HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to notify individuals, HHS, and sometimes the media after a breach of unsecured PHI.

What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule (45 CFR Sections 164.400–414) requires covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). Established by the HITECH Act in 2009 and finalized in the 2013 Omnibus Rule, the Breach Notification Rule creates a structured process for informing affected individuals, the Department of Health and Human Services (HHS), and in certain cases the media when PHI has been compromised.

This rule works in concert with the HIPAA Security Rule and HIPAA Privacy Rule to form the complete HIPAA compliance framework. For a high-level overview, visit the HIPAA compliance page or consult the HIPAA glossary entry.

What constitutes a breach?

A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. This is a broad definition, and understanding its boundaries is critical for building an effective response program.

The presumption of breach

Under the Omnibus Rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised. This is determined through a four-factor risk assessment.

The four-factor risk assessment

When an impermissible use or disclosure occurs, the organization must evaluate:

  1. The nature and extent of the PHI involved — disclosures involving names, Social Security numbers, and diagnosis codes carry higher risk than those with only zip codes.
  2. The unauthorized person who received the PHI — a misdirected fax to another provider presents different risks than a public database exposure.
  3. Whether the PHI was actually acquired or viewed — if forensic analysis confirms no access occurred, this weighs against a finding of compromise.
  4. The extent to which risk has been mitigated — if the recipient returned or destroyed the information, this reduces the probability of compromise.

If the risk assessment cannot demonstrate a low probability of compromise, the organization must treat the incident as a breach and proceed with notifications.

Exceptions to the breach definition

Three narrow exceptions exist: unintentional access by a workforce member acting in good faith within the scope of authority, inadvertent disclosure between persons authorized to access PHI at the same entity, and disclosure to someone who could not reasonably retain the information. Even when an exception applies, organizations should document their analysis.

Notification requirements

The Breach Notification Rule establishes distinct notification obligations depending on the size of the breach and the role of the organization.

Individual notification

Covered entities must notify each individual whose unsecured PHI has been breached. The notification must be provided without unreasonable delay and no later than 60 calendar days from the date the breach was discovered.

The notification must describe the breach (including the relevant dates), the types of PHI involved, the steps the individual should take to protect themselves, what the entity is doing to investigate, mitigate, and prevent future breaches, and contact information for the entity. Notifications must be sent by first-class mail, or by email if the individual has agreed to electronic notice. When contact information is unavailable for 10 or more individuals, substitute notice is required: a posting on the entity's website for 90 days, or notice in major media serving the affected area.

HHS notification

The timeline and method for notifying HHS depend on the number of individuals affected:

  • Breaches affecting 500 or more individuals — the covered entity must notify HHS at the same time as individual notifications, no later than 60 days from discovery. These breaches are posted on the HHS "Wall of Shame" (the Breach Portal) and often attract media attention and regulatory scrutiny.
  • Breaches affecting fewer than 500 individuals — the covered entity must notify HHS within 60 days of the end of the calendar year in which the breach was discovered. These notifications are submitted through the HHS breach reporting portal as an annual log.

All HHS notifications are made through the online portal maintained by the Office for Civil Rights.

Media notification

When a breach affects 500 or more residents of a single state or jurisdiction, the covered entity must notify prominent media outlets serving that area. This notification must be provided without unreasonable delay and no later than 60 days from discovery. The media notice must contain the same elements required for individual notification.

Business associate obligations

When a business associate discovers a breach of unsecured PHI, it must notify the covered entity without unreasonable delay and no later than 60 days from discovery (or sooner if specified in the Business Associate Agreement). The notification must identify each individual whose PHI has been or is reasonably believed to have been affected, along with any other available information the covered entity needs to fulfill its own notification obligations.

The covered entity, not the business associate, is ultimately responsible for providing notifications to individuals, HHS, and the media. However, the BAA may allocate additional responsibilities.

When is a breach "discovered"?

The 60-day clock starts on the date the breach is discovered, not the date it occurred. A breach is considered discovered on the first day the entity knows of it or, by exercising reasonable diligence, would have known. Willful ignorance does not stop the clock, and delayed discovery from inadequate monitoring can itself become a compliance violation.

The role of encryption

The Breach Notification Rule applies only to unsecured PHI. PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons is considered secured and falls outside the notification requirements.

HHS has specified two methods for securing PHI:

  • Encryption — PHI encrypted in accordance with NIST standards (currently AES-128 or stronger for data at rest, and TLS 1.2+ for data in transit) is considered secured, provided the encryption key has not been compromised alongside the data.
  • Destruction — paper PHI that has been shredded or destroyed such that it cannot be reconstructed, and electronic media that has been cleared, purged, or destroyed in accordance with NIST SP 800-88, is considered secured.

This creates a powerful incentive to encrypt ePHI at rest and in transit. If encrypted data is stolen but the key remains secure, no breach notification is required. This is why encryption, although technically an addressable specification under the Security Rule, is implemented by virtually every organization that handles ePHI.
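To make the thresholds and clocks in the sections above concrete, here is an added Python example (not from this page or any HHS tool) that maps a constructed incident record to the notices the rule requires; the `Incident` fields and the calendar-day arithmetic from the discovery date are my assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Incident:
    """Constructed incident record; field names are assumptions, not HHS terms."""
    discovered: date                  # first day the entity knew or should have known
    affected: int                     # individuals whose unsecured PHI was involved
    by_state: dict = field(default_factory=dict)  # affected residents per state
    unreachable: int = 0              # individuals with no usable contact information
    encrypted: bool = False           # PHI encrypted per NIST guidance when lost
    key_compromised: bool = False     # encryption key exposed alongside the data
    low_probability: bool = False     # four-factor assessment found low probability
    business_associate: bool = False  # reporting entity is a BA, not a covered entity


def required_notifications(inc: Incident) -> dict:
    """Return the notices and deadlines the Breach Notification Rule requires."""
    # Encrypted PHI with an intact key is "secured" and outside the rule entirely.
    if inc.encrypted and not inc.key_compromised:
        return {"breach": False, "reason": "secured PHI (encryption safe harbor)"}
    # A documented low probability of compromise rebuts the presumption of breach.
    if inc.low_probability:
        return {"breach": False, "reason": "four-factor assessment: low probability"}
    sixty_days = inc.discovered + timedelta(days=60)  # clock runs from discovery
    if inc.business_associate:
        # A BA notifies the covered entity, which then handles the notices below.
        return {"breach": True, "covered_entity": sixty_days}
    notices = {"breach": True, "individuals": sixty_days}
    if inc.affected >= 500:
        notices["hhs"] = sixty_days  # concurrent with individual notice
    else:
        # Annual log: within 60 days after the end of the discovery calendar year.
        notices["hhs"] = date(inc.discovered.year, 12, 31) + timedelta(days=60)
    media_states = sorted(s for s, n in inc.by_state.items() if n >= 500)
    if media_states:
        notices["media"] = {"states": media_states, "deadline": sixty_days}
    if inc.unreachable >= 10:
        notices["substitute_notice"] = "website posting for 90 days or major media"
    return notices
```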

Building a breach response process

Healthcare organizations and their technology partners should build a documented breach response process before an incident occurs. Key components include:

  • incident detection and reporting channels;
  • a defined team for conducting the four-factor risk assessment;
  • pre-drafted notification templates and workflows;
  • mitigation and containment steps;
  • comprehensive documentation, retained for at least six years;
  • post-incident reviews to update policies and controls.

The HIPAA compliance checklist includes breach response requirements alongside the broader compliance program.

Penalties for non-compliance

Failure to comply with the Breach Notification Rule carries penalties ranging from $100 to $50,000 per violation with annual maximums of $1.5 million per category. Delayed or insufficient notifications are among the most common findings in HHS enforcement actions. State attorneys general may also bring actions under the HITECH Act. Breaches posted on the HHS Breach Portal are publicly accessible, creating significant reputational consequences.
