HIPAA Breach Notification Requirements
Quick Answer
HIPAA requires covered entities to notify affected individuals within 60 days of discovering a PHI breach. Breaches affecting 500+ individuals also require notification to HHS and local media. Business associates must notify covered entities without unreasonable delay.
HIPAA Breach Notification Overview
The HIPAA Breach Notification Rule (45 CFR Sections 164.400-414) requires covered entities and business associates to provide notification following a breach of unsecured PHI. A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.
Key Takeaways
- Individual notification: within 60 days of discovering the breach
- HHS notification: within 60 days for breaches of 500+ (annual report for < 500)
- Media notification: required for breaches affecting 500+ in a single state/jurisdiction
- Business associates must notify covered entities without unreasonable delay (and within 60 days)
- Breach risk assessment determines whether notification is required (four-factor test)
What Qualifies as a Breach?
A breach is any impermissible use or disclosure of PHI that compromises its security or privacy. Under the HITECH Act, a breach is presumed unless the covered entity demonstrates a low probability that PHI was compromised, based on a four-factor risk assessment.
| Factor | What to Assess |
|---|---|
| 1. Nature and extent of PHI involved | What types of identifiers and clinical data were exposed? SSNs and diagnoses are higher risk than names alone. |
| 2. Unauthorized person who used/received PHI | Was it an employee (lower risk) or external attacker (higher risk)? Was the recipient able to retain the data? |
| 3. Whether PHI was actually acquired or viewed | Was the data actually accessed/viewed, or just potentially exposed? A lost encrypted laptop may not constitute a breach. |
| 4. Extent to which risk has been mitigated | Has the PHI been returned or destroyed? Were assurances obtained from the recipient? |
Notification Requirements
Breach Notification Timeline
Day 0: Discovery
A breach is "discovered" on the first day the covered entity knows or should have known about it. For business associates, discovery triggers notification to the covered entity.
Days 1-10: Investigation
Conduct the four-factor risk assessment to determine if notification is required. Document your analysis thoroughly.
Days 10-30: Preparation
If notification is required, prepare notification letters, determine affected individuals, and compile the notification content.
By Day 60: Individual Notification
Send written notification to all affected individuals via first-class mail or email (if patient previously agreed to email). If contact info is insufficient for 10+ individuals, post a conspicuous notice on your website or in major media.
By Day 60: HHS Notification
For breaches affecting 500+ individuals, notify HHS via the OCR breach portal within 60 days. For smaller breaches, report annually (within 60 days of the end of the calendar year).
By Day 60: Media Notification
For breaches affecting 500+ individuals in a single state/jurisdiction, notify prominent media outlets serving that area.
Notification Content Requirements
Required Elements in Breach Notification Letters
- Description of the breach (what happened, date of breach, date discovered)
- Types of PHI involved (names, SSNs, diagnoses, etc.)
- Steps individuals should take to protect themselves
- What the covered entity is doing to investigate and mitigate the breach
- Contact information for questions (toll-free phone, email, postal address)
Exceptions to Breach Notification
- Unintentional access by workforce: Good-faith, unintentional access by an authorized employee acting within their scope of authority, as long as the information isn't further disclosed impermissibly.
- Inadvertent disclosure between authorized persons: Inadvertent disclosure between authorized persons at the same covered entity or business associate, as long as the information isn't further disclosed impermissibly.
- Good faith belief of no retention: A disclosure where the covered entity has a good faith belief that the unauthorized recipient would not have been able to retain the information.
⚠️ The HHS Wall of Shame
Breaches affecting 500 or more individuals are posted on the HHS "Breach Portal" — commonly called the "Wall of Shame." This is a permanent public record. As of 2025, it lists thousands of breaches affecting hundreds of millions of individuals. Being listed causes significant reputational damage beyond the financial penalties.
Business Associate Responsibilities
Business associates have their own breach notification obligations under HIPAA. When a business associate discovers a breach, they must notify the covered entity without unreasonable delay and no later than 60 days after discovery. The notification must include the identities of affected individuals (if known) and any other available information the covered entity needs for its notification.
Key Figures
- 60 days: maximum notification time, from discovery to individual notification
- 500: threshold for immediate HHS/media notification; breaches below 500 can be reported annually
- 725+: breaches reported in 2024, each affecting 500+ individuals
- $1.3M: average OCR settlement for breach notification failures
Is a lost encrypted laptop a breach?
No, if the encryption meets NIST standards (AES-128 or higher with proper key management). HIPAA treats properly encrypted PHI as "secured," and the Breach Notification Rule applies only to unsecured PHI (the encryption safe harbor). If the device is properly encrypted, no breach notification is required even if the device is lost or stolen.
What if I'm not sure whether a breach occurred?
Under HIPAA, a breach is presumed unless you can demonstrate a low probability of compromise through the four-factor risk assessment. When in doubt, notify. The penalties for failing to notify are far worse than notifying unnecessarily.
Can I delay notification for law enforcement?
Yes. If a law enforcement official determines that notification would impede a criminal investigation, the covered entity may delay notification. This requires a written request from law enforcement, and the delay is limited to 30 days (or the duration of an oral request, up to 30 days).
What happens if I miss the 60-day notification deadline?
Failing to provide timely notification is itself a HIPAA violation and can result in separate fines and enforcement actions. OCR takes notification timeliness seriously — late notification is a common basis for enforcement actions and penalties.
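As an added example that is not part of the original page, the notification timeline above and the law-enforcement delay rule from the FAQ, encoded as a Python helper that turns the facts of a breach into the notices required and their deadlines. The Breach fields, the per-state counts and the assumption that a permitted law-enforcement delay shifts every deadline by the same number of days are this example's own choices, not text from the Rule.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_DAYS = 60               # page: notify no later than 60 days after discovery
LARGE_BREACH = 500          # page: 500+ individuals triggers HHS portal and media notice
SUBSTITUTE_NOTICE_MIN = 10  # page: 10+ individuals with insufficient contact info
LE_DELAY_MAX = 30           # page: law-enforcement delay is capped at 30 days


@dataclass
class Breach:
    discovered: str                      # ISO date the breach was (or should have been) discovered
    individuals_by_state: dict = field(default_factory=dict)  # constructed, e.g. {"CA": 520}
    unsecured: bool = True               # False when the PHI was encrypted to NIST standards
    insufficient_contact: int = 0        # individuals with no usable mailing/email address
    law_enforcement_delay_days: int = 0  # days requested in writing by law enforcement


def notification_plan(b: Breach) -> dict:
    """Map the breach facts to the notifications the page's timeline requires."""
    if not b.unsecured:
        # Encrypted PHI is "secured": the safe harbor means no notification duty.
        return {"breach": False, "reason": "encrypted PHI, safe harbor applies"}
    discovered = date.fromisoformat(b.discovered)
    total = sum(b.individuals_by_state.values())
    # Assumption: a permitted law-enforcement delay shifts every deadline by the same amount.
    delay = min(b.law_enforcement_delay_days, LE_DELAY_MAX)
    deadline = discovered + timedelta(days=MAX_DAYS + delay)
    plan = {"breach": True, "individual_notice_by": deadline.isoformat()}
    if b.insufficient_contact >= SUBSTITUTE_NOTICE_MIN:
        plan["substitute_notice"] = "conspicuous website posting or major media"
    if total >= LARGE_BREACH:
        plan["hhs_notice_by"] = deadline.isoformat()  # OCR breach portal
    else:
        # Smaller breaches go in the annual report: 60 days after the calendar year ends.
        year_end = date(discovered.year, 12, 31)
        plan["hhs_annual_report_by"] = (year_end + timedelta(days=MAX_DAYS)).isoformat()
    # Media notice is per state/jurisdiction, only where that state alone reaches 500+.
    plan["media_notice_states"] = sorted(
        s for s, n in b.individuals_by_state.items() if n >= LARGE_BREACH)
    return plan


if __name__ == "__main__":
    # Constructed sample: a 550-person breach discovered 2024-03-01, mostly in one state.
    print(notification_plan(Breach("2024-03-01", {"CA": 520, "NV": 30}, insufficient_contact=12)))
```

Treat the output as a checklist to feed the incident record; the four-factor risk assessment that decides whether the event is a breach at all still has to be documented separately.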