The breach notification rule is one of HIPAA's most demanding rules. When a breach of unsecured health data occurs, covered entities and business associates must act fast. Failing to meet notification rules adds penalties, legal liability, and lasting reputational damage.
This guide covers every part of HIPAA breach notification compliance. It walks through determining whether an incident is reportable, meeting timelines, and documenting your response. It also covers how federal and state rules interact.
Understanding the Breach Notification Rule
What Counts as a Breach
The HIPAA Breach Notification Rule is codified at 45 CFR §§ 164.400-414. It defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. Only unsecured PHI is in scope: PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance is "secured," and its loss does not trigger notification, provided the decryption key was not also compromised.
Not every security incident is a breach. The definition has key qualifications:
- The incident must involve PHI. Security events on systems without PHI do not trigger HIPAA notification rules.
- The access or sharing must violate the Privacy Rule. Authorized uses of PHI, even if they seem wrong, may not be breaches if they fall within allowed categories.
- The security or privacy of the PHI must be compromised. Under the rule, compromise is presumed: the incident is treated as a breach unless a documented risk assessment shows a low probability that the PHI has been compromised.
Three Exceptions to the Breach Definition
The Breach Notification Rule has three narrow exceptions. In these cases, an impermissible use or disclosure of PHI does not count as a breach:
- Unintentional acquisition by a workforce member: Good-faith, unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate, made within the scope of that authority. The information must not be further used or disclosed in a manner not permitted by the Privacy Rule.
- Inadvertent disclosure between authorized persons: Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement. Again, the information must not be further used or disclosed impermissibly.
- Good-faith belief of inability to retain: A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, a misdirected mailing returned unopened).
If none of these exceptions applies, the practice must perform a risk assessment to decide whether notification is needed.
The Four-Factor Risk Assessment
When an impermissible use or disclosure of PHI occurs and no exception applies, the covered entity must perform a risk assessment. This assessment weighs at least four specific factors to determine whether there is a low probability that the PHI has been compromised.
Factor 1: Nature and Extent of PHI Involved
Evaluate the types and sensitivity of PHI involved in the incident.
Consider:
- What specific data elements were exposed (names, diagnoses, Social Security numbers, financial information).
- Whether the PHI includes sensitive categories such as mental health, substance abuse, HIV/AIDS, or genetic information.
- The volume of records affected.
- Whether the PHI includes enough information to identify people directly.
More sensitive and more identifiable information raises the chance that the incident is a reportable breach.
Factor 2: The Unauthorized Person Who Used or Received the PHI
Identify who impermissibly accessed or received the PHI. Evaluate the risk tied to that person's access.
Consider:
- Whether the recipient is a covered entity or business associate with their own rules to protect PHI.
- Whether the recipient has a professional duty of data privacy (such as a physician at another practice).
- Whether the recipient is an unknown or malicious actor.
- Whether the recipient has shown any intent to misuse the information.
Disclosure to another covered entity or business associate typically carries lower risk than exposure to an unknown threat actor.
Factor 3: Whether the PHI Was Actually Acquired or Viewed
Determine whether the PHI was actually accessed, viewed, or acquired. This differs from simply being exposed to the possibility of access.
Consider:
- Whether audit logs confirm that data was actually accessed or downloaded.
- Whether the exposure was theoretical (for example, a lost unencrypted laptop recovered with no sign of access).
- Whether forensic analysis can determine the extent of actual data access.
- The duration of the exposure period.
Evidence that PHI was not actually viewed reduces the risk. It does not eliminate it entirely.
Factor 4: Extent to Which the Risk Has Been Reduced
Evaluate the steps taken to reduce the risk of harm after the incident.
Consider:
- Whether the PHI was recovered before it could be further disclosed.
- Whether the recipient gave assurances that the information was destroyed and not retained.
- Whether the recipient can be trusted to honor destruction assurances.
- Whether technical measures are in place to prevent further access.
Effective mitigation can lower the overall risk determination. Record all mitigation efforts thoroughly, including any written destruction attestation obtained from the recipient.
Making the Decision
After weighing all four factors, the practice must determine whether there is a low probability that the PHI has been compromised. If it cannot demonstrate a low probability of compromise, the incident is a breach and notification is required.
Important: The burden of proof rests with the practice. If you choose not to notify, you must retain the written risk assessment showing why notification was not required; the rule requires documentation sufficient to demonstrate either that all required notifications were made or that the incident was not a breach. OCR reviews these decisions closely during investigations.
Notification Rules and Timelines
The 60-Day Rule
Covered entities must provide breach notification without unreasonable delay and in no case later than 60 calendar days after discovering the breach. The 60 days is an outer limit, not a target: waiting until day 60 without a documented reason can itself be an unreasonable delay.
Key timing factors:
- Discovery date: A breach is treated as discovered on the first day it is known to the covered entity, or, with reasonable diligence, would have been known. Knowledge of any workforce member or agent counts, other than the person who committed the breach.
- Knowledge imputation: If an employee discovers a breach on Day 1 but does not report it until Day 15, the discovery date is still Day 1, and 14 of the 60 days are already gone.
- Investigation period: The 60-day clock starts at discovery, not at the end of the investigation. Practices may, and often should, begin notices while the investigation continues, sending supplemental notices as the scope becomes clearer.
Individual Notification
Every person whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach must be notified.
Individual notification must include:
- A brief description of the breach, including the date of the breach and the date of discovery.
- A description of the types of unsecured PHI involved (such as name, Social Security number, date of birth, diagnosis).
- Steps the person should take to protect themselves from possible harm.
- A description of what the covered entity is doing to look into, reduce harm, and prevent further breaches.
- Contact information for the covered entity, including a toll-free number, email address, postal address, or website.
Delivery rules:
- Written notice sent by first-class mail to the person's last known address (or to the next of kin or personal representative when the person is deceased and that contact is known).
- If the person agreed to electronic notice, notice may be sent by email.
- If contact information is insufficient or out of date for fewer than 10 people, substitute notice may be given by an alternative written notice, telephone, or other means. For 10 or more people, substitute notice must be a conspicuous posting on the practice's website home page for 90 days or a conspicuous notice in major print or broadcast media serving the area, and it must include a toll-free number that stays active for at least 90 days.
- For urgent cases involving possible misuse of PHI, practices may add telephone notice to written notice.
HHS Notification
All breaches must be reported to the Department of Health and Human Services (HHS) through its online breach portal.
For breaches affecting 500 or more people:
- Notice to HHS must be submitted contemporaneously with individual notification, and in any case within 60 days of discovery.
- HHS publishes these breaches on its public Breach Portal (commonly known as the "Wall of Shame").
- OCR may open an investigation after notice.
For breaches affecting fewer than 500 people:
- Practices may keep a log of smaller breaches and submit them to HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered (March 1, or February 29 when the following year is a leap year).
Media Notification
For breaches affecting more than 500 residents of a single state or jurisdiction, the covered entity must notify prominent media outlets serving that area. Note that the thresholds differ: media notice is triggered by more than 500 residents of one state, while immediate HHS notice is triggered by 500 or more individuals in total.
Media notification rules:
- Must be provided without unreasonable delay and no later than 60 days after discovery.
- Must include the same content elements required for individual notification.
- Should be sent as press releases to major media outlets in the affected area.
Business Associate duties
Business associates that discover a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Two caveats matter in practice: most BAAs shorten this contractual window considerably, often to a few days, and if the business associate acts as the covered entity's agent under the federal common law of agency, the business associate's discovery is imputed to the covered entity, so the covered entity's own 60-day clock starts on the day the business associate discovered the breach.
Business associate notice must include:
- Identification of each person whose PHI has been or is reasonably believed to have been affected.
- Any other available information that the covered entity needs to include in its notices.
The covered entity remains responsible for notifying individuals, HHS, and media outlets. The BAA may delegate these tasks to the business associate, but the covered entity retains ultimate legal responsibility.
Documentation Rules
What to Document
Thorough documentation is essential during OCR investigations. It also helps defend against possible legal claims. Practices should keep full records of all breach-related actions.
Required documentation includes:
- Risk assessment: The complete four-factor risk assessment, including all evidence, analysis, and the rationale for the final decision.
- notification records: Copies of all notification letters, proof of mailing, email delivery confirmations, and evidence of substitute notice.
- Timeline: A detailed chronology of discovery, investigation, risk assessment, notification, and remediation.
- Investigation findings: Forensic analysis reports, root cause determination, and scope of data exposure.
- Risk reduction actions: All steps taken to contain the breach, reduce harm, and prevent recurrence.
- Training records: Evidence that workforce members involved in the response were properly trained.
Retention Rules
HIPAA requires breach notification documentation to be kept for a minimum of six years from the date of creation or the date when the record was last in effect, whichever is later. Practices should keep records longer if litigation is pending or reasonably expected.
Creating a Breach Log
Keep a central breach log that tracks all potential and confirmed breaches. This log should include:
- Incident date and discovery date.
- Description of the incident.
- Number of people affected.
- Types of PHI involved.
- Risk assessment outcome (breach vs. non-breach decision).
- Notification dates (individuals, HHS, media).
- Remediation actions taken.
- Status (open, closed, monitoring).
This log serves as the master record for annual HHS reporting of smaller breaches. It also gives a full view of the practice's breach history.
State Law Interaction
Navigating Dual rules
HIPAA sets a federal floor for breach notification. Every state, plus the District of Columbia and several territories, has its own breach notification law with extra or different rules, and HIPAA does not preempt state provisions that are more protective. Healthcare practices must comply with both HIPAA and every applicable state law.
Common areas where state laws differ from HIPAA:
- Notice timelines: Many states cap notification at 30 days, and some healthcare-specific rules are shorter still, well inside HIPAA's 60-day window.
- Definition of personal information: State laws may protect categories beyond what HIPAA considers PHI, such as biometric data, login credentials, or student records.
- Attorney general notice: Many states require notice to the state attorney general in addition to HHS. See our state privacy laws vs HIPAA guide for a state-by-state breakdown.
- Content rules: Some states require specific content in notification letters, credit monitoring offers, or identity theft prevention services.
- Private right of action: Some states allow people to sue directly for notice failures, creating legal risk beyond HIPAA enforcement.
Practical Compliance Approach
Given the complexity of overlapping rules, practices should:
- Map relevant state privacy laws for every state where affected people live, not just where the practice is located.
- Default to the most restrictive rule when federal and state timelines, content rules, or notice recipients differ.
- Engage legal counsel experienced in both HIPAA and state breach notification law during every breach response.
- Build flexibility into notice templates to handle varying state rules without creating separate notices for each jurisdiction.
- Monitor legislative changes because state breach notification laws change often and new states keep enacting or strengthening their rules.
Building Your Breach Notification Program
Pre-Breach Preparation
Prepare for breach notification before a breach occurs. Practices that invest in preparation respond faster, more accurately, and with less disruption.
Essential preparation steps:
- Develop and keep an incident response plan that includes detailed breach notification steps. See our healthcare data breach prevention guide for full planning guidance.
- Create notice templates pre-approved by legal counsel that can be quickly customized for specific incidents.
- Identify notice resources including mailing vendors, call center providers, and credit monitoring services that can be activated quickly.
- set up relationships with forensic investigators, outside counsel, and public relations firms before you need them.
- Train your team on breach identification and reporting so incidents are found and escalated promptly; the 60-day clock starts when any workforce member knows, not when management is told.
- Conduct tabletop exercises that walk through breach notification scenarios to test timelines, decisions, and communication steps.
During a Breach
When a breach is discovered, execute your plan with care. Keep detailed documentation throughout.
- Activate your incident response team and begin the investigation right away.
- Contain the breach to prevent further unapproved access or sharing.
- Preserve evidence for forensic analysis and possible legal proceedings.
- Conduct the four-factor risk assessment to determine notification duties.
- Engage legal counsel to guide notice decisions and regulatory interactions.
- Prepare notice items including person letters, HHS submission, and media statements.
- Deliver notices within required timelines, documenting delivery for every person.
- Activate support services such as call centers and credit monitoring for affected people.
- Cooperate with regulators if OCR opens an investigation after notice.
- Conduct a post-incident assessment and update your program based on lessons learned.
Breach Notification FAQ
How quickly must covered entities notify HHS under the proposed 2025 rule?
Under the current Breach Notification Rule, HHS notification for large breaches (500 or more individuals) must occur within 60 calendar days of discovery. A 2024 NPRM proposes shortening this to 72 hours for HHS notification only. The 72-hour rule has not been finalized as of June 2026. Individual and media notification deadlines remain at 60 days under the proposal. Organizations should begin building 72-hour-capable response workflows now, before the rule is finalized.
Does a ransomware attack automatically require HIPAA breach notification?
Not automatically, but HHS guidance strongly presumes it does. When ransomware encrypts ePHI, HHS considers the PHI to have been acquired by an unauthorized party unless the covered entity can demonstrate through the four-factor Breach Risk Assessment that there is a low probability of compromise. That demonstration is difficult in most ransomware scenarios. The practical standard: assume a ransomware attack involving ePHI is a reportable breach unless forensic evidence proves otherwise, and begin your 60-day clock from the date of discovery.
What happens if a covered entity misses the 60-day notification deadline?
Missing the 60-day deadline is itself a HIPAA violation, separate from the underlying breach. OCR treats the duration of the delay, the reason for it, and whether the organization acted in good faith as aggravating or mitigating factors. Penalties follow the four-tier civil money penalty structure, from roughly $100 per violation at Tier 1 (lack of knowledge) to an annual cap above $2 million per provision violated at Tier 4 (willful neglect, not corrected); the figures are adjusted for inflation each year. Late notification for a large breach affecting thousands of individuals can result in multimillion-dollar settlements. The only safe approach is to build notification workflows that consistently meet or beat the 60-day window. For more on HIPAA enforcement, see our common HIPAA violations and prevention guide.
Who is responsible for breach notification when a business associate causes the breach?
The covered entity bears ultimate responsibility for all required notifications to individuals, HHS, and media outlets—even when a business associate caused the breach. The business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovering the breach. The Business Associate Agreement may assign specific tasks to the BA, but it cannot transfer the covered entity’s legal obligation to notify. Both the covered entity and the business associate may face separate OCR enforcement actions arising from the same breach.
How do I submit a breach to the HHS Breach Portal, and what is the Wall of Shame?
All HIPAA breaches must be reported to HHS through the Breach Reporting Portal at hhs.gov/hipaa. For breaches affecting 500 or more individuals, submission is required within 60 days of discovery (72 hours under the proposed rule). HHS publishes all large-breach submissions on a publicly searchable database informally called the “Wall of Shame”; its official name is the Breach Reporting Portal. The listing includes the organization name, state, type of breach, number of individuals affected, and the type of PHI involved. For breaches affecting fewer than 500 individuals, covered entities maintain an internal breach log and submit it within 60 days after the end of the calendar year in which the breaches were discovered (March 1, or February 29 when that following year is a leap year).
The 2025 Proposed 72-Hour Notification Rule
On December 27, 2024, HHS published a Notice of Proposed Rulemaking (NPRM) in the Federal Register that would significantly shorten the breach notification window for large breaches. The proposed rule targets covered entities that experience breaches affecting 500 or more individuals.
What the Proposed Rule Would Change
Under the current Breach Notification Rule, all notifications—individual, HHS, and media—must be delivered without unreasonable delay and no later than 60 calendar days after discovery. The 2025 NPRM proposes:
- 72-hour deadline for HHS notification when a breach affects 500 or more individuals. A 72-hour window would bring HIPAA in line with regimes that already use it, such as the NYDFS Cybersecurity Regulation (23 NYCRR 500) and GDPR Article 33; it is far tighter than the FTC Safeguards Rule, which allows 30 days for notice to the FTC.
- Individual and media notification deadlines unchanged at 60 days under the proposal, though HHS sought comment on whether those timelines should also be shortened.
- Expanded breach portal reporting fields requiring more granular incident categorization at the time of HHS submission.
Current Status and Expected Effective Date
As of June 2026, the 72-hour rule remains a proposal—it has not been finalized. The comment period closed in March 2025. HHS received more than 1,400 public comments, with widespread concern from smaller covered entities about operational feasibility within 72 hours of breach discovery. A final rule is expected in late 2026 or 2027.
What to do now: Organizations should begin building the internal workflows that a 72-hour HHS reporting window would require. That means designating a breach response lead, pre-positioning forensic resources, and drafting templated HHS portal submissions that can be completed quickly. Waiting until the rule is finalized before preparing creates unacceptable operational risk. Our healthcare data breach prevention guide walks through the incident response infrastructure your organization needs.
HIPAA Breach Response Timeline at a Glance
The table below maps the required actions and deadlines from the moment a breach is discovered. Use it as a reference during incident response to ensure no deadline is missed. Note the separate column showing what the proposed 72-hour rule would change.
| Day / Window | Required Action | Current Rule | Proposed Rule (Not Yet Final) |
|---|---|---|---|
| Day 0 (Discovery) | Activate incident response team; begin containment | Immediate | No change |
| Day 0–3 | Preserve evidence; begin four-factor Breach Risk Assessment (BRA) | As soon as possible | No change |
| Day 1–10 | Engage forensic investigators; determine scope of PHI exposure | No specific deadline | No change |
| Day 3 (500+ affected) | Submit notification to HHS Breach Portal | No requirement at Day 3 | Proposed: within 72 hours of discovery |
| Day 10–30 | Finalize BRA; prepare individual notification letters; identify media outlets if applicable | As soon as practicable | No change |
| Within 60 days | Send individual notification by first-class mail (or email if consented) | Required deadline | No change |
| Within 60 days (more than 500 residents of one state) | Notify prominent media outlets in affected state(s) | Required deadline | No change |
| Within 60 days (500+) | Submit to HHS Breach Portal (if not already filed under proposed rule) | Required deadline | Moved to 72 hours (proposed) |
| 60 days after year end (March 1, or Feb 29 in a leap year) | Submit annual log of small breaches (<500) to HHS Breach Portal | Required annual deadline | No change |
| 6 years from creation | Retain all breach documentation (risk assessments, notices, logs) | Required retention period | No change |
State Breach Notification Laws Stricter Than HIPAA
HIPAA establishes a federal floor for breach notification—it does not preempt state laws that provide greater patient protections. Healthcare organizations must comply with both HIPAA and any applicable state law. When a state deadline is shorter than HIPAA’s 60-day window, the state deadline governs. See our state privacy laws vs. HIPAA guide for a comprehensive state-by-state comparison.
The following states have breach notification requirements that are materially stricter than HIPAA for healthcare organizations:
| State | Governing Law | Individual Notification Deadline | AG / Regulator Notice Required? | Key Differences from HIPAA |
|---|---|---|---|---|
| Texas | Tex. Bus. & Com. Code §521.053 (as amended in 2023) | 60 days after determining that a breach occurred (same outer limit as HIPAA) | Yes — Attorney General within 30 days if 250 or more Texas residents affected | The 30-day AG deadline is half HIPAA’s window and runs on its own clock in parallel with individual notice |
| Florida | Florida Information Protection Act (FIPA), Fla. Stat. §501.171 | 30 days after determination of the breach | Yes — Department of Legal Affairs (Attorney General) within 30 days if 500 or more Floridians affected | 30-day cap; broader definition of personal information than HIPAA PHI |
| Illinois | Personal Information Protection Act (PIPA), 815 ILCS 530 | “In the most expedient time possible and without unreasonable delay” | Yes — Attorney General if 500 or more Illinois residents affected, no later than individual notice; HIPAA-covered entities must also send the AG a copy of any HHS breach notification within 5 business days of notifying HHS | No fixed day count, but the “expedient” standard and the 5-business-day copy requirement compress the window once HHS has been notified |
| New York | SHIELD Act / NY General Business Law §899-aa | “In the most expedient time possible” and, under the December 2024 amendments, within 30 days after discovery | Yes — Attorney General, Department of State, and State Police (plus DFS under the 2024 amendments); HIPAA-covered entities must also send the AG a copy of any HHS notification within 5 business days of notifying HHS | 30-day ceiling and multiple agency notifications; the HHS filing starts a second, shorter state clock |
| California | Cal. Health & Safety Code §1280.15 (licensed clinics, health facilities, home health agencies, and hospices); Cal. Civ. Code §1798.82 (general breach law) | 15 business days after detection for §1280.15 facilities, to affected patients and to the California Department of Public Health (CDPH) | Yes — CDPH under §1280.15; Attorney General under §1798.82 if more than 500 California residents affected | 15-business-day window is substantially shorter than HIPAA; it attaches to the facility’s license, so an in-scope California facility must meet it for its patients regardless of where they reside |
Practical implication: If a breach affects Florida residents, the effective individual deadline is 30 days; for a licensed California facility it is 15 business days. Even where a state’s individual deadline matches HIPAA’s, regulator notices run on their own clocks (the Texas AG at 30 days; the Illinois and New York AG copies within 5 business days of the HHS filing). Build your breach response program around the most restrictive applicable deadline, not the HIPAA ceiling. Engage legal counsel experienced in multi-state breach notification before an incident occurs.
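As an added example (not code from this page, from HHS, or from any state regulator), the following Python deadline calculator works through the situation the table describes: the federal HIPAA deadlines are computed from the imputed discovery date, the Florida, Texas and California overlays from the table are layered on top, and the Illinois/New York 5-business-day AG copy is modelled as a separate clock that runs from the HHS filing rather than from discovery. The state thresholds, the Monday-to-Friday business-day rule with no holidays, and the scenario dates are assumptions to validate with counsel before any real use; what the code demonstrates is that the controlling deadline is the minimum across every applicable rule, and that regulator copies triggered by the HHS filing move earlier when the HHS filing moves earlier.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Deadline:
    recipient: str   # who must receive the notice
    authority: str   # the rule that fixes the date
    due: date


def discovery_date(reports: dict[str, date]) -> date:
    """Knowledge imputation (45 CFR 164.404(a)(2)): the breach is discovered on
    the first day any workforce member or agent knew of it, not the day it was
    escalated to the privacy officer.  `reports` maps "who knew" -> "when"."""
    return min(reports.values())


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n Monday-to-Friday days.  Holidays are not modelled
    (assumption); add a holiday set here if a state's rule excludes them."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def annual_log_deadline(discovered: date) -> date:
    """Small-breach log: 60 days after the end of the discovery year.  That is
    March 1 in a normal year but February 29 when the following year is a leap year."""
    return date(discovered.year, 12, 31) + timedelta(days=60)


def hhs_copy_deadline(hhs_notified: date) -> date:
    """Illinois and New York require HIPAA-covered entities to send the AG a copy
    of the HHS notification within 5 business days of notifying HHS.  The clock
    runs from the HHS filing, so filing with HHS early (as a 72-hour workflow
    would) pulls these state deadlines forward too."""
    return add_business_days(hhs_notified, 5)


def notification_deadlines(
    discovered: date,
    total_affected: int,
    residents_by_state: dict[str, int],
    ca_licensed_facility: bool = False,
) -> list[Deadline]:
    """Return every notification deadline the scenario triggers, earliest first.
    Federal rules are the HIPAA ones described in the text; the FL, TX and CA
    overlays are illustrative encodings (assumption) of the state rules."""
    federal = discovered + timedelta(days=60)
    out = [Deadline("affected individuals", "45 CFR 164.404", federal)]
    if total_affected >= 500:
        out.append(Deadline("HHS, contemporaneous with individuals", "45 CFR 164.408(b)", federal))
    else:
        out.append(Deadline("HHS, annual small-breach log", "45 CFR 164.408(c)", annual_log_deadline(discovered)))
    for state, n in residents_by_state.items():
        if n > 500:  # media notice needs *more than* 500 residents of one state
            out.append(Deadline(f"prominent media in {state}", "45 CFR 164.406", federal))
    fl = residents_by_state.get("FL", 0)
    if fl:
        out.append(Deadline("affected individuals in FL", "Fla. Stat. 501.171", discovered + timedelta(days=30)))
        if fl >= 500:
            out.append(Deadline("Florida Dept. of Legal Affairs", "Fla. Stat. 501.171", discovered + timedelta(days=30)))
    if residents_by_state.get("TX", 0) >= 250:
        out.append(Deadline("Texas Attorney General", "Tex. Bus. & Com. Code 521.053", discovered + timedelta(days=30)))
    if ca_licensed_facility and residents_by_state.get("CA", 0):
        out.append(Deadline("affected patients in CA and CDPH", "Cal. Health & Safety Code 1280.15",
                            add_business_days(discovered, 15)))
    return sorted(out, key=lambda d: d.due)


def earliest_individual_deadline(deadlines: list[Deadline]) -> date:
    """The date the whole response must be built around: the tightest
    individual-notice deadline across every applicable rule."""
    return min(d.due for d in deadlines if d.recipient.startswith("affected"))


# Constructed scenario (not a real incident): a help-desk ticket recorded the
# compromise on Monday 3 March 2025, two weeks before the privacy officer heard of it.
SAMPLE_REPORTS = {"help desk ticket": date(2025, 3, 3), "privacy officer": date(2025, 3, 17)}
SAMPLE_RESIDENTS = {"FL": 700, "TX": 300, "CA": 200}


def demo() -> list[Deadline]:
    discovered = discovery_date(SAMPLE_REPORTS)
    return notification_deadlines(discovered, sum(SAMPLE_RESIDENTS.values()),
                                  SAMPLE_RESIDENTS, ca_licensed_facility=True)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.due}  {d.recipient:40s} {d.authority}")
```

In the constructed scenario the discovery date is 3 March (the help-desk ticket, not the privacy officer's report), so the earliest individual deadline is 24 March for the California patients, Florida individuals and the Texas AG fall on 2 April, and the federal 60-day date of 2 May is the last deadline of all. Extending the calculator is a matter of adding rows for further states; the structure of "compute each clock, then take the minimum" does not change.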
Sample Breach Notification Letter Language
The following is sample language that satisfies the content requirements of 45 CFR 164.404(c). It is a starting template only—your legal counsel must review and customize it for every specific breach before sending. State law requirements may add or modify required elements.
[Date]
[Patient Name]
[Address]
[City, State, ZIP]
Dear [Patient Name],
We are writing to inform you of a security incident that may have involved your protected health information (PHI). [Practice Name] takes the privacy and security of your health information seriously, and we want to provide you with complete information about what happened and the steps we are taking.
What Happened: On or about [date of breach], [brief description of the incident, e.g., “an unauthorized individual gained access to our electronic health record system”]. We discovered this incident on [date of discovery] and immediately began an investigation.
What Information Was Involved: Based on our investigation, the following types of your information may have been involved: [list applicable: name; date of birth; address; Social Security number; medical record number; health plan beneficiary number; diagnosis or treatment information; financial account information; other PHI]. We have no evidence at this time that your information has been misused.
What We Are Doing: We have [describe containment and remediation steps, e.g., “secured the affected systems, engaged a cybersecurity firm to conduct a forensic investigation, and implemented additional access controls”]. [Include only if the HHS report has been or will be filed contemporaneously, i.e., for breaches of 500 or more individuals: We have also reported this incident to the U.S. Department of Health and Human Services as required by law.]
What You Can Do: We recommend that you [describe protective steps, e.g., “review your Explanation of Benefits statements from your health plan for any services you did not receive, place a fraud alert with the major credit bureaus, and monitor your financial accounts”]. [If offering credit monitoring: We are offering [X] months of complimentary credit monitoring services. Please call [toll-free number] to enroll.]
For More Information: If you have questions, please contact our Privacy Officer at [toll-free telephone number], [email address], or [postal address]. Our Privacy Officer is available [hours/days].
We deeply regret that this incident occurred. We are committed to protecting your information and preventing future incidents of this nature.
Sincerely,
[Name]
[Title]
[Practice Name]
Note on substitute notice: If contact information is missing or out of date for 10 or more affected individuals, 45 CFR 164.404(d) requires substitute notice via prominent posting on the covered entity’s website for 90 days, or through major print or broadcast media serving the geographic area. The substitute notice must include a toll-free number active for at least 90 days.
What We Are Doing: We have [describe containment and remediation steps, e.g., “secured the affected systems, engaged a cybersecurity firm to conduct a forensic investigation, and implemented additional access controls”]. We have also reported this incident to the U.S. Department of Health and Human Services as required by law.
What You Can Do: We recommend that you [describe protective steps, e.g., “review your Explanation of Benefits statements from your health plan for any services you did not receive, place a fraud alert with the major credit bureaus, and monitor your financial accounts”]. [If offering credit monitoring: We are offering [X] months of complimentary credit monitoring services. Please call [toll-free number] to enroll.]
For More Information: If you have questions, please contact our Privacy Officer at [toll-free telephone number], [email address], or [postal address]. Our Privacy Officer is available [hours/days].
We deeply regret that this incident occurred. We are committed to protecting your information and preventing future incidents of this nature.
Sincerely,
[Name]
[Title]
[Practice Name]
Note on substitute notice: If contact information is missing or out of date for 10 or more affected individuals, 45 CFR 164.404(d) requires substitute notice via prominent posting on the covered entity’s website for 90 days, or through major print or broadcast media serving the geographic area. The substitute notice must include a toll-free number active for at least 90 days.
Breach Notification Takeaways
The HIPAA Breach Notification Rule demands preparation, precision, and speed. Practices that invest in pre-breach planning and train their team to identify and report incidents promptly are best positioned to meet their duties. Having the systems in place for rapid notice minimizes harm to affected people and to the practice itself.
Breach notification is not merely a regulatory checkbox. It shows your practice's commitment to transparency, clear ownership, and patient trust. When handled well, even a serious breach can be managed in a way that preserves credibility and satisfies regulatory requirements.
One Guy Consulting provides end-to-end breach notification compliance support. We help with developing incident response plans and notice templates, and we guide practices through active breach responses. Our team understands both the regulatory rules and the real-world realities of healthcare breach management. Get HIPAA compliance help to ensure your practice is prepared to meet its notification duties when it matters most.