When to Notify the Media of a Breach: HIPAA’s 500+ Rule and 60‑Day Deadline
HIPAA Breach Notification Requirements
HIPAA’s Breach Notification Rule requires you to notify specific parties when there is a breach of Unsecured Protected Health Information (unsecured PHI). “Unsecured” means the data was not rendered unusable, unreadable, or indecipherable through approved methods such as strong encryption or proper destruction. If a breach involves unsecured PHI, notification duties are triggered.
Covered Entities—including health plans, most health care providers, and health care clearinghouses—and their Business Associates must act. Business Associates must alert the Covered Entity without unreasonable delay (and no later than 60 days after discovery) so the Covered Entity can complete notifications. Your obligations extend to affected individuals, to HHS (reported through the Office for Civil Rights), and, in some cases, to prominent media outlets.
What triggers notification
A breach is generally an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. You must perform a documented risk assessment considering: the nature and extent of PHI involved, who used or received it, whether it was actually acquired or viewed, and the extent to which risk has been mitigated. If the risk is not low, you must notify.
Who must be notified
- Impacted individuals: Always, when their unsecured PHI is breached.
- HHS/OCR: For 500+ affected individuals, within 60 days of discovery; for fewer than 500, within 60 days after the end of the calendar year.
- Media: Only when the “500+ in a state or jurisdiction” threshold is met.
Media Notification Thresholds
You must notify prominent media outlets serving a state or jurisdiction when a breach involves unsecured PHI of 500 or more residents of that single state or jurisdiction. The count is by place of residence, not where your organization is located.
The threshold applies per state or jurisdiction. If 800 individuals are affected across two states but no single state has 500 or more residents impacted, Media Outlet Notification is not required. If two states each have 500+, you issue separate notices for each jurisdiction.
Do not confuse this with “substitute notice” for individual notifications. Substitute notice (for 10+ individuals with insufficient contact info) may involve local media in the affected area, but it is different from the state-level 500+ media rule.
Timing and Deadlines for Media Notices
Media notifications must be provided without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. “Discovery” is the date the breach is known—or by exercising reasonable diligence would have been known—to your organization.
Law enforcement may request a delay if a notice would impede an investigation or threaten national security. Document any such request and pause the clock for the authorized period only. Align your notification timing so that media notices, individual letters, and HHS reporting for 500+ breaches are coordinated to meet the same 60‑day outer limit.
Remember: for breaches involving fewer than 500 individuals, HHS reporting follows the annual timeline, but individual notices still follow the “without unreasonable delay and no later than 60 days” rule.
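The per-jurisdiction threshold and the 60‑day outer limit above are easy to get wrong when an incident spans states. The following is an added example, not code from the page or from Accountable: it counts affected people by state of residence, flags the states that need a media notice, and computes the outer deadlines from the discovery date. The rosters are constructed, and an authorized law‑enforcement delay is modelled simply as days added to the deadline, which is an assumption of this example.

```python
from collections import Counter
from datetime import date, timedelta

MEDIA_THRESHOLD = 500   # 500+ residents of ONE state/jurisdiction triggers a media notice
OUTER_LIMIT_DAYS = 60   # "no later than 60 calendar days" after discovery

def jurisdictions_needing_media_notice(affected):
    """affected: iterable of (person_id, state_of_residence) pairs.
    Counts by place of residence (not by where the organization sits) and
    returns {state: count} for every state at or above the threshold."""
    counts = Counter(state for _, state in affected)
    return {state: n for state, n in counts.items() if n >= MEDIA_THRESHOLD}

def notification_deadlines(discovery, total_affected, le_delay_days=0):
    """Outer deadlines (date objects) for individual/media notices and HHS reporting.
    le_delay_days models an authorized law-enforcement delay as a plain pause that
    pushes the outer limit out by that many days (an assumption of this example)."""
    outer = discovery + timedelta(days=OUTER_LIMIT_DAYS + le_delay_days)
    if total_affected >= MEDIA_THRESHOLD:
        hhs = outer  # 500+ total: HHS report due within the same 60-day window
    else:
        # fewer than 500: HHS report due within 60 days after the end of the calendar year of discovery
        hhs = date(discovery.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)
    return {"individual_and_media": outer, "hhs": hhs}

# Constructed roster: 800 people across two states, neither state reaching 500
ROSTER_800_SPLIT = [(f"t{i}", "TX") for i in range(450)] + [(f"o{i}", "OK") for i in range(350)]
# Constructed roster: two states that each meet the threshold, so two separate media notices
ROSTER_TWO_STATES = [(f"c{i}", "CA") for i in range(520)] + [(f"n{i}", "NY") for i in range(610)]

if __name__ == "__main__":
    for name, roster in [("800 split", ROSTER_800_SPLIT), ("two states", ROSTER_TWO_STATES)]:
        media = jurisdictions_needing_media_notice(roster)
        deadlines = notification_deadlines(date(2024, 3, 1), len(roster))
        print(name, "| media notices:", media or "none", "| deadlines:", deadlines)
```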
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Content Requirements for Media Notifications
Media notices are typically press releases directed to prominent outlets serving the affected state or jurisdiction. Use clear, plain language and include only what is necessary—never additional PHI. Include:
- A brief description of what happened, including the date of the breach and the date of discovery (if known).
- The types of unsecured PHI involved (for example, name, address, date of birth, medical record number, diagnosis, treatment information, Social Security number).
- Steps individuals should take to protect themselves (such as monitoring accounts, placing fraud alerts, or resetting credentials).
- What you are doing about it: investigation status, containment, mitigation of harm to affected individuals, and measures to prevent recurrence (policy updates, technical safeguards, training).
- How to contact you for more information: toll‑free phone number, email, website, or postal address.
Coordinate messaging so it is consistent across individual letters and your HHS breach report. Keep copies of the notice, distribution lists, and publication confirmations for your records.
Steps for Mitigating and Investigating Breaches
Immediate containment
- Stop the impermissible use or disclosure; disable access, isolate affected systems, and secure backups.
- Preserve logs and evidence to support forensics and root‑cause analysis.
Risk assessment and documentation
- Complete the four‑factor risk assessment and determine whether unsecured PHI was compromised.
- Document scope, data elements, affected populations, and whether the information was actually viewed or exfiltrated.
Mitigation of Breach Harm
- Retrieve or delete wrongly disclosed data where feasible; reset credentials; enable multi‑factor authentication.
- Offer support such as call‑center assistance and, where appropriate, credit or identity monitoring.
- Remediate controls: patch systems, tighten access, update encryption, and retrain workforce members.
Notification preparation and coordination
- Assemble required content for individual, media (if applicable), and HHS notices; confirm address quality and language needs.
- Set an internal clock to meet the 60‑day outside deadline, and send as soon as practical.
- Engage legal counsel and, when needed, law enforcement to manage any investigation‑related delays.
Penalties for Non-Compliance
Failure to comply with the Breach Notification Rule can lead to civil monetary penalties, resolution agreements, and multi‑year corrective action plans enforced by HHS/OCR. Penalties scale by violation tier (from lack of knowledge to willful neglect), duration, and organizational posture toward compliance.
Additional exposure can come from state attorneys general, contractual claims, class actions, and reputational damage—including listing on HHS’s public breach portal for incidents affecting 500+ individuals. Late or incomplete notifications and poor documentation are common aggravating factors; robust mitigation and prompt action are mitigating factors.
Differences Between Media and Individual Notifications
- Trigger: Individual notice is required for every affected person when unsecured PHI is breached; media notice is required only when 500+ residents of a single state or jurisdiction are affected.
- Audience and purpose: Individual letters guide people on personal risk and protective steps; media notices inform the broader public and promote transparency at scale.
- Timing: Both must be sent without unreasonable delay and no later than 60 days after discovery; HHS reporting aligns with these timings for 500+ incidents.
- Method: Individual notices are direct (mail or email). Media notices are press releases to prominent outlets serving the state or jurisdiction.
- Substitute notice: For 10+ individuals with insufficient contact info, you must provide substitute individual notice (e.g., website posting or local media). This is separate from the 500+ state‑level media requirement.
Key takeaways
If unsecured PHI for 500+ residents of any one state or jurisdiction is breached, issue a media notice and report to HHS within 60 days of discovery—while notifying each affected individual. Build processes that prioritize rapid investigation, mitigation of harm to affected individuals, and airtight documentation to meet the Breach Notification Rule and protect patients’ trust.
FAQs
What is the 500+ rule for media notification?
The 500+ rule requires you to notify prominent media outlets serving a state or jurisdiction when a breach involves unsecured PHI of 500 or more residents of that single state or jurisdiction. The count is per jurisdiction; you issue a separate notice for each state or jurisdiction that meets or exceeds 500 residents affected.
When must media be notified after a breach?
You must notify the media without unreasonable delay and in no case later than 60 calendar days after discovering the breach. The 60‑day clock starts on the date of discovery, and it can be temporarily paused only if law enforcement formally requests a delay.
What information must be included in media notifications?
Include a plain‑language description of what happened (with breach and discovery dates, if known), the types of unsecured PHI involved, steps individuals should take, your mitigation and prevention actions, and clear contact information such as a toll‑free number, email, website, or mailing address.
Are media notifications required for breaches affecting fewer than 500 individuals?
No. Media notice is not required below 500 residents in any single state or jurisdiction. However, you must still notify each affected individual and report to HHS on the annual timeline for smaller breaches. Note that substitute individual notice may involve local media if 10+ individuals have insufficient contact information, which is different from the 500+ media rule.