HIPAA Breach Notification: Who, When, and How
A data breach involving protected health information (PHI) triggers mandatory notification obligations under the HIPAA Breach Notification Rule. Understanding who must notify, when notification must occur, and how to execute notification properly is essential for compliance professionals managing breach response protocols.
Understanding Your Notification Obligations
The HIPAA Breach Notification Rule, codified at 45 CFR §164.400-414, requires a covered entity to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI, and requires a business associate to notify the covered entity within the same outer limit (45 CFR §164.404(b), §164.410(b)). "Unsecured" is the key qualifier: PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons by encryption or destruction consistent with the HHS guidance issued under the HITECH Act is not "unsecured," and its loss does not trigger notification. This is the safe harbor that makes properly implemented encryption of laptops, backups, and removable media so valuable. The 60-day limit is strict: OCR has settled enforcement actions based on late notification alone, so a delay can be a separate violation from the underlying breach.
A "breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI (45 CFR §164.402). Not every unauthorized access is a reportable breach, but the presumption runs against you: an impermissible use or disclosure is presumed to be a breach unless you demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The assessment must consider at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. Three narrow exceptions also apply, covering unintentional good-faith access by a workforce member, inadvertent disclosure between persons authorized to access PHI at the same entity, and disclosures where the recipient could not reasonably have retained the information. Document the analysis thoroughly: under §164.414 the burden of proof is on you to show either that notification was made or that the incident did not constitute a breach.
Who Must Notify
Covered entities bear primary responsibility for breach notification. Under 45 CFR §164.404(a), a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. If a business associate experiences a breach, it must notify the covered entity under §164.410, and the covered entity is then responsible for notifying affected individuals, HHS, and, where required, the media. One caveat matters for the clock: if the business associate is your agent under the federal common law of agency, its discovery of the breach is imputed to you, so your 60 days start when the business associate discovered it, not when it told you.
In practice, establish clear contractual language defining breach discovery and notification procedures with all business associates. The regulatory limit on a business associate's report, "without unreasonable delay and in no case later than 60 calendar days after discovery," is an outer bound, not a target: if your Business Associate Agreement (BAA) only repeats it, a business associate that reports on day 59 leaves you one day to assess, identify individuals, and send notices. Negotiate a much shorter contractual reporting window (days, not weeks) and require the business associate to supply the identities of affected individuals and the information you need for the risk assessment and the notice content.
The 60-Day Timeline: Calculating and Meeting It
The 60-day clock starts on discovery of the breach, not on the date the breach occurred. Under 45 CFR §164.404(a)(2), a breach is treated as discovered on the first day it is known to the covered entity, or, by exercising reasonable diligence, would have been known. Knowledge of any workforce member or agent (other than the person committing the breach) is imputed to the entity. Both halves have practical consequences: a help-desk ticket or a SIEM alert that nobody escalates can start the clock, and an alert that reasonable diligence would have surfaced can start it even if nobody read it. Establish procedures ensuring that potential breaches are reported up the chain immediately, and make sure alerting on PHI systems is actually reviewed; a delayed discovery report can itself trigger regulatory liability.
Your notification plan should account for the time needed to: (1) complete the risk assessment; (2) identify affected individuals; (3) locate current contact information; and (4) prepare and send notices. For breaches affecting large populations, the logistics alone can consume weeks. Begin these tasks as soon as a breach is suspected, even if your assessment is incomplete; working them in parallel reduces the risk of missing the deadline. The only extension the Rule allows is a law-enforcement delay under §164.412: a written statement from a law-enforcement official that notification would impede an investigation permits delay for the period the statement specifies, and an oral statement, which you must document, permits delay of no more than 30 days unless a written statement follows.
How to Notify: Content and Method Requirements
Under 45 CFR §164.404(c), your notification must be written in plain language and include: (1) a brief description of what happened, including the date of the breach and the date of discovery, if known; (2) a description of the types of unsecured PHI involved (for example, name, Social Security number, date of birth, home address, account number, diagnosis, or disability code); (3) steps affected individuals should take to protect themselves from potential harm; (4) a brief description of what your organization is doing to investigate the breach, mitigate harm, and protect against further breaches; and (5) contact procedures for questions, which must include a toll-free telephone number, an e-mail address, a web site, or a postal address. Avoid vague language: specificity demonstrates transparency and reduces post-breach litigation risk.
Under §164.404(d), you must provide written notice by first-class mail to the individual's last known address, or by e-mail if the individual has agreed to electronic notice and has not withdrawn that agreement. Where contact information is insufficient or out of date, substitute notice is required: for fewer than 10 such individuals, an alternative form of written notice, telephone, or other means; for 10 or more, either a conspicuous posting on your web site home page for 90 days or conspicuous notice in major print or broadcast media where the affected individuals likely reside, in both cases with a toll-free number that remains active for at least 90 days. In situations involving possible imminent misuse, you may additionally contact individuals by telephone, but that does not replace the written notice. Separately, under §164.406, a breach involving more than 500 residents of a State or jurisdiction also requires notice to prominent media outlets serving that State or jurisdiction, without unreasonable delay and within the same 60-day limit.
Regulatory and HHS Notification
Notice to the Secretary of the U.S. Department of Health and Human Services (HHS), enforced by the Office for Civil Rights (OCR), is governed by 45 CFR §164.408 and is submitted through the HHS breach reporting portal. For a breach involving 500 or more individuals, you must notify HHS contemporaneously with the individual notices, that is, without unreasonable delay and no later than 60 calendar days after discovery. For a breach involving fewer than 500 individuals, you must maintain a log of the breach and submit it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered; you may submit it earlier, at the time you notify individuals, but you are not required to.
HIPAA itself does not require notice to state attorneys general, but nearly every state has its own breach notification law, and many of those require notice to the attorney general or another state regulator, often with shorter deadlines and broader definitions of personal information than HIPAA. State law that is more stringent than the federal Rule is not preempted, so map the residency of affected individuals against each applicable state statute as part of the same workflow.
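The deadlines and thresholds above (the 60-day individual window, the 500-individual HHS threshold, the more-than-500-residents media threshold, and the 10-individual substitute-notice threshold) are easy to mix up under time pressure. The following Python planner is an added example, not code from the original page or from HHS; it models only the federal thresholds in §164.404, §164.406 and §164.408, and assumes one record per affected individual keyed by state of residence. It does not model the law-enforcement delay in §164.412, business-associate reporting, or state law, and it is a planning aid rather than counsel's reading of the Rule.

```python
# Added example: HIPAA Breach Notification Rule deadline and channel planner.
# Not the page's or HHS's code. Models the federal thresholds in 45 CFR
# 164.404, 164.406 and 164.408 only; law-enforcement delay (164.412),
# business-associate reporting and state law are out of scope.
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60        # 164.404(b): no later than 60 calendar days after discovery
HHS_CONTEMPORANEOUS_MIN = 500  # 164.408(b): 500 or more individuals -> notify HHS with individual notice
MEDIA_RESIDENTS_MIN = 501      # 164.406: MORE than 500 residents of one State or jurisdiction
SUBSTITUTE_NOTICE_MIN = 10     # 164.404(d)(2): 10 or more with insufficient contact information


@dataclass(frozen=True)
class Breach:
    discovered: date          # discovery date under 164.404(a)(2), not the incident date
    residents_by_state: dict  # assumed input shape: {"CA": 600, "NV": 120}, one entry per individual
    undeliverable: int = 0    # individuals with insufficient or out-of-date contact information


@dataclass(frozen=True)
class Plan:
    total_individuals: int
    individual_deadline: date
    hhs_deadline: date
    hhs_contemporaneous: bool
    media_states: tuple
    substitute_notice: str


def individual_deadline(discovered: date) -> date:
    """Outer limit for individual notice; 'without unreasonable delay' may require sooner."""
    return discovered + timedelta(days=NOTICE_WINDOW_DAYS)


def hhs_deadline(discovered: date, total: int) -> tuple:
    """500+ individuals: same deadline as the individual notice.
    Fewer: log the breach and submit within 60 days after the end of the
    calendar year in which it was discovered (lands on Feb 29 or Mar 1)."""
    if total >= HHS_CONTEMPORANEOUS_MIN:
        return individual_deadline(discovered), True
    year_end = date(discovered.year, 12, 31)
    return year_end + timedelta(days=NOTICE_WINDOW_DAYS), False


def substitute_notice(undeliverable: int) -> str:
    """164.404(d)(2): the substitute-notice method depends on how many are unreachable."""
    if undeliverable <= 0:
        return "none"
    if undeliverable < SUBSTITUTE_NOTICE_MIN:
        return "alternative written notice, telephone, or other means"
    return ("website home-page posting for 90 days or major print/broadcast media, "
            "with a toll-free number active for at least 90 days")


def plan_notifications(b: Breach) -> Plan:
    """Derive every federal deadline and channel from one breach record."""
    total = sum(b.residents_by_state.values())
    hhs_due, contemporaneous = hhs_deadline(b.discovered, total)
    media = tuple(sorted(s for s, n in b.residents_by_state.items() if n >= MEDIA_RESIDENTS_MIN))
    return Plan(total, individual_deadline(b.discovered), hhs_due,
                contemporaneous, media, substitute_notice(b.undeliverable))


def plan_from_iso(discovered_iso: str, residents_by_state: dict, undeliverable: int = 0) -> Plan:
    """Convenience wrapper taking an ISO date string, e.g. from a ticketing export."""
    return plan_notifications(Breach(date.fromisoformat(discovered_iso), residents_by_state, undeliverable))


if __name__ == "__main__":
    # Constructed sample: discovered 2024-01-15, 600 CA and 120 NV residents, 3 unreachable.
    print(plan_from_iso("2024-01-15", {"CA": 600, "NV": 120}, undeliverable=3))
```

The two thresholds deliberately differ by one: 500 individuals in a single state triggers contemporaneous HHS notice (500 or more) but not media notice (more than 500), and the planner preserves that distinction rather than collapsing both to 500.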
Practical Takeaway: Documentation and Prevention
Maintain detailed records of your breach discovery, risk assessment, notification efforts, and regulatory submissions, and retain them for at least six years as §164.530(j) requires. These documents are your evidence of compliance, and under §164.414 the burden of proving that you notified, or that no breach occurred, rests on you. Concurrently, use every breach as a trigger for reviewing your Administrative, Physical, and Technical Safeguards under 45 CFR §164.308, §164.310, and §164.312; in particular, an incident that would have been a non-event had the data been encrypted is a direct argument for closing that gap. Regulators increasingly expect that breaches prompt documented remediation, not merely notification.