HIPAA Breach Notification Procedures Under the Breach Notification Rule

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

Last reviewed · By Chad Griffith

The HIPAA Breach Notification Rule at 45 CFR 164.400-414 requires covered entities to notify affected individuals, the HHS Secretary, and in some cases the media when a breach of unsecured Protected Health Information (PHI) occurs. The rule defines a 'breach' as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. A four-factor risk assessment determines whether an incident rises to the level of a 'breach' requiring notification or whether it can be documented as a non-breach event. The procedural detail of notification — content, timing, methods, recipients — is heavily prescribed by the rule.

What Constitutes a Breach

Per 45 CFR 164.402, a 'breach' is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule. Three exceptions exist: (1) unintentional acquisition by a workforce member acting under authority of the entity if made in good faith and within scope of employment; (2) inadvertent disclosure by a person authorized to access PHI to another authorized person at the same entity or business associate; (3) disclosure where the entity has a good-faith belief the recipient could not reasonably retain the PHI.

Outside these exceptions, an impermissible use or disclosure is presumed to be a breach unless the entity demonstrates that there is a low probability that the PHI has been compromised based on a four-factor risk assessment: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk to the PHI has been mitigated.

60-Day Individual Notification Deadline

Per 45 CFR 164.404, covered entities must notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. 'Discovery' means the first day the breach is known, or by exercising reasonable diligence would have been known, to the entity. The 60-day clock starts at discovery, not at incident occurrence. Late notification is itself a HIPAA violation separate from the underlying breach.

Notification content must include: a brief description of what happened, including the date of the breach and the date of discovery (if known); a description of the types of unsecured PHI involved (e.g., name, social security number, diagnosis); steps individuals should take to protect themselves from potential harm; what the entity is doing to investigate, mitigate harm, and protect against further breaches; and contact procedures for individuals to ask questions or learn additional information.

Notification methods: written notice by first-class mail to the last known address; electronic notice if the individual has agreed to electronic notice; substitute notice (web posting plus toll-free number plus media notice for affected populations of 10+ in a state) if contact information is insufficient; urgent notice (telephone or other means) if there is the possibility of imminent misuse of the PHI, in addition to the standard written notice.

Media Notification for 500+ Individuals

Per 45 CFR 164.406, breaches affecting 500 or more individuals in a state or jurisdiction require notification to prominent media outlets serving that state or jurisdiction. Media notification must occur within the same 60-day deadline as individual notification. Format is typically a press release. The media notification requirement is in addition to (not a substitute for) individual notification.

Multi-state breaches (affecting 500+ individuals total but fewer than 500 in any single state) do not trigger state-level media notification under 164.406, but still trigger HHS Secretary notification within 60 days. Media notification has been used by OCR as one indicator of breach response adequacy — premature media disclosure (before individual notification is complete) can complicate response and create additional reputational impact.

HHS Secretary Notification

Per 45 CFR 164.408, breaches affecting 500 or more individuals must be reported to the HHS Secretary contemporaneously with individual notification — no later than 60 days from discovery. Reports are submitted through the HHS Breach Reporting Tool at https://ocrportal.hhs.gov/ocr/breach. Breaches affecting fewer than 500 individuals are reported annually to HHS, no later than 60 days after the end of the calendar year in which the breaches occurred.

The HHS Breach Portal is publicly accessible — the 'Wall of Shame' — listing all reported breaches affecting 500+ individuals with entity name, breach date, breach location, type of breach, and number of individuals affected. The public listing creates significant reputational pressure for accurate and timely reporting. Failure to report or under-reporting has been the basis of additional civil money penalties.

Business Associate Breach Reporting

Per 45 CFR 164.410, business associates must report breaches to the covered entity without unreasonable delay and no later than 60 days from discovery. The covered entity remains responsible for individual, media, and HHS notification — the 60-day clocks under 164.404, 164.406, and 164.408 all start at the covered entity's discovery, which may be the date the BA notified it rather than the date the BA discovered the breach.
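The deadline and threshold logic in the 164.404, 164.406, 164.408 and 164.410 sections above is easy to get wrong under pressure, so the following is an added worked example (not code from the original page or from FileFlo) that models it as a small calculator. It assumes the covered entity's discovery date is the anchor for every clock, that the business associate's notification date is taken as the covered entity's discovery date, and that the annual HHS deadline for sub-500 breaches is keyed on the calendar year of discovery; the per-state counts and dates are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures as stated in the rule sections discussed on this page.
INDIVIDUAL_DEADLINE_DAYS = 60        # 45 CFR 164.404: no later than 60 calendar days after discovery
MEDIA_THRESHOLD_PER_STATE = 500      # 45 CFR 164.406: 500+ individuals in a single state or jurisdiction
HHS_CONTEMPORANEOUS_THRESHOLD = 500  # 45 CFR 164.408: 500+ total reported within the same 60 days
BA_TO_CE_DEADLINE_DAYS = 60          # 45 CFR 164.410: BA must report to CE within 60 days of its discovery
ANNUAL_REPORT_GRACE_DAYS = 60        # 45 CFR 164.408: sub-500 breaches logged, reported 60 days after year end


@dataclass
class BreachFacts:
    ce_discovery: date                 # first day the breach was (or should have been) known to the CE
    affected_by_state: dict[str, int]  # constructed sample values, e.g. {"TX": 420, "OK": 95}


@dataclass
class NotificationPlan:
    total_affected: int
    individual_deadline: date          # 164.404 deadline for written notice to each individual
    media_states: list[str]            # states where 164.406 media notice is triggered
    media_deadline: Optional[date]     # same 60-day clock as individual notice, None if not triggered
    hhs_deadline: date                 # 164.408 deadline (contemporaneous or annual)
    hhs_contemporaneous: bool          # True when the 500+ total rule applies


def individual_deadline(ce_discovery: date) -> date:
    """Last permissible day for individual notice; the clock starts at discovery, not occurrence."""
    return ce_discovery + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)


def annual_hhs_deadline(ce_discovery: date) -> date:
    """Annual-log deadline for sub-500 breaches: 60 days after the end of the discovery year (assumption)."""
    year_end = date(ce_discovery.year, 12, 31)
    return year_end + timedelta(days=ANNUAL_REPORT_GRACE_DAYS)


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    """Derive every notification obligation and deadline from the discovery date and per-state counts."""
    total = sum(facts.affected_by_state.values())
    ind_deadline = individual_deadline(facts.ce_discovery)

    # Media notice is per state: a multi-state breach with 500+ total but <500 in every
    # single state does not trigger it, even though it does trigger 60-day HHS reporting.
    media_states = sorted(
        state for state, n in facts.affected_by_state.items() if n >= MEDIA_THRESHOLD_PER_STATE
    )
    media_deadline = ind_deadline if media_states else None

    if total >= HHS_CONTEMPORANEOUS_THRESHOLD:
        hhs_deadline, contemporaneous = ind_deadline, True
    else:
        hhs_deadline, contemporaneous = annual_hhs_deadline(facts.ce_discovery), False

    return NotificationPlan(total, ind_deadline, media_states, media_deadline, hhs_deadline, contemporaneous)


def ba_report_status(ba_discovery: date, ba_notified_ce: date) -> tuple[date, date, bool]:
    """Return (BA-to-CE deadline, resulting CE discovery date, whether the BA report was late).

    The CE's own clocks start at the date the BA notified it (assumption, per the page's
    'may be the date the BA notified them' language), so a slow BA report pushes the CE
    clocks later but is itself a 164.410 violation once it passes 60 days.
    """
    ba_deadline = ba_discovery + timedelta(days=BA_TO_CE_DEADLINE_DAYS)
    return ba_deadline, ba_notified_ce, ba_notified_ce > ba_deadline


def is_late(sent: date, deadline: date) -> bool:
    """Late notification is a separate violation from the underlying breach."""
    return sent > deadline


if __name__ == "__main__":
    # Constructed scenario: 515 individuals across two states, none reaching 500 in one state.
    plan = plan_notifications(BreachFacts(date(2024, 3, 1), {"TX": 420, "OK": 95}))
    print(f"individuals by {plan.individual_deadline}, media states {plan.media_states}, "
          f"HHS by {plan.hhs_deadline} (contemporaneous={plan.hhs_contemporaneous})")
    deadline, ce_disc, late = ba_report_status(date(2024, 1, 15), date(2024, 2, 10))
    print(f"BA deadline {deadline}, CE discovery {ce_disc}, BA late={late}")
```

Running it with the constructed figures shows the multi-state edge case from the 164.406 section: 515 affected with no state at 500 produces no media obligation but still a 60-day HHS deadline, whereas dropping the total below 500 moves HHS reporting to the annual log.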

Business Associate Agreements (BAAs) typically include negotiated language about breach notification timelines (often shorter than the regulatory 60-day BA-to-CE deadline) and procedures (specific contact persons, content of notification, evidence to be provided). Failure to maintain a BAA at all is a separate HIPAA violation independent of any breach.

Documentation and Burden of Proof

Per 45 CFR 164.414, covered entities and business associates have the burden of demonstrating that all required notifications were made or that, after performing a four-factor risk assessment, the use or disclosure did not constitute a breach. Documentation requirements: written records of breach risk assessments for incidents that did not rise to the level of breach, retained for 6 years per 164.530(j); copies of all notifications sent, retained 6 years; documentation of the source and timing of breach discovery; investigation records and remediation actions taken.

OCR investigations frequently begin with requests for breach risk assessment records for specific incidents. Inability to produce documentation of either (a) the assessment that determined an incident was not a breach or (b) the notifications sent for incidents that were breaches is itself a Privacy Rule violation under 164.530.

Frequently Asked Questions

When does the 60-day breach notification clock start?

At discovery of the breach. 'Discovery' is the first day the breach is known, or by exercising reasonable diligence would have been known, to a workforce member or other agent of the covered entity (other than the person who committed the breach). The clock starts even if the entity has not yet completed its forensic investigation — discovery is independent of investigation completion. Late notification beyond 60 days is itself a separate HIPAA violation.

What is the four-factor breach risk assessment?

When an impermissible use or disclosure occurs, the entity must determine whether it rises to a 'breach' requiring notification by assessing four factors: (1) nature and extent of the PHI involved (e.g., direct identifiers, financial details, sensitive diagnoses); (2) unauthorized person who used the PHI or to whom disclosed; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk to the PHI has been mitigated. The entity must demonstrate a low probability that the PHI has been compromised to avoid notification — and document the analysis.
