secretary (HHS Secretary Notification) according to the applicable timeline in the Reporting Timelines and Deadlines section.
- Media outlets when the Media Notification Rule is triggered (see Media Notification Protocols).
Form and content of individual notice
Notices must be written in plain language and include: a brief description of the breach (including date of breach and date of discovery, if known); a description of the types of PHI involved; steps individuals should take to protect themselves; what your organization is doing to investigate, mitigate harm, and prevent future incidents; and contact information (toll‑free number, email, website, or postal address) for questions.
Substitute and special notices
- If fewer than 10 individuals are unreachable, you may use alternative means such as telephone.
- If 10 or more individuals are unreachable, you must provide substitute notice via a conspicuous website posting for at least 90 days or via major print/broadcast media in the affected area, including a toll‑free number active for at least 90 days.
- For urgent situations involving imminent misuse of PHI, you may also provide telephone or other appropriate notice in addition to written notice.
Notification Requirements for Business Associates
Business Associates must notify the Covered Entity following discovery of a breach of Unsecured PHI. This notice must be provided without unreasonable delay and no later than 60 calendar days from discovery, subject to any stricter timelines in the Business Associate Agreement.
What Business Associate notice must include
- Identification of each affected individual (to the extent known).
- Information the Covered Entity needs to provide compliant notices, including a description of the incident, types of PHI involved, dates, and known mitigation steps.
- Ongoing updates as more information becomes available.
Downstream obligations
Business Associates must require their subcontractors to report breaches to them under similar terms, ensuring timely flow of information so the Covered Entity can meet all notification deadlines.
Reporting Timelines and Deadlines
Clock start: discovery
Discovery occurs on the first day the breach is known to you—or would have been known by exercising reasonable diligence—by any workforce member or agent (other than the person committing the breach). All deadlines below are measured in calendar days.
Core deadlines
- Individuals: without unreasonable delay and no later than 60 days after discovery.
- Business Associates to Covered Entities: without unreasonable delay and no later than 60 days after discovery (your contract may require faster reporting, such as 5–15 days).
- HHS Secretary Notification (≥500 affected individuals in a single state/jurisdiction): without unreasonable delay and no later than 60 days after discovery.
- HHS Secretary Notification (<500 affected individuals): maintain a breach log and report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.
- Media Notification Rule (≥500 residents of a state/jurisdiction): without unreasonable delay and no later than 60 days after discovery.
Permissible law enforcement delay
If a law enforcement official states that notification would impede a criminal investigation or damage national security, you must delay notices. A written statement may specify the delay period; an oral statement must be documented and permits a delay of up to 30 days, unless a written statement extending the delay is provided during that period.
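As an added illustration of how the deadlines above combine (this is example code, not the page's or any HHS tool's), the calculator below takes a discovery date, per-state affected counts, an optional Business Associate Agreement reporting window, and an optional law enforcement delay, and returns each notice deadline. The 60-day window, the 30-day cap on oral law enforcement statements, the year-end-plus-60-days log deadline, and the per-state 500 threshold are taken from the section above; the function and argument names are assumptions.

```python
from datetime import date, timedelta
from typing import Dict, Optional

# Constants taken from the timelines stated above (constructed example, not legal advice).
NOTICE_WINDOW_DAYS = 60        # "no later than 60 calendar days after discovery"
ORAL_LE_DELAY_DAYS = 30        # oral law enforcement statement: delay of up to 30 days
LARGE_BREACH_THRESHOLD = 500   # per state/jurisdiction threshold used in this section


def year_end_log_deadline(discovery: date) -> date:
    """Breaches under 500: report from the log within 60 days after the calendar year ends."""
    return date(discovery.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)


def breach_deadlines(discovery: date, affected_by_state: Dict[str, int],
                     ba_contract_days: Optional[int] = None,
                     le_delay_days: Optional[int] = None,
                     le_written: bool = False) -> dict:
    """Compute notice deadlines for one breach of Unsecured PHI (hypothetical helper).

    affected_by_state maps state/jurisdiction -> number of affected residents.
    le_delay_days is the delay requested by law enforcement; an oral statement
    is capped at 30 days, a written statement is honoured as specified.
    """
    delay = 0
    if le_delay_days:
        delay = le_delay_days if le_written else min(le_delay_days, ORAL_LE_DELAY_DAYS)
    start = discovery + timedelta(days=delay)      # clock resumes after any permitted delay
    window = start + timedelta(days=NOTICE_WINDOW_DAYS)

    # Business Associate -> Covered Entity: 60 days, or sooner if the BAA requires it.
    ba_days = NOTICE_WINDOW_DAYS if ba_contract_days is None else min(ba_contract_days, NOTICE_WINDOW_DAYS)

    large_states = sorted(s for s, n in affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD)
    return {
        "individuals": window,
        "business_associate_to_ce": start + timedelta(days=ba_days),
        # HHS: notice within the 60-day window when the threshold is met,
        # otherwise the incident goes on the breach log for the annual submission.
        "hhs": window if large_states else year_end_log_deadline(discovery),
        "hhs_immediate": bool(large_states),
        # Media notice is owed in every state/jurisdiction with 500 or more affected residents.
        "media": {s: window for s in large_states},
    }
```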
Media Notification Protocols
When a breach involves 500 or more residents of a single state or jurisdiction, the Media Notification Rule requires you to notify prominent media outlets serving that area. This is in addition to direct individual notices and must occur without unreasonable delay and within 60 days of discovery.
Content and method
- Issue a press release or similar communication that includes the same core content as individual notices.
- Ensure messaging is accurate, plain‑language, and consistent with your investigation and mitigation steps.
- Media notice does not replace the obligation to notify each affected individual directly.
Substitute media notice for unreachable individuals
If 10 or more individuals are unreachable, you may use a major print or broadcast outlet in the relevant geographic area as substitute notice and/or a 90‑day website posting with a toll‑free number, as described earlier.
Documentation and Recordkeeping
Maintain thorough, contemporaneous records for at least six years from the date of creation or last effective date, whichever is later. Good records prove compliance and support your risk posture.
What to keep
- Incident reports, forensic findings, and the documented risk assessment supporting whether the event is a reportable breach.
- Copies of all notices sent to individuals, the HHS Secretary, and the media, plus timing evidence (mailing dates, press release dates).
- Breach log for incidents affecting fewer than 500 individuals, retained for annual HHS submission.
- Law enforcement delay requests and your documentation of any oral statements.
- Current policies and procedures, workforce training records, sanction logs, Business Associate Agreements, and evidence of safeguards (for example, encryption and destruction certificates).
Mitigation and Investigation Procedures
Responding effectively protects individuals and demonstrates compliance with the HIPAA Breach Notification Rule. Build an incident response plan that is tested, role‑based, and time‑bound.
Immediate actions
- Contain and eradicate: isolate affected systems, disable compromised accounts, stop further disclosures, and preserve logs and evidence.
- Engage key teams: privacy, security, legal/compliance, executive leadership, and relevant vendors or Business Associates.
- Assess patient safety risks and provide interim safeguards as needed.
Investigation and risk assessment
- Determine what PHI was involved, how it was accessed, and whether it was actually viewed or exfiltrated.
- Apply the four risk assessment factors and document rationale for breach/not a breach determinations.
- Coordinate with law enforcement when appropriate; document and honor any required delays.
Mitigation and remediation
- Retrieve or obtain satisfactory assurances of destruction of improperly disclosed PHI when feasible.
- Offer protective services when appropriate (for example, credit monitoring for Social Security number exposures).
- Correct control gaps (for example, encrypt devices, enforce multi‑factor authentication, tighten access controls, patch vulnerabilities, and update workforce training).
Governance and continuous improvement
- Sanction workforce members when policies are violated and document actions taken.
- Review and revise policies, Business Associate oversight, and testing plans based on lessons learned.
- Report outcomes to leadership and track metrics to reduce future incidents.
In summary, the HIPAA Breach Notification Rule sets clear expectations: determine whether Unsecured PHI was compromised, notify affected individuals and regulators on time, use the Media Notification Rule when thresholds are met, and maintain strong documentation to show compliance.
FAQs
What constitutes a breach under the HIPAA Breach Notification Rule?
A breach is an impermissible acquisition, access, use, or disclosure of Unsecured PHI that compromises its security or privacy. A breach is presumed when Unsecured PHI is involved unless a documented risk assessment shows a low probability of compromise; the limited Privacy Rule exceptions described above also apply.
When must covered entities notify affected individuals?
Covered Entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Notice must be in plain language and include the required content elements, with supplemental notices if new information emerges.
How soon must business associates report breaches to covered entities?
Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days from discovery, providing available details needed for compliant notices and continuing to update the Covered Entity as more information becomes known. Contracts may require faster reporting.
What information must be included in a breach notification?
Each notice must include: a description of what happened (including dates), the types of PHI involved, steps individuals should take to protect themselves, what your organization is doing to investigate, mitigate, and prevent recurrence, and clear contact information (for example, a toll‑free number or email) for questions.