The HIPAA breach notification requirements obligate HIPAA covered entities and business associates to identify and investigate impermissible uses or disclosures of unsecured protected health information, perform the required breach risk assessment, and provide notice to affected individuals and, in specified circumstances, to the Secretary of the U.S. Department of Health and Human Services and the media within the time limits set by the HIPAA Breach Notification Rule.
A breach is an impermissible use or disclosure of protected health information under the HIPAA Privacy Rule that compromises the security or privacy of the information, subject to defined exceptions. The HIPAA Breach Notification Rule applies to unsecured protected health information, which means protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through an approved technology or methodology. When a potential incident occurs, the organization must assess whether a breach has occurred by evaluating the nature and extent of the protected health information involved, the unauthorized person who used the information or received it, whether the information was actually acquired or viewed, and the extent to which risk to the protected health information has been mitigated.
Notice to affected individuals is required without unreasonable delay and no later than 60 calendar days after discovery of the breach by the covered entity. Individual notice must be written in plain language and include the types of information involved, steps individuals should take to protect themselves, what the covered entity is doing to investigate and reduce harm and prevent recurrence, and contact procedures for questions. Notice is provided by first class mail to the individual or, if the individual has agreed, by email. Substitute notice is required when contact information is insufficient or out of date, with additional requirements when the number of affected individuals exceeds a specified threshold. Urgent situations may require telephone or other means in addition to the written notice.
Notification to the Secretary is also required. For breaches involving 500 or more individuals in a state or jurisdiction, the covered entity must notify the Secretary without unreasonable delay and no later than 60 calendar days after discovery. For breaches involving fewer than 500 individuals, the covered entity must maintain a log and submit the information to the Secretary within 60 calendar days after the end of the calendar year.
Media notice is required for breaches involving 500 or more residents of a state or jurisdiction. This notice must be provided to prominent media outlets serving the area without unreasonable delay and no later than 60 calendar days after discovery.
Business associates have separate duties. A business associate must notify the covered entity of a breach of unsecured protected health information without unreasonable delay and no later than 60 calendar days after discovery, and the notice must include information the covered entity needs to meet its notification obligations.
The HIPAA Breach Notification Rule permits delay of notification when a law enforcement official states that notice would impede a criminal investigation or cause damage to national security, and the delay must follow the scope and duration specified by the law enforcement request.
Regulatory Text About HIPAA Breach Notification Requirements
45 CFR 164.402 defines when an incident is treated as a reportable breach and sets the required risk assessment standard. The regulation states “Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part.” This text is relevant because breach notification duties apply only after an event meets the regulatory breach definition.
45 CFR 164.402 establishes the presumption of breach and the required factors for the breach risk assessment. The regulation states “is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability.” This text is relevant because the presumption and the low probability standard determine whether notification is required after an impermissible use or disclosure.
45 CFR 164.404 sets the individual notification obligation and the outer time limit for providing notice. The regulation states “a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days.” This text is relevant because it is the timeliness requirement used to evaluate compliance with individual breach notices.
45 CFR 164.404 specifies required elements and readability for the individual notice content. The regulation states “The notification required by paragraph (a) of this section shall be written in plain language.” This text is relevant because breach notices must meet a content and format standard, not only a delivery deadline.
45 CFR 164.406 sets the media notice trigger and the media notice deadline. The regulation states “notify prominent media outlets serving the State or jurisdiction” and it also states “without unreasonable delay and in no case later than 60 calendar days.” This text is relevant because it creates an additional notification obligation when the breach affects more than 500 residents of a State or jurisdiction.
45 CFR 164.408 establishes notification to the Secretary and distinguishes between larger breaches and smaller breaches. The regulation states “For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall” and it also states “contemporaneously with the notice required by § 164.404(a).” This text is relevant because it sets the timing and coordination requirement for reporting larger breaches to the Secretary.
45 CFR 164.408 also requires annual reporting for smaller breaches. The regulation states “not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a).” This text is relevant because it establishes the annual deadline and the documentation expectation for breaches involving fewer than 500 individuals.
45 CFR 164.410 sets the business associate notice duty and the business associate deadline. The regulation states “a business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity” and it also states “without unreasonable delay and in no case later than 60 calendar days.” This text is relevant because covered entity notification duties often depend on timely reporting by business associates.
45 CFR 164.412 permits a law enforcement delay under defined conditions. The regulation states “If a law enforcement official states” and it also states “delay such notification, notice, or posting for the time period specified.” This text is relevant because it is the regulatory basis for delaying required notices when law enforcement states that notice would impede an investigation or cause damage to national security.
45 CFR 164.414 assigns the burden of proof for breach notification compliance and for determinations that an incident is not a breach. The regulation states “shall have the burden of demonstrating that all notifications were made as required by this subpart.” This text is relevant because it drives documentation and retention practices used to support audit and enforcement reviews.