The breach notification rule is one of HIPAA's most demanding rules. When a breach of unsecured health data occurs, covered entities and business associates must act fast. Failing to meet notification rules adds penalties, legal liability, and lasting reputational damage.
This guide covers every part of HIPAA breach notification compliance. It walks through determining whether an incident is reportable, meeting timelines, and documenting your response. It also covers how federal and state rules interact.
Understanding the Breach Notification Rule
What Counts as a Breach
The HIPAA Breach Notification Rule is codified at 45 CFR §§ 164.400-414. It defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule. The incident must compromise the security or privacy of the PHI.
Not every security incident is a breach. The definition has key qualifications:
- The incident must involve PHI. Security events on systems without PHI do not trigger HIPAA notification rules.
- The access or sharing must violate the Privacy Rule. Authorized uses of PHI, even if they seem wrong, may not be breaches if they fall within allowed categories.
- The security or privacy of the PHI must be compromised. This requires a formal risk assessment to check whether the incident poses a meaningful risk to affected people.
Three Exceptions to the Breach Definition
The Breach Notification Rule has three narrow exceptions. In these cases, an impermissible use or disclosure of PHI does not count as a breach:
- Unintentional acquisition by a workforce member: Good-faith, unintentional acquisition, access, or use of PHI by a workforce member acting within the scope of their authority. The information must not be further used or disclosed in a manner not permitted by the Privacy Rule.
- Inadvertent disclosure between authorized persons: Inadvertent disclosure by one authorized person to another authorized person at the same covered entity or business associate. The information must not be further used or disclosed in a manner not permitted by the Privacy Rule.
- Good-faith belief of inability to retain: A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient could not reasonably have retained the information.
If none of these exceptions apply, the practice must perform a risk assessment to decide whether notification is required.
The Four-Factor Risk Assessment
When an impermissible use or disclosure of PHI occurs and no exception applies, the covered entity must perform a risk assessment. This assessment weighs four specific factors to determine whether the incident compromises the security or privacy of the PHI.
Factor 1: Nature and Extent of PHI Involved
Evaluate the types and sensitivity of PHI involved in the incident.
Consider:
- What specific data elements were exposed (names, diagnoses, Social Security numbers, financial information).
- Whether the PHI includes sensitive categories such as mental health, substance abuse, HIV/AIDS, or genetic information.
- The volume of records affected.
- Whether the PHI includes enough information to identify people directly.
More sensitive and more identifiable information raises the chance that the incident is a reportable breach.
Factor 2: The Unauthorized Person Who Used or Received the PHI
Identify who impermissibly accessed or received the PHI. Evaluate the risk tied to that person's access.
Consider:
- Whether the recipient is a covered entity or business associate with their own rules to protect PHI.
- Whether the recipient has a professional duty of data privacy (such as a physician at another practice).
- Whether the recipient is an unknown or malicious actor.
- Whether the recipient has shown any intent to misuse the information.
Disclosure to another covered entity carries lower risk than exposure to unknown threat actors.
Factor 3: Whether the PHI Was Actually Acquired or Viewed
Determine whether the PHI was actually accessed, viewed, or acquired. This differs from simply being exposed to the possibility of access.
Consider:
- Whether audit logs confirm that data was actually accessed or downloaded.
- Whether the exposure was theoretical (for example, a lost unencrypted laptop recovered with no sign of access).
- Whether forensic analysis can determine the extent of actual data access.
- The duration of the exposure period.
Evidence that PHI was not actually viewed reduces the risk. It does not eliminate it entirely.
Factor 4: Extent to Which the Risk Has Been Reduced
Evaluate the steps taken to reduce the risk of harm after the incident.
Consider:
- Whether the PHI was recovered before it could be further disclosed.
- Whether the recipient gave assurances that the information was destroyed and not retained.
- Whether the recipient can be trusted to honor destruction assurances.
- Whether tech measures are in place to prevent further access.
Effective mitigation can lower the overall risk determination. Practices should document all mitigation efforts thoroughly.
Making the Determination
After weighing all four factors, the practice must determine whether there is a low probability that the PHI has been compromised. If the practice cannot demonstrate a low probability of compromise, the incident is presumed to be a breach, and notification is required.
Important: The burden of proof rests with the practice. If you choose not to notify, you must document your risk assessment showing that notification is not required. OCR scrutinizes these decisions closely during investigations.
Notification Requirements and Timelines
The 60-Day Rule
Covered entities must provide breach notification without unreasonable delay and no later than 60 calendar days after discovering the breach. This is a firm deadline, not a target.
Key timing factors:
- Discovery date: A breach is considered discovered on the first day it is known to the covered entity, or the day it reasonably should have been known. This includes discovery by any employee, officer, or agent of the entity.
- Knowledge imputation: If an employee discovers a breach on Day 1 but does not report it until Day 15, the discovery date is still Day 1.
- Investigation period: The 60-day clock starts at discovery, not at the end of the investigation. Practices may begin notifications while the investigation continues.
Individual Notification
Every individual whose unsecured PHI has been, or is reasonably believed to have been, affected must be notified. This covers access, acquisition, use, or disclosure as a result of the breach.
Individual notification must include:
- A brief description of the breach, including the date of the breach and the date of discovery.
- A description of the types of unsecured PHI involved (such as name, Social Security number, date of birth, diagnosis).
- Steps the person should take to protect themselves from possible harm.
- A description of what the covered entity is doing to look into, reduce harm, and prevent further breaches.
- Contact information for the covered entity, including a toll-free number, email address, postal address, or website.
Delivery requirements:
- Written notice sent by first-class mail to the individual's last known address.
- If the individual has agreed to electronic notice, notice may be sent by email.
- If contact information is missing or out of date for 10 or more individuals, substitute notice must be provided, either by posting on the practice's website for 90 days or through major print or broadcast media.
- For urgent cases involving possible imminent misuse of PHI, practices may add telephone notice to written notice.
HHS Notification
All breaches must be reported to the Department of Health and Human Services (HHS) through its online breach portal.
For breaches affecting 500 or more individuals:
- Notice to HHS must be provided at the same time as individual notification, within 60 days of discovery.
- HHS publishes these breaches on its public Breach Portal (commonly known as the "Wall of Shame").
- OCR may open an investigation after notification.
For breaches affecting fewer than 500 individuals:
- Practices may keep a log of smaller breaches and submit them to HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered.
Media Notification
For breaches affecting 500 or more residents of a single state or jurisdiction, the covered entity must notify prominent media outlets serving that area.
Media notification requirements:
- Must be provided without unreasonable delay and no later than 60 days after discovery.
- Must include the same content elements required for individual notification.
- Should be sent as press releases to major media outlets in the affected area.
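The timing and threshold rules above (discovery date with knowledge imputation, the 60-day window, the 500-individual HHS and per-state media thresholds, the annual log for smaller breaches, and substitute notice for 10 or more bad addresses) are easy to get wrong when computed by hand under pressure. The following added example, which is not part of this guide or any regulator's tooling, encodes only the federal rules as stated here; the Incident and Obligations structures and the sample data are constructed for illustration, and state-law timelines are deliberately not modeled.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rule parameters as stated in this guide (federal HIPAA only; state timelines are not modeled).
NOTICE_WINDOW = timedelta(days=60)   # no later than 60 calendar days after discovery
LARGE_BREACH = 500                   # HHS concurrent-report and per-state media thresholds
SUBSTITUTE_NOTICE_MIN = 10           # 10+ bad addresses trigger substitute notice

@dataclass
class Incident:
    known_dates: list        # each date a workforce member first learned of the incident (constructed input)
    affected_by_state: dict  # state -> number of affected residents
    bad_addresses: int = 0   # individuals whose contact information is missing or out of date

@dataclass
class Obligations:
    discovery: date
    individual_deadline: date   # media notice, where required, shares this deadline
    hhs_deadline: date
    hhs_mode: str               # "concurrent" (500+) or "annual_log" (<500)
    media_states: list          # states with 500+ affected residents
    substitute_notice: bool

def discovery_date(known_dates):
    # Knowledge imputation: discovery is the first day any employee, officer or agent knew,
    # not the day the incident was escalated to the compliance team.
    return min(known_dates)

def annual_log_deadline(discovered):
    # Smaller breaches go on the annual log, due 60 days after the end of the discovery year.
    return date(discovered.year, 12, 31) + NOTICE_WINDOW

def compute_obligations(inc):
    discovered = discovery_date(inc.known_dates)
    individual_deadline = discovered + NOTICE_WINDOW
    total = sum(inc.affected_by_state.values())
    if total >= LARGE_BREACH:
        hhs_deadline, mode = individual_deadline, "concurrent"
    else:
        hhs_deadline, mode = annual_log_deadline(discovered), "annual_log"
    media = sorted(s for s, n in inc.affected_by_state.items() if n >= LARGE_BREACH)
    return Obligations(discovered, individual_deadline, hhs_deadline, mode, media,
                       inc.bad_addresses >= SUBSTITUTE_NOTICE_MIN)

if __name__ == "__main__":
    # Constructed sample: a technician saw the exposure on March 1 but reported it on March 15.
    sample = Incident([date(2024, 3, 15), date(2024, 3, 1)], {"TX": 620, "OK": 40}, bad_addresses=12)
    print(compute_obligations(sample))
```

The sample shows the knowledge-imputation trap: the clock runs from March 1, so the reporting delay has already consumed two weeks of the window before the compliance team hears of it.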
Business Associate Duties
Business associates that discover a breach of unsecured PHI must notify the covered entity without unreasonable delay, and no later than 60 days after discovery.
Business associate notice must include:
- Identification of each individual whose PHI has been, or is reasonably believed to have been, affected.
- Any other available information that the covered entity needs to include in its notifications.
The covered entity remains responsible for notifying individuals, HHS, and media outlets. The BAA may assign these tasks differently, but the covered entity retains ultimate accountability.
Documentation Requirements
What to Document
Thorough documentation is essential during OCR investigations. It also helps defend against possible legal claims. Practices should keep full records of all breach-related actions.
Required documentation includes:
- Risk assessment: The complete four-factor risk assessment, including all evidence, analysis, and the rationale for the final determination.
- Notification records: Copies of all notification letters, proof of mailing, email delivery confirmations, and evidence of substitute notice.
- Timeline: A detailed chronology of discovery, investigation, risk assessment, notification, and remediation.
- Investigation findings: Forensic analysis reports, root cause determination, and scope of data exposure.
- Risk reduction actions: All steps taken to contain the breach, reduce harm, and prevent recurrence.
- Training records: Evidence that workforce members involved in the response were properly trained.
Retention Requirements
HIPAA requires breach notification documentation to be kept for a minimum of six years from the date of creation or the date when the record was last in effect, whichever is later. Practices should keep records longer if litigation is pending or reasonably expected.
Creating a Breach Log
Keep a central breach log that tracks all possible and confirmed breaches. This log should include:
- Incident date and discovery date.
- Description of the incident.
- Number of people affected.
- Types of PHI involved.
- Risk assessment outcome (breach vs. non-breach decision).
- Notification dates (individual, HHS, media).
- Remediation actions taken.
- Status (open, closed, monitoring).
This log serves as the master record for annual HHS reporting of smaller breaches. It also gives a full view of the practice's breach history.
State Law Interaction
Navigating Dual Requirements
HIPAA sets a federal floor for breach notification. Most states have also passed their own breach notification laws with extra or different rules. Healthcare practices must comply with both HIPAA and relevant state laws.
Common areas where state laws differ from HIPAA:
- Notification timelines: Several states require notice in as few as 30 days, much shorter than HIPAA's 60-day window.
- Definition of personal information: State laws may protect categories beyond what HIPAA considers PHI, such as biometric data, login credentials, or student records.
- Attorney general notice: Many states require notice to the state attorney general in addition to HHS.
- Content rules: Some states require specific content in notification letters, credit monitoring offers, or identity theft prevention services.
- Private right of action: Some states allow people to sue directly for notice failures, creating legal risk beyond HIPAA enforcement.
Practical Compliance Approach
Given the complexity of overlapping rules, practices should:
- Map relevant state laws for every state where affected people live, not just where the practice is located.
- Default to the most restrictive rule when federal and state timelines, content rules, or notice recipients differ.
- Engage legal counsel experienced in both HIPAA and state breach notification law during every breach response.
- Build flexibility into notice templates to handle varying state rules without creating separate notices for each jurisdiction.
- Monitor legislative changes because state breach notification laws change often and new states keep enacting or strengthening their rules.
Building Your Breach Notification Program
Pre-Breach Preparation
Prepare for breach notification before a breach occurs. Practices that invest in preparation respond faster, more accurately, and with less disruption.
Essential preparation steps:
- Develop and keep an incident response plan that includes detailed breach notification steps. See our healthcare data breach prevention guide for full planning guidance.
- Create notice templates pre-approved by legal counsel that can be quickly customized for specific incidents.
- Identify notice resources including mailing vendors, call center providers, and credit monitoring services that can be activated quickly.
- Establish relationships with forensic investigators, outside counsel, and public relations firms before you need them.
- Train your team on breach identification and reporting so incidents are recognized and escalated promptly.
- Conduct tabletop exercises that walk through breach notification scenarios to test timelines, decisions, and communication steps.
During a Breach
When a breach is discovered, execute your plan with care. Keep detailed documentation throughout.
- Activate your incident response team and begin the assessment right away.
- Contain the breach to prevent further unapproved access or sharing.
- Preserve evidence for forensic analysis and possible legal proceedings.
- Conduct the four-factor risk assessment to determine notification duties.
- Engage legal counsel to guide notice decisions and regulatory interactions.
- Prepare notification materials including individual letters, the HHS submission, and media statements.
- Deliver notices within required timelines, documenting delivery for every person.
- Activate support services such as call centers and credit monitoring for affected people.
- Cooperate with regulators if OCR opens an investigation after notification.
- Conduct a post-incident review and update your program based on lessons learned.
Breach Notification FAQ
Does encryption prevent the need for breach notification?
If PHI is encrypted using methods consistent with NIST guidance and the encryption key has not been compromised, the data is considered "secured" under the Breach Notification Rule. Secured PHI that is lost, stolen, or improperly accessed does not trigger notification requirements. This is why encryption is one of the most effective risk reduction measures for HIPAA compliance.
What happens if an entity misses the 60-day notification deadline?
Missing the deadline is itself a HIPAA violation and can result in major penalties. OCR considers the duration of the delay, the reason for the delay, and whether the practice acted in good faith. Penalties for late notification can range from thousands to millions of dollars depending on the number of individuals affected.
Can an entity notify people before completing its assessment?
Yes, and in many cases practices should begin notice before the assessment is complete. The 60-day clock starts at discovery, not at the end of the assessment. Practices may provide initial notice with available information and add details as the assessment continues.
Who handles notice when a business associate causes a breach?
The covered entity is ultimately responsible for notifying individuals, HHS, and media outlets. The business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery. BAAs may assign specific notification tasks differently, but the covered entity retains ultimate accountability.
Are there penalties for failing to conduct a risk assessment after a possible breach?
Yes. OCR expects practices to perform and document the four-factor risk assessment for every impermissible use or disclosure of PHI. Failing to perform a risk assessment, or performing an inadequate one, can result in penalties independent of any underlying breach. OCR has specifically cited inadequate risk assessments in multiple enforcement actions, especially when practices wrongly determined that notification was not required.
Breach Notification Takeaways
The HIPAA Breach Notification Rule demands preparation, precision, and speed. Practices that invest in pre-breach planning and train their team to identify and report incidents promptly are best positioned to meet their duties. Having the systems in place for rapid notice minimizes harm to affected people and to the practice itself.
Breach notification is not merely a regulatory checkbox. It shows your practice's commitment to transparency, accountability, and patient trust. When handled well, even a serious breach can be managed in a way that preserves credibility and satisfies regulatory requirements.
One Guy Consulting provides end-to-end breach notification compliance support. We help with developing incident response plans and notice templates, and we guide practices through active breach responses. Our team understands both the regulatory rules and the real-world realities of healthcare breach management. Get HIPAA compliance help to ensure your practice is prepared to meet its notification duties when it matters most.