What the HIPAA Breach Notification Rule Is For—and Why It Matters

Kevin Henry

HIPAA

April 29, 2024


The HIPAA Breach Notification Rule exists to make sure you and your organization act quickly and transparently when Protected Health Information is exposed. It sets clear Breach Notification Requirements so affected individuals, regulators, and—when warranted—the media are told what happened and how risks are being contained.

Understanding who is covered, what counts as a breach, how to assess risk, and when the Encryption Safe Harbor applies helps you meet Covered Entity Responsibilities, manage Business Associate Agreements effectively, and avoid costly Civil Monetary Penalties.

Definition of a Breach

What counts as a breach

A breach is the acquisition, access, use, or disclosure of unsecured Protected Health Information (PHI) in a manner not permitted by HIPAA’s Privacy Rule. “Unsecured” means the PHI is not rendered unusable, unreadable, or indecipherable to unauthorized persons through valid encryption or proper destruction.

Presumption and “low probability” standard

Under the Rule, any impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate, via a documented Risk Assessment, a low probability that the PHI has been compromised. That assessment determines whether notification is required.

When the clock starts

A breach is “discovered” on the first day it is known—or by exercising reasonable diligence would have been known—to the covered entity or business associate. All timelines for notice run from the date of discovery.

Covered Entities and Business Associates

Who is covered

Covered entities include health plans, health care clearinghouses, and most health care providers that transmit health information electronically for standard transactions. Business associates are vendors or contractors that create, receive, maintain, or transmit PHI on behalf of a covered entity, along with their subcontractors.

Covered Entity Responsibilities

As a covered entity, you must maintain policies, train your workforce, conduct security risk analyses, and implement administrative, physical, and technical safeguards. When a breach occurs, you are responsible for required notifications, recordkeeping, and remediation.

Business Associate Agreements

Business Associate Agreements (BAAs) must spell out each party’s duties, including breach reporting timelines, the content of reports, cooperation on investigations, and flow-down obligations to subcontractors. A strong BAA clarifies who investigates, who notifies, and how information is shared so notifications are accurate and timely.

Business associate breach duties

Business associates must notify the covered entity of breaches they discover without unreasonable delay and no later than 60 calendar days after discovery. Their notice should identify the affected individuals (if known) and provide the details the covered entity needs to meet its own Breach Notification Requirements.

Notification Requirements

Who must be notified

  • Affected individuals: Direct notice is required whenever notification is triggered.
  • U.S. Department of Health and Human Services (HHS): Required for all breaches; timing depends on the number of individuals affected.
  • Media: Required when a breach involves more than 500 residents of a state or jurisdiction.

Timelines

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS (≥500 individuals): Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS (<500 individuals): No later than 60 days after the end of the calendar year in which the breach was discovered.
  • Business associate to covered entity: Without unreasonable delay and no later than 60 calendar days after discovery.

Methods of individual notice

  • Written notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice.
  • If there is imminent risk of harm, you may use telephone or other appropriate means in addition to written notice.
  • If fewer than 10 individuals have insufficient or out-of-date contact information, use an alternative method (e.g., telephone, alternative email).
  • If 10 or more individuals have insufficient contact information, provide substitute notice by a conspicuous website posting or major print/broadcast media in the affected area for at least 90 days, and include a toll-free number active for the same period.
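To make the clocks and head-count thresholds above concrete, here is an added example (my own code, not part of the original article or of Accountable's product) that turns a discovery date and a few counts into the deadlines and notice methods the Rule calls for; the function and parameter names are assumptions, and the scenarios are constructed.

```python
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # "no later than 60 calendar days after discovery"


def notification_plan(discovered, affected, max_in_one_state, bad_contact_info,
                      discovered_by_ba=False):
    """Map the Rule's thresholds and clocks onto concrete deadlines (ISO date strings).

    discovered        -- ISO date the breach was, or by reasonable diligence should have been, discovered
    affected          -- number of individuals whose unsecured PHI was involved
    max_in_one_state  -- largest number of residents of any single state or jurisdiction
    bad_contact_info  -- individuals with insufficient or out-of-date contact details
    discovered_by_ba  -- True when a business associate discovered the breach
    """
    d = date.fromisoformat(discovered)
    deadline = d + NOTICE_WINDOW
    plan = {"individuals": deadline}
    # HHS: same 60-day clock at 500 or more individuals; below that the breach goes
    # in the annual submission due 60 days after the end of the year of discovery.
    if affected >= 500:
        plan["hhs"] = deadline
    else:
        plan["hhs"] = date(d.year, 12, 31) + NOTICE_WINDOW
    # Media notice uses a different test: MORE than 500 residents of one state/jurisdiction.
    plan["media"] = deadline if max_in_one_state > 500 else None
    # A business associate owes the covered entity notice on the same 60-day clock.
    plan["ba_to_covered_entity"] = deadline if discovered_by_ba else None
    # Substitute notice depends on how many individuals cannot be reached in writing.
    if bad_contact_info == 0:
        plan["substitute_notice"] = None
    elif bad_contact_info < 10:
        plan["substitute_notice"] = "alternative method (telephone or alternative email)"
    else:
        plan["substitute_notice"] = ("conspicuous website posting or major media for 90 days, "
                                     "plus a toll-free number active for the same period")
    return {k: (v.isoformat() if isinstance(v, date) else v) for k, v in plan.items()}


def days_left(deadline_iso, today_iso):
    """Calendar days remaining before a deadline; negative means it has already passed."""
    return (date.fromisoformat(deadline_iso) - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Constructed scenario: 700 people affected, 600 of them in one state, 12 unreachable by mail.
    for key, value in notification_plan("2024-03-15", 700, 600, 12).items():
        print(f"{key:>22}: {value}")
```

Note that the HHS and media tests differ (500 or more versus more than 500), so a breach of exactly 500 people in one state is on the 60-day HHS clock but does not by itself trigger media notice.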

Content of the notice

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • The types of PHI involved (for example, names, addresses, Social Security numbers, diagnoses, or treatment information).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact information for questions, including a toll-free number, email, or postal address.

Risk Assessment Factors

The four-factor analysis

  • Nature and extent of PHI involved: Consider sensitivity (e.g., diagnoses, financial identifiers) and the likelihood of re-identification.
  • The unauthorized person: Evaluate who used or received the PHI and whether they have legal obligations to protect it.
  • Whether PHI was actually acquired or viewed: Determine if access was merely possible or likely occurred.
  • Mitigation: Assess how effectively risks were reduced, such as obtaining satisfactory assurances of destruction or return.

Documenting the Risk Assessment

Document your analysis, decision, and rationale. Keep evidence of containment steps, forensics, and mitigation. This documentation shows why you concluded there is—or is not—a low probability of compromise.

Using results to drive action

If the assessment shows a low probability of compromise, notification may not be required. If not, proceed with notifications and strengthen safeguards, training, and monitoring to prevent recurrence.

Exclusions from Breach Definition

Three built-in exceptions

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, in good faith and within scope, with no further impermissible use or disclosure.
  • Inadvertent disclosure by an authorized person to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further impermissible use or disclosure.
  • Situations where the covered entity or business associate has a good-faith belief the unauthorized recipient could not reasonably have retained the information.

What does not trigger notification

De-identified data and properly limited data sets without direct identifiers are not PHI. Likewise, PHI that is rendered unusable through appropriate encryption or destruction falls outside the breach notification scope.

Encryption Safe Harbor

When encryption shields you from notification

If PHI is encrypted in accordance with recognized standards and the decryption key remains secure, the information is considered “secured.” Under this Encryption Safe Harbor, the loss or theft of an encrypted device typically does not trigger breach notification.

Practical applications

  • Devices: Full-disk encryption and strong key management for laptops, tablets, and smartphones containing PHI.
  • Data at rest and in transit: Robust encryption for databases, backups, and transmissions between systems and partners.
  • Paper records: Cross-cut shredding or equivalent destruction to render PHI unreadable and irretrievable.

Remember: if the encryption is weak or misconfigured, or the keys are exposed, the safe harbor may not apply and notification could be required.

Enforcement and Penalties

How enforcement works

The HHS Office for Civil Rights (OCR) enforces the Rule. OCR can open investigations, require corrective action, enter into resolution agreements with monitoring, and—where appropriate—impose Civil Monetary Penalties. State attorneys general may also bring actions under HIPAA.

Civil Monetary Penalties

Penalties follow a tiered structure based on culpability, ranging from violations due to reasonable lack of knowledge to willful neglect not corrected. Caps and amounts are adjusted for inflation and consider factors like the nature and extent of the violation, harm caused, history of compliance, and organizational size.

Prevention and response essentials

  • Maintain current policies, role-based access controls, audit logs, and incident response plans.
  • Train your workforce regularly and test your breach response playbook.
  • Vet vendors, execute strong Business Associate Agreements, and verify downstream safeguards.
  • Document your Risk Assessment and mitigation steps thoroughly after every incident.

Conclusion

The HIPAA Breach Notification Rule protects patients and organizations by ensuring clear, timely communication when PHI is at risk. By understanding the breach definition, executing sound Risk Assessment, leveraging Encryption Safe Harbor, and aligning Covered Entity Responsibilities and BAAs, you can meet your obligations and reduce legal, financial, and reputational exposure.

FAQs

What is considered a breach under HIPAA?

A breach is any acquisition, access, use, or disclosure of unsecured PHI that is not permitted by the Privacy Rule, unless a documented Risk Assessment shows a low probability that the PHI was compromised. PHI that is properly encrypted or destroyed is not considered unsecured.

Who must be notified in a breach incident?

You must notify affected individuals. You must also notify HHS—within 60 days of discovery for large breaches and annually for smaller ones—and, if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area.

What are the timelines for breach notifications?

Provide individual notice without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS within the same 60-day window for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for breaches affecting fewer than 500 individuals.

What are the penalties for not complying with the Breach Notification Rule?

HHS OCR can require corrective action and impose Civil Monetary Penalties using a tiered structure based on culpability, with amounts and caps adjusted for inflation. Factors include the nature and extent of the violation, harm caused, prior compliance history, and the organization’s size and resources.
