This guide walks through exactly what the HIPAA Breach Notification Rule requires, who you must notify, when, and how to determine whether notification is required in the first place.
The Breach Notification Rule: Subpart D
The HIPAA Breach Notification Rule lives in 45 CFR Part 164, Subpart D (sections 164.400 through 164.414). It applies to all HIPAA covered entities and their business associates.
Under 45 CFR 164.402, a breach is defined as the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of that information. The key word is “unsecured.” If the data was properly encrypted or destroyed before the incident, different rules apply (more on that below).
An impermissible use or disclosure is presumed to be a breach unless you can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised.
Three Narrow Exceptions
45 CFR 164.402 carves out three scenarios that do not qualify as a breach:
- Unintentional acquisition by a workforce member. A staff member accesses PHI in good faith, within the scope of their authority, and does not further use or disclose the information impermissibly.
- Inadvertent disclosure between authorized persons. PHI is shared between two people authorized to access it at the same covered entity, business associate, or organized health care arrangement, and the information is not further disclosed.
- Inability to retain the information. PHI is disclosed to an unauthorized person, but that person could not reasonably have retained it. For example, a misdirected fax that was immediately returned without being read.
If your incident does not fall into one of these three categories, you must move to the four-factor risk assessment.
The Four-Factor Risk Assessment
Before you send notifications, you need to determine whether notification is actually required. 45 CFR 164.402(2) establishes a four-factor test. You must evaluate:
- The nature and extent of the PHI involved. What types of identifiers were exposed? Did the breach involve Social Security numbers, diagnoses, treatment records, financial data? The more sensitive the data, the higher the risk.
- The unauthorized person who used the PHI or to whom it was disclosed. Was it an employee at another covered entity who is bound by HIPAA? Or was it a completely unauthorized third party? The recipient’s obligations matter.
- Whether the PHI was actually acquired or viewed. A laptop stolen from a locked car is different from confirmed evidence that someone accessed the files on it. If you can demonstrate the data was never actually viewed, the risk is lower.
- The extent to which the risk to the PHI has been mitigated. Did you retrieve the information? Did the recipient confirm destruction? Did you obtain written assurances that the data was not retained or further disclosed?
If this analysis demonstrates a low probability that the PHI was compromised, you are not required to notify. But the analysis itself must be documented regardless of the outcome. OCR can request this documentation at any time, and “we decided it wasn’t a big deal” is not a defensible position.
For organizations that lack a structured process for conducting this assessment, building one into your incident management program is not optional. It is a regulatory expectation.
The 60-Day Notification Timeline
The clock is the most unforgiving part of the rule. Under 45 CFR 164.404(b), covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovering the breach.
Discovery does not mean the day leadership finds out. It means the first day any workforce member knew, or by exercising reasonable diligence would have known, about the breach. If a front-desk employee notices suspicious access on day one but doesn’t report it until day fifteen, the clock started on day one.
This is why breach detection and internal reporting procedures are critical. Every day of internal delay eats into your 60-day window. If you have not already stress-tested your response procedures, the first 72 hours of a ransomware incident will teach you where the gaps are, the hard way.
Who You Must Notify
The Breach Notification Rule requires three separate notifications, depending on the size of the breach. Each has its own rules.
1. Individual Notification
Under 45 CFR 164.404, you must notify every individual whose unsecured PHI was breached. The notification must be in writing, sent by first-class mail (or email if the individual previously agreed to electronic communication). It must include:
- A description of what happened, including the date of the breach and the date of discovery
- The types of PHI involved (e.g., name, Social Security number, diagnosis, treatment information)
- Steps the individual should take to protect themselves
- What your organization is doing to investigate, mitigate harm, and prevent future breaches
- Contact information, including a toll-free number that must remain active for at least 90 days
If you have insufficient or outdated contact information for 10 or more individuals, you must post a substitute notice on your website for 90 days or provide notice through major print or broadcast media in the affected area.
2. Media Notification
Under 45 CFR 164.406, if a breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area. The timeline is the same: no later than 60 days after discovery. The content requirements mirror the individual notice.
This is not a press release you get to carefully stage. It is a regulatory obligation, and the clock does not pause while your communications team drafts talking points.
3. HHS Secretary Notification
Under 45 CFR 164.408, every breach must be reported to the Secretary of Health and Human Services. The timing depends on the number of individuals affected:
- 500 or more individuals: Notify the Secretary at the same time you notify individuals, within 60 days.
- Fewer than 500 individuals: You may log these breaches and submit them annually, no later than 60 days after the end of the calendar year in which they were discovered.
All reports to the Secretary are submitted through the OCR Breach Portal. Breaches affecting 500 or more individuals are posted publicly on what the industry calls the “Wall of Shame.” The Change Healthcare breach, which reshaped how the industry thinks about third-party risk, sat at the top of that list for months.
The Encryption Safe Harbor
There is one way to avoid the notification obligation entirely: encrypt the data before the breach occurs.
Under 45 CFR 164.402, “unsecured PHI” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary. HHS guidance points to two standards:
- Data at rest: Encryption consistent with NIST Special Publication 800-111
- Data in transit: Encryption processes validated under FIPS 140-2
If the PHI involved in the breach was encrypted to these standards and the encryption key was not compromised in the same incident, the breach notification rule does not apply. This is the safe harbor.
This is why encryption is not just a best practice but a strategic compliance decision. If you encrypt everything to the required standard, a stolen laptop or compromised server does not automatically trigger a 60-day notification sprint.
The safe harbor also applies to PHI that has been properly destroyed. Paper records that have been shredded and electronic media that has been cleared, purged, or destroyed in accordance with NIST Special Publication 800-88 are considered “secured.”
Business Associate Breach Notification Obligations
Business associates have their own notification obligations under 45 CFR 164.410. When a business associate discovers a breach of unsecured PHI, it must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery.
The notification must include:
- The identity of each individual whose PHI was or is reasonably believed to have been affected
- Any other information the covered entity will need to fulfill its own notification obligations under 45 CFR 164.404(c)
The covered entity remains ultimately responsible for notifying individuals, the media, and HHS. But if a business associate drags its feet, the covered entity’s 60-day clock still starts when the business associate discovers (or should have discovered) the breach. This creates a dangerous gap. If your business associate agreement does not define specific, shorter notification timelines, you are relying on the federal maximum, and that may not leave you enough time to investigate, draft notices, and meet your own deadline.
The doubling of healthcare breaches in 2025 was driven in large part by business associate incidents. Your BA agreements need to be tightly drafted, and an attorney should review them where necessary. Your vendor oversight program needs to be active, not a folder of signed contracts gathering dust.
State Breach Notification Laws
HIPAA sets the floor. State laws can, and frequently do, impose shorter timelines and a wider scope of what counts as reportable.
Key areas where state laws add obligations:
- Shorter timelines. California now requires individual notification within 30 days of discovery and attorney general notification within 15 calendar days. Several other states mandate notification within 30 to 45 days, or as soon as possible.
- Broader data definitions. Some states regulate “medical information” or “health insurance information” beyond HIPAA’s definition of PHI. Biometric data is increasingly included.
- Additional notification recipients. Many states require notification to the state attorney general at lower thresholds than HIPAA’s 500-person trigger. Some require notice to consumer reporting agencies.
- Specific content requirements. Certain states mandate particular language, formatting, or subject lines in breach notification letters.
The practical consequence: you must comply with both HIPAA and every applicable state law, and when they conflict, you follow whichever is more protective of the individual. For multi-state practices, this means tracking notification requirements across every jurisdiction where affected individuals reside.
Penalties for Late or Missing Notifications
OCR enforces breach notification requirements under 45 CFR 164.414 with the same tiered penalty structure as other HIPAA violations:
| Tier | Knowledge Level | Per-Violation Range |
|---|---|---|
| 1 | Did not know (and reasonably should not have known) | $141 to $36,298 |
| 2 | Reasonable cause, not willful neglect | $1,452 to $72,596 |
| 3 | Willful neglect, corrected within 30 days | $14,522 to $72,596 |
| 4 | Willful neglect, not timely corrected | $72,596 minimum |
The annual maximum for identical violations is $2,134,831 per tier. And penalties stack. A late notification, a missing risk assessment, and an inadequate BAA can each constitute separate violations arising from a single incident.
In 2025, OCR closed 21 enforcement actions with financial penalties. Several specifically included breach notification failures. Syracuse ASC paid $250,000 after failing to timely notify 24,891 individuals and HHS following a ransomware attack. Cadia Healthcare settled for $182,000 in part for failing to send breach notifications after posting patient information publicly. Delaying notification, even if you ultimately send it within 60 days, can constitute an “unreasonable delay” and trigger enforcement. The regulation says “without unreasonable delay and in no case later than 60 days.” Those are two separate requirements.
State attorneys general can pursue separate penalties under state law. And class action plaintiffs’ attorneys monitor the HHS breach portal daily.
Step-by-Step Breach Notification Action Checklist
When you discover or suspect a breach, follow this sequence:
Immediate (Day 0 to Day 3)
- Contain the incident. Stop the unauthorized access or disclosure. Isolate affected systems if necessary.
- Activate your incident response team. This includes your privacy officer, security officer, legal counsel, and IT leadership. If you do not have a documented incident management plan, you are already behind.
- Document everything. Record the date and time of discovery, who discovered it, what happened, and what PHI may be involved. The discovery date starts your 60-day clock.
- Preserve evidence. Do not wipe, reformat, or “fix” affected systems before forensic review.
Investigation Phase (Day 3 to Day 30)
- Determine if the incident qualifies as a breach. Apply the three exceptions under 45 CFR 164.402.
- Conduct the four-factor risk assessment. Document each factor thoroughly. This is your primary evidence if OCR investigates.
- Determine the scope. Identify every individual whose PHI was affected. Count affected individuals per state for media notification thresholds.
- Check encryption status. Was the affected PHI encrypted to NIST standards? Was the key compromised? If the safe harbor applies, document it and stop here on notification (but still complete your internal investigation).
- Review your BAAs. If a business associate was involved, confirm they have notified you as required. The BA’s obligation is to inform the covered entity that the incident occurred — not to assist with the CE’s response or patient notification process.
Notification Phase (Day 15 to Day 55)
- Draft individual notification letters. Include all elements required by 45 CFR 164.404(c). Have legal counsel review.
- Check state requirements. Identify every state where affected individuals reside. Determine if any state law requires faster notification, additional content, or attorney general notice.
- Prepare media notification if more than 500 residents of any single state are affected.
- Submit the HHS breach report through the OCR breach portal if 500 or more individuals are affected.
- Send individual notifications by first-class mail or approved electronic means. Post substitute notice on your website if needed.
- Issue media notice to prominent outlets in affected states.
Post-Notification (Day 55+)
- Log smaller breaches (under 500 individuals) for annual reporting to HHS by March 1 of the following year.
- Conduct a post-incident review. What failed? What needs to change?
- Update your risk assessment. A breach is direct evidence that your prior risk analysis missed something.
- Revise policies and training. Address the root cause, not just the symptoms.
- Retain all documentation for at least six years, per HIPAA’s general retention requirements.
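The decision rules behind this checklist, as an added example that is not part of the original article: a small Python calculator that takes the discovery date, the affected count per state, the encryption status and the outcome of the exception/risk-assessment step, and returns which notices are due and by when. The state deadline table is a constructed placeholder seeded only with the California figure quoted above; the dataclass and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

FEDERAL_DAYS = 60              # 164.404(b): no later than 60 calendar days after discovery
MEDIA_STATE_THRESHOLD = 500    # 164.406: more than 500 residents of one state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500  # 164.408: 500 or more -> report to HHS with individual notices
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 164.404: 10+ bad addresses -> website or media substitute notice
# Constructed overlay of state individual-notice deadlines (days after discovery).
# Only California's 30-day figure comes from the article; add your own jurisdictions.
STATE_INDIVIDUAL_DAYS = {"CA": 30}

@dataclass
class Incident:
    discovered: str                   # ISO date when any workforce member knew or should have known
    affected_by_state: dict           # state code -> number of affected residents
    encrypted_to_standard: bool = False
    key_compromised: bool = False
    not_a_breach: bool = False        # a 164.402 exception applies, or the documented
                                      # four-factor assessment found a low probability of compromise
    bad_contact_info: int = 0         # individuals with insufficient or outdated contact details

def notification_plan(inc: Incident) -> dict:
    """Return the notification obligations and deadlines this incident triggers."""
    found = date.fromisoformat(inc.discovered)
    plan = {"notify": True, "reason": "", "individual_deadline": None,
            "media_states": [], "hhs_deadline": None, "substitute_notice": False}
    if inc.encrypted_to_standard and not inc.key_compromised:
        plan.update(notify=False, reason="encryption safe harbor: PHI was not unsecured")
        return plan
    if inc.not_a_breach:
        plan.update(notify=False, reason="exception or documented low-probability finding")
        return plan
    # Federal 60-day outer limit, tightened by the shortest applicable state deadline.
    deadline = found + timedelta(days=FEDERAL_DAYS)
    for state in inc.affected_by_state:
        if state in STATE_INDIVIDUAL_DAYS:
            deadline = min(deadline, found + timedelta(days=STATE_INDIVIDUAL_DAYS[state]))
    plan["individual_deadline"] = deadline.isoformat()
    plan["media_states"] = [s for s, n in inc.affected_by_state.items() if n > MEDIA_STATE_THRESHOLD]
    if sum(inc.affected_by_state.values()) >= HHS_IMMEDIATE_THRESHOLD:
        plan["hhs_deadline"] = (found + timedelta(days=FEDERAL_DAYS)).isoformat()
    else:  # log it; report within 60 days after the end of the calendar year of discovery
        plan["hhs_deadline"] = (date(found.year, 12, 31) + timedelta(days=60)).isoformat()
    plan["substitute_notice"] = inc.bad_contact_info >= SUBSTITUTE_NOTICE_THRESHOLD
    return plan
```

The annual-log deadline falls on March 1 in a non-leap year and February 29 in a leap year, because the rule counts 60 days from December 31 rather than naming a date.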
The Bottom Line
The breach notification rule is not where you want to learn about compliance gaps. The organizations that handle breaches well are the ones that prepared before the breach happened. They have a current risk assessment, an incident response plan that has been tested, BA agreements with enforceable notification timelines, and encryption deployed as a standard, not an afterthought.
If you are not sure where your organization stands, a HIPAA compliance assessment will surface the gaps before OCR does. For medical practices specifically, the requirements apply with the same force regardless of your size. A two-provider practice faces the same 60-day deadline as a health system with 50 hospitals.
The breach notification rule exists because patients have a right to know when their health information has been compromised. Meeting that obligation on time, completely, and accurately is not just a regulatory checkbox. It is the minimum standard of accountability your patients expect.