What is the HIPAA Breach Notification Rule? Timelines, requirements, and response steps
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires covered entities—and in many cases their business associates—to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and sometimes the media when unsecured PHI is impermissibly used or disclosed.
Unlike some security frameworks that focus only on prevention, HIPAA explicitly regulates what happens after an incident. Notification timelines are tight. Decision-making must be documented. Teams that have not rehearsed breach workflows often miss deadlines or produce incomplete reports.
This guide covers:
- How HIPAA defines a breach (and key exceptions)
- The four-factor risk assessment used to determine reportability
- Notification requirements, timelines, and content expectations
- Practical steps to prepare before an incident occurs
Related guides:
- What is HIPAA compliance? A complete guide
- Preparing for HIPAA compliance: An 8-step HIPAA compliance checklist
- HIPAA regulations and rules explained
- HIPAA collection hub

Key takeaways
- A breach is generally an impermissible use or disclosure of PHI that compromises security or privacy, unless a specific exception applies or a risk assessment shows low probability of compromise.
- Individual notification is typically required within 60 days of discovering a breach, with shorter expectations in many operational playbooks.
- HHS reporting deadlines depend on breach size: larger breaches (500+ individuals in a state or jurisdiction) have immediate reporting expectations; smaller breaches may be reported annually.
- Business associates must notify covered entities without unreasonable delay and generally no later than 60 days after discovery.
- Documentation is mandatory. OCR expects evidence of discovery date, risk assessment rationale, and notification actions.
What counts as a breach under HIPAA?
HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
Common breach scenarios include:
- Ransomware affecting systems containing ePHI
- Misdirected faxes or emails with patient records
- Lost or stolen unencrypted laptops or phones with PHI
- Unauthorized employee snooping into celebrity or acquaintance records
- Vendor misconfigurations exposing patient databases
Exceptions (not treated as breaches)
HIPAA recognizes three exceptions where an impermissible use/disclosure may not be a breach:
- Unintentional acquisition, access, or use by a workforce member acting in good faith within scope of authority, without further impermissible disclosure
- Inadvertent disclosure between authorized persons at the same covered entity or business associate, with no further impermissible disclosure
- Good faith belief that the unauthorized person would not reasonably retain the information
Even when exceptions may apply, document the incident and your analysis. Ambiguity favors preparation.
Unsecured PHI
Breach notification applies to unsecured PHI—PHI not rendered unusable, unreadable, or indecipherable through approved encryption or destruction methods. Properly encrypted data lost on a device may not trigger notification if the encryption key was not also compromised (facts matter—consult counsel).
The four-factor breach risk assessment
When impermissible use or disclosure occurs and exceptions do not clearly apply, perform a breach risk assessment considering:
| Factor | Questions to answer |
|---|---|
| 1. Nature and extent of PHI | What types of identifiers and clinical/financial details were involved? |
| 2. Unauthorized person | Who received or accessed the PHI? Can they re-disclose it? |
| 3. Acquisition or viewing | Was PHI actually acquired, viewed, or only potentially accessible? |
| 4. Mitigation | How quickly was exposure contained? Were recipients asked to delete/return data? |
If the assessment concludes there is a low probability that PHI was compromised, it may not be a reportable breach—but you must retain written documentation of that conclusion.
Who must be notified and when
Notification obligations depend on role and breach scale:
| Audience | Covered entity responsibility | Typical timeline |
|---|---|---|
| Affected individuals | Written notice (mail, email if agreed, or substitute if contact info insufficient) | Without unreasonable delay, not later than 60 days after discovery |
| HHS (OCR) | Breach report via OCR portal | 500+ individuals in a state/jurisdiction: within 60 days; smaller breaches: annual log |
| Prominent media | Notice if 500+ residents of a state/jurisdiction affected | Without unreasonable delay, not later than 60 days |
| Business associate → covered entity | BA notifies CE of breach at BA | Without unreasonable delay, not later than 60 days after discovery |
Discovery date matters. HIPAA generally treats discovery as when any workforce member (other than the person committing the breach) knows or should have known of the breach.
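As an added example (not code from the article or from SecureSlate), the following Python helper walks the decision path described above and in the four-factor section: is the PHI unsecured, does an exception apply, did the assessment find low probability, and if the breach is reportable, who must be notified and by when on the 60-day clock from discovery. The `Incident` fields and the per-jurisdiction counts are constructed assumptions; the thresholds follow the tables above, and the small-breach annual report is left as a label because the article gives no date for it.

```python
# Hypothetical breach-triage helper for tabletop drills (not legal advice).
# Encodes the article's decision path: unsecured PHI -> exceptions ->
# four-factor assessment -> notification audiences and 60-day deadlines.
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # "not later than 60 days after discovery"
LARGE_BREACH = 500                  # 500+ in one state/jurisdiction, per the tables

@dataclass
class Incident:
    discovered: date          # day a non-wrongdoer workforce member knew or should have known
    encrypted: bool           # PHI encrypted per HHS guidance
    key_compromised: bool
    exception_applies: bool   # one of the three HIPAA exceptions, documented
    low_probability: bool     # four-factor assessment: low probability of compromise
    affected: dict            # constructed counts per state/jurisdiction, e.g. {"CA": 620}

def triage(inc: Incident) -> dict:
    """Return a decision record suitable for the internal breach log."""
    record = {"discovered": inc.discovered.isoformat(), "reportable": False,
              "rationale": [], "notify": {}}
    if inc.encrypted and not inc.key_compromised:
        record["rationale"].append("PHI encrypted and key not compromised: not unsecured PHI")
        return record
    if inc.exception_applies:
        record["rationale"].append("HIPAA exception applies; incident documented, no notice")
        return record
    if inc.low_probability:
        record["rationale"].append("Four-factor assessment: low probability of compromise")
        return record
    record["reportable"] = True
    record["rationale"].append("Unsecured PHI, no exception, not low probability")
    deadline = (inc.discovered + NOTICE_WINDOW).isoformat()
    record["notify"]["individuals"] = deadline
    large = sorted(j for j, n in inc.affected.items() if n >= LARGE_BREACH)
    if large:
        record["notify"]["hhs"] = deadline                 # large breach: 60-day HHS report
        record["notify"]["media"] = {j: deadline for j in large}  # prominent media per jurisdiction
    else:
        record["notify"]["hhs"] = "annual log"             # smaller breaches: aggregated annually
    return record

def days_left(inc: Incident, today: date) -> int:
    """Time-to-notify drill: days remaining on the 60-day clock (negative means overdue)."""
    return (inc.discovered + NOTICE_WINDOW - today).days
```

Feed it each scenario from a tabletop exercise and keep the returned record with the incident file; the `rationale` list is the written conclusion OCR expects to see.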
Notifying affected individuals
Individual breach notices must include, at minimum:
- A brief description of what happened, including date of breach and discovery
- Types of PHI involved
- Steps individuals should take to protect themselves
- Description of your investigation and mitigation
- Contact procedures for questions (toll-free number, email, website)
Use plain language. Patients are stressed; clarity reduces support volume and reputational harm.
Operational tips:
- Prepare notification templates in advance (legal review recommended)
- Define who approves content (privacy officer, legal, communications)
- Track delivery failures and substitute notice procedures
- Offer credit monitoring or identity protection when appropriate (not always required, but sometimes expected)
Reporting to HHS and media (large breaches)
HHS reporting
Submit breach reports through the HHS OCR breach portal. Large breaches require timely submission; smaller breaches may be aggregated in an annual report.
Maintain an internal breach log either way. OCR may request supporting documentation during investigations.
Media notification
When 500 or more residents of a state or jurisdiction are affected, provide notice to prominent media outlets serving that area. Coordinate with PR and legal to ensure accuracy and consistency with individual notices.
Business associate breach obligations
Business associates that discover a breach of unsecured PHI must notify the covered entity. The BAA should specify:
- Timeline and method of notification
- Information the BA must provide to support CE notification
- Cooperation during investigation and OCR inquiries
- Subcontractor flow-down requirements
Covered entities remain responsible for individual notification in most cases, but delays at the BA layer compress the CE's effective timeline. Monitor vendor incident clauses during procurement.
How to prepare before a breach happens
Build a breach program that executes under pressure:
- Incident response plan with HIPAA-specific playbooks
- Roles and escalation (privacy officer, security officer, legal, IT, communications)
- Forensic retainer or internal capability to preserve evidence quickly
- Pre-approved notification templates and mailing workflows
- Tabletop exercises twice per year including BA scenarios
- Encryption standards to reduce unsecured PHI exposure
- Logging and monitoring to shorten discovery time
Run a "time-to-notify" drill: simulate discovery on day zero and walk through the 60-day clock with assigned owners.
Streamline breach readiness with SecureSlate
Breach notification fails when policies exist but execution trails are missing. SecureSlate helps teams maintain operational readiness.
SecureSlate helps teams:
- Store incident response plans, breach decision logs, and notification templates
- Assign control owners for monitoring, encryption, and access management
- Track vendor BAAs with breach notification clauses and review dates
- Maintain audit-ready evidence that supports OCR inquiries
Get started for free to build breach readiness into everyday compliance workflows.
FAQ
What is the HIPAA breach notification deadline?
Individual notification and most HHS reporting for large breaches must occur without unreasonable delay and no later than 60 days after discovery, unless law enforcement requests a delay.
Is ransomware always a reportable HIPAA breach?
Not automatically. You must assess whether PHI was acquired or exfiltrated and whether encryption or other safeguards render data unusable. Document the analysis either way.
Do we notify patients if PHI was encrypted?
If PHI was encrypted in a manner consistent with HIPAA guidance and the encryption key was not compromised, notification may not be required. Confirm facts with legal counsel.
Who discovers a breach for timeline purposes?
Discovery generally occurs when any person other than the wrongdoer, acting in a workforce capacity, knows or should have known of the breach.
Can business associates notify patients directly?
Typically the covered entity notifies individuals, but BAAs may assign specific responsibilities. Clarify this in contracts before incidents occur.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to HIPAA and related regulations, you should consult a licensed attorney.