The Breach Notification Rule is one of HIPAA's most demanding requirements. When a breach of unsecured protected health information (PHI) occurs, covered entities and business associates must act quickly. Failing to meet the notification requirements adds penalties, legal liability, and lasting reputational damage on top of the breach itself.
This guide covers every part of HIPAA Breach Notification Rule compliance. It walks through determining whether an incident is reportable, meeting the notification timelines, and documenting your response. It also covers how federal and state requirements interact.
Understanding the Breach Notification Rule
What Counts as a Breach
The HIPAA Breach Notification Rule is codified at 45 CFR 164.400-414. It defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
Not every security incident is a breach. The definition has key qualifications:
- The incident must involve PHI. Security events on systems that hold no PHI do not trigger HIPAA notification requirements.
- The access or disclosure must violate the Privacy Rule. Authorized uses of PHI, even ones that seem questionable, are not breaches if they fall within a permitted category.
- The security or privacy of the PHI must be compromised. This is decided through a documented risk assessment of whether the incident poses a meaningful risk to the affected individuals.
Three Exceptions to the Breach Definition
The Breach Notification Rule has three narrow exceptions. In these cases, an impermissible use or disclosure of PHI does not count as a breach:
1. Unintentional acquisition by a workforce member: Good-faith, unintentional acquisition, access, or use of PHI by a workforce member acting within the scope of their authority, provided the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
2. Inadvertent disclosure between authorized persons: Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity or business associate, provided the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
3. Good-faith belief of inability to retain: A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
If none of these exceptions applies, the practice must conduct a risk assessment to decide whether notification is required.
The Four-Factor Risk Assessment
When an impermissible use or disclosure of PHI occurs and no exception applies, the covered entity must conduct a risk assessment. This assessment weighs four specific factors to determine whether the incident compromises the security or privacy of the PHI.
Factor 1: Nature and Extent of the PHI Involved
Evaluate the types and sensitivity of the PHI involved in the incident.
Consider:
- What specific data elements were exposed (names, diagnoses, Social Security numbers, financial information).
- Whether the PHI includes sensitive categories such as mental health, substance abuse, HIV/AIDS, or genetic information.
- The volume of records affected.
- Whether the PHI includes enough information to identify individuals directly.
More sensitive and more identifiable information raises the likelihood that the incident is a reportable breach.
Factor 2: The Unauthorized Person Who Used or Received the PHI
Identify who impermissibly accessed or received the PHI and evaluate the risk associated with that person's access.
Consider:
- Whether the recipient is a covered entity or business associate with its own obligations to protect PHI.
- Whether the recipient has a professional duty of confidentiality (such as a physician at another practice).
- Whether the recipient is an unknown or malicious actor.
- Whether the recipient has shown any intent to misuse the information.
Disclosure to another covered entity carries lower risk than exposure to an unknown threat actor.
Factor 3: Whether the PHI Was Actually Acquired or Viewed
Determine whether the PHI was actually accessed, viewed, or acquired, as opposed to merely being exposed to the possibility of access.
Consider:
- Whether audit logs confirm that data was actually accessed or downloaded (and whether logging was enabled and retained for the whole exposure period; absent logs cannot prove absent access).
- Whether the exposure was theoretical (for example, a lost unencrypted laptop recovered with no sign of access).
- Whether forensic analysis can determine the extent of actual data access.
- The duration of the exposure period.
Evidence that the PHI was not actually viewed reduces the risk; it does not eliminate it.
Factor 4: Extent to Which the Risk Has Been Mitigated
Evaluate the steps taken to mitigate the risk of harm after the incident.
Consider:
- Whether the PHI was recovered before it could be further disclosed.
- Whether the recipient gave assurances that the information was destroyed and not retained.
- Whether the recipient can be trusted to honor those destruction assurances.
- Whether technical measures are in place to prevent further access.
Effective mitigation can lower the overall risk determination. Practices should document all mitigation efforts thoroughly.
Making the Determination
After weighing all four factors, the practice must determine whether there is a low probability that the PHI has been compromised. If the practice cannot demonstrate a low probability of compromise, the incident is presumed to be a breach and notification is required.
Important: The burden of proof rests with the practice. If you choose not to notify, you must document a risk assessment showing that notification is not required. OCR scrutinizes these determinations closely during investigations.
Notification Requirements and Timelines
The 60-Day Rule
Covered entities must provide breach notification without unreasonable delay and in no case later than 60 calendar days after discovering the breach. The 60 days are an outer limit, not a target.
Key timing factors:
- Discovery date: A breach is treated as discovered on the first day it is known to the covered entity, or the first day it reasonably should have been known. This includes knowledge held by any employee, officer, or agent of the entity.
- Knowledge imputation: If an employee discovers a breach on Day 1 but does not report it internally until Day 15, the discovery date is still Day 1.
- Investigation period: The 60-day clock starts at discovery, not at the end of the investigation. Practices may begin notifications while the investigation continues.
Individual Notification
Every individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach must be notified.
Individual notification must include:
- A brief description of the breach, including the date of the breach and the date of discovery.
- A description of the types of unsecured PHI involved (such as name, Social Security number, date of birth, diagnosis).
- Steps the individual should take to protect themselves from potential harm.
- A description of what the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches.
- Contact information for the covered entity, including a toll-free number, email address, postal address, or website.
Delivery requirements:
- Written notice sent by first-class mail to the individual's last known address.
- If the individual has agreed to receive electronic notices, notification may be sent by email.
- If contact information is missing or out of date for 10 or more individuals, substitute notice must be provided through a conspicuous posting on the practice's website for 90 days or through major print or broadcast media.
- In urgent cases involving possible imminent misuse of PHI, practices may add telephone notice alongside the written notice.
HHS Notification
All breaches must be reported to the Department of Health and Human Services (HHS) through its online breach reporting portal.
For breaches affecting 500 or more individuals:
- Notification to HHS must be made at the same time as individual notification, within 60 days of discovery.
- HHS publishes these breaches on its public Breach Portal (commonly known as the "Wall of Shame").
- OCR may open an investigation after notification.
For breaches affecting fewer than 500 individuals:
- Practices may maintain a log of these smaller breaches and submit it to HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered.
Media Notification
For breaches affecting 500 or more residents of a single state or jurisdiction, the covered entity must notify prominent media outlets serving that area.
Media notification requirements:
- Must be provided without unreasonable delay and no later than 60 days after discovery.
- Must include the same content elements required for individual notification.
- Should be sent as press releases to major media outlets in the affected area.
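As an added example that is not part of the original guide, the following Python sketch turns the timing and threshold rules above into a schedule generator: discovery by knowledge imputation, the 60-day individual deadline, concurrent versus annual HHS reporting at the 500-individual threshold, per-state media notice, and the 10-person substitute-notice trigger. The facts in the two example functions are constructed, the thresholds are the figures as this guide states them, and the dates produced are outer limits (notice is still due without unreasonable delay).

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60           # outer limit; notice is still due "without unreasonable delay"
LARGE_BREACH_THRESHOLD = 500      # concurrent HHS notice; media notice per state at this count
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10+ unreachable individuals -> website or media substitute notice

@dataclass
class BreachFacts:
    knowledge_dates: list          # days on which any employee/agent knew or should have known
    affected_by_state: dict        # state code -> number of affected residents
    unreachable_individuals: int = 0
    secured_by_encryption: bool = False  # NIST-consistent encryption, key not compromised

def discovery_date(facts):
    # Knowledge imputation: discovery is the earliest day any workforce member knew,
    # not the day the incident finally reached the privacy officer.
    return min(facts.knowledge_dates)

def notification_plan(facts):
    """Work out which notices the rule requires and their outer deadlines."""
    if facts.secured_by_encryption:
        return {"required": False, "reason": "secured PHI is outside the rule"}
    discovered = discovery_date(facts)
    deadline = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    total = sum(facts.affected_by_state.values())
    plan = {"required": True, "discovered": discovered, "individual_notice_by": deadline,
            "substitute_notice": facts.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD}
    if total >= LARGE_BREACH_THRESHOLD:
        plan["hhs_notice_by"] = deadline  # reported at the same time as individual notice
    else:
        # Smaller breaches go on the annual log, due 60 days after the calendar year ends
        plan["hhs_notice_by"] = date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)
    plan["media_notice_states"] = sorted(
        s for s, n in facts.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD)
    return plan

def large_breach_example():
    # Constructed facts: a misdirected export noticed by a staff member on 1 March and
    # escalated to the privacy officer on 15 March; 620 Texas and 40 Oklahoma residents.
    return notification_plan(BreachFacts([date(2024, 3, 15), date(2024, 3, 1)],
                                         {"TX": 620, "OK": 40}, unreachable_individuals=12))

def small_breach_example():
    # Constructed facts: 30 residents of one state, all reachable by mail.
    return notification_plan(BreachFacts([date(2024, 7, 10)], {"CA": 30}))
```

The large example shows the imputation rule in action: the 60-day clock runs from 1 March, not from the 15 March escalation.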
Business Associate Obligations
A business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 days after discovery.
Business associate notification must include:
- The identification of each individual whose PHI has been, or is reasonably believed to have been, affected.
- Any other available information that the covered entity needs to include in its notifications.
The covered entity remains responsible for notifying individuals, HHS, and the media. The business associate agreement (BAA) may allocate these tasks differently, but the covered entity retains ultimate accountability.
Documentation Requirements
What to Document
Thorough documentation is essential during OCR investigations and helps defend against potential legal claims. Practices should keep complete records of all breach-related actions.
Required documentation includes:
- Risk assessment: The complete four-factor risk assessment, including all evidence, analysis, and the rationale for the final determination.
- Notification records: Copies of all notification letters, proof of mailing, email delivery confirmations, and evidence of substitute notice.
- Timeline: A detailed chronology of discovery, investigation, risk assessment, notification, and remediation.
- Investigation findings: Forensic analysis reports, root cause determination, and the scope of data exposure.
- Mitigation actions: All steps taken to contain the breach, mitigate harm, and prevent recurrence.
- Training records: Evidence that workforce members involved in the response were properly trained.
Retention Requirements
HIPAA requires breach notification documentation to be retained for a minimum of six years from the date of its creation or the date it was last in effect, whichever is later. Practices should retain records longer if litigation is pending or reasonably anticipated.
Creating a Breach Log
Maintain a central breach log that tracks all potential and confirmed breaches. The log should include:
- Incident date and discovery date.
- Description of the incident.
- Number of individuals affected.
- Types of PHI involved.
- Risk assessment outcome (breach vs. non-breach determination).
- Notification dates (individual, HHS, media).
- Remediation actions taken.
- Status (open, closed, under monitoring).
This log serves as the master record for the annual HHS report of smaller breaches. It also gives a complete view of the practice's breach history.
State Law Interaction
Navigating Dual Requirements
HIPAA sets a federal floor for breach notification. Most states have also enacted their own breach notification laws with additional or different requirements. Healthcare practices must comply with both HIPAA and the relevant state laws.
Common areas where state laws differ from HIPAA:
- Notification timelines: Several states require notification in as few as 30 days, much shorter than HIPAA's 60-day window.
- Definition of personal information: State laws may protect categories beyond what HIPAA treats as PHI, such as biometric data, login credentials, or student records.
- Attorney general notification: Many states require notification to the state attorney general in addition to HHS.
- Content requirements: Some states require specific content in notification letters, credit monitoring offers, or identity theft protection services.
- Private right of action: Some states allow individuals to sue directly for notification failures, creating legal exposure beyond HIPAA enforcement.
Practical Compliance Approach
Given the complexity of overlapping requirements, practices should:
- Map the relevant state laws for every state where affected individuals live, not just where the practice is located.
- Default to the most restrictive requirement when federal and state timelines, content rules, or notification recipients differ.
- Engage legal counsel experienced in both HIPAA and state breach notification law during every breach response.
- Build flexibility into notification templates to handle varying state requirements without creating separate notices for each jurisdiction.
- Monitor legislative changes, because state breach notification laws change frequently and states keep enacting or strengthening their requirements.
Building Your Breach Notification Program
Pre-Breach Preparation
Prepare for breach notification before a breach occurs. Practices that invest in preparation respond faster, more accurately, and with less disruption.
Essential preparation steps:
- Develop and maintain an incident response plan that includes detailed breach notification procedures. See our healthcare data breach prevention guide for full planning guidance.
- Create notification templates pre-approved by legal counsel that can be quickly customized for specific incidents.
- Identify notification resources, including mailing vendors, call center providers, and credit monitoring services, that can be activated quickly.
- Establish relationships with forensic investigators, outside counsel, and public relations firms before you need them.
- Train your workforce on breach identification and reporting so incidents are recognized and escalated promptly.
- Conduct tabletop exercises that walk through breach notification scenarios to test timelines, decisions, and communication procedures.
During a Breach
When a breach is discovered, execute your plan methodically and document everything as you go.
- Activate your incident response team and begin the investigation immediately.
- Contain the breach to prevent further unauthorized access or disclosure.
- Preserve evidence for forensic analysis and possible legal proceedings.
- Conduct the four-factor risk assessment to determine notification obligations.
- Engage legal counsel to guide notification decisions and regulatory interactions.
- Prepare notification materials, including individual letters, the HHS submission, and media statements.
- Deliver notifications within the required timelines, documenting delivery for every individual.
- Activate support services such as call centers and credit monitoring for affected individuals.
- Cooperate with regulators if OCR opens an investigation after notification.
- Conduct a post-incident review and update your program based on lessons learned.
Breach Notification FAQ
Does encryption eliminate the need for breach notification?
If PHI is encrypted using methods consistent with NIST guidance and the encryption key has not been compromised, the data is considered "secured" under the Breach Notification Rule. Secured PHI that is lost, stolen, or improperly accessed does not trigger notification requirements. This is why encryption is one of the most effective mitigation measures for HIPAA compliance. Because the burden of proof rests with the practice, be prepared to document that encryption was actually enabled on the affected device or system and that the key was not exposed alongside the data.
What happens if an organization misses the 60-day notification deadline?
Missing the deadline is itself a HIPAA violation and can result in significant penalties. OCR considers the length of the delay, the reason for it, and whether the practice acted in good faith. Penalties for late notification can range from thousands to millions of dollars depending on the number of individuals affected.
Can an organization notify individuals before completing its investigation?
Yes, and in many cases practices should begin notification before the investigation is complete. The 60-day clock starts at discovery, not at the end of the investigation. Practices may provide initial notification with the information available and supplement it as the investigation continues.
Who handles notification when a business associate causes a breach?
The covered entity is ultimately responsible for notifying individuals, HHS, and the media. The business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery. BAAs may allocate specific notification tasks differently, but the covered entity retains ultimate accountability.
Are there penalties for failing to conduct a risk assessment after a potential breach?
Yes. OCR expects practices to conduct and document the four-factor risk assessment for every impermissible use or disclosure of PHI. Failing to conduct a risk assessment, or conducting an inadequate one, can result in penalties independent of any underlying breach. OCR has specifically cited inadequate risk assessments in multiple enforcement actions, particularly where practices wrongly determined that notification was not required.
Breach Notification Takeaways
The HIPAA Breach Notification Rule demands preparation, precision, and speed. Practices that invest in pre-breach planning and train their workforce to identify and report incidents promptly are best positioned to meet their obligations. Having systems in place for rapid notification minimizes harm to affected individuals and to the practice itself.
Breach notification is not merely a regulatory checkbox. It demonstrates your practice's commitment to transparency, accountability, and patient trust. Handled well, even a serious breach can be managed in a way that preserves credibility and satisfies regulatory requirements.
One Guy Consulting provides end-to-end breach notification compliance support. We help develop incident response plans and notification templates, and we guide practices through active breach responses. Our team understands both the regulatory requirements and the real-world realities of healthcare breach management. Get HIPAA compliance help to ensure your practice is prepared to meet its notification obligations when it matters most.