The HIPAA Breach Notification Rule is the federal HIPAA requirement (45 CFR §§ 164.400 through 164.414) that obligates HIPAA Covered Entities, after discovering a breach of unsecured protected health information, to provide written notice to the affected individuals, to the Secretary of the U.S. Department of Health and Human Services, and, when the breach involves more than 500 residents of a single state or jurisdiction, to prominent media outlets serving that area, all without unreasonable delay and within fixed time limits. A Business Associate that discovers a breach must notify the Covered Entity so that the Covered Entity can issue those notifications.
A breach under the HIPAA Breach Notification Rule is the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. Three narrow exceptions apply: an unintentional, good-faith acquisition, access, or use by a workforce member or other person acting under the entity's authority and within the scope of that authority, provided it does not result in further impermissible use or disclosure; an inadvertent disclosure by a person authorized to access protected health information to another person authorized to access it at the same entity, Business Associate, or organized health care arrangement, again provided the information is not further used or disclosed impermissibly; and a disclosure where the entity has a good-faith belief that the unauthorized recipient could not reasonably have retained the information. Outside those exceptions, an impermissible use or disclosure is presumed to be a breach unless the regulated entity demonstrates, through a documented risk assessment, that there is a low probability that the protected health information has been compromised. That risk assessment must consider at least four factors: the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the protected health information or to whom it was disclosed; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated. Because the presumption runs against the entity, the assessment should be written up at the time it is performed, with the evidence for each factor, rather than reconstructed later.
The HIPAA Breach Notification Rule applies only to breaches of unsecured protected health information, meaning protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in the Secretary's guidance. That guidance recognizes two methods: encryption consistent with the NIST standards it references (NIST SP 800-111 for data at rest and the NIST transport-security guidance for data in transit), and destruction (shredding or otherwise destroying paper and other hard-copy media, or sanitizing electronic media in line with NIST SP 800-88 so the data cannot be recovered). Encryption qualifies only if the decryption key or process was not itself compromised, so a lost laptop with full-disk encryption falls outside the rule only when the key or passphrase was not stored with or on the device and was not exposed in the same incident. A regulated entity may also choose to notify after an impermissible use or disclosure without completing a risk assessment, but it remains responsible for meeting the content, timing, and delivery requirements.
Individual notice must be provided to each affected person without unreasonable delay after discovery of a breach and in no case later than 60 calendar days after discovery; the 60 days is an outer limit, not a safe harbor, and waiting until the deadline without a reason can itself be a violation. A breach is treated as discovered on the first day it is known to the entity, or would have been known had the entity exercised reasonable diligence, and knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the entity, so the clock starts at the first internal report, not when the compliance or legal team opens a file. The notice must describe, in plain language, what happened, the types of protected health information involved, the steps individuals should take to protect themselves, what the entity is doing to investigate, mitigate, and prevent recurrence, and how to contact the entity. Written notice is provided by first-class mail to the individual's last known address, or by email when the individual has agreed to electronic notice; in urgent situations involving possible imminent misuse, notice may additionally be given by telephone or other means, but written notice is still required. When contact information for an individual is insufficient or out of date, substitute notice is required. For fewer than 10 such individuals, substitute notice may be given by an alternative form of written notice, by telephone, or by other means. For 10 or more, substitute notice must be given either by a conspicuous posting on the home page of the covered entity's website for at least 90 days or through major print or broadcast media in the areas where the affected individuals likely reside, and in either case must include a toll-free telephone number, active for at least 90 days, that individuals can call to learn whether their information was involved.
Notice to the Secretary of the U.S. Department of Health and Human Services is submitted through the breach report form on the HHS Office for Civil Rights website, with a separate report for each breach. For breaches affecting 500 or more individuals, the report is due without unreasonable delay and no later than 60 calendar days after discovery, and it is published on the OCR breach portal. For breaches affecting fewer than 500 individuals, the covered entity logs the breach and reports it to the Secretary within 60 days after the end of the calendar year in which the breach was discovered. Media notice is a separate obligation triggered when a breach involves more than 500 residents of a single state or jurisdiction: notice, typically in the form of a press release, must go to prominent media outlets serving that state or jurisdiction without unreasonable delay and no later than 60 calendar days after discovery. The two thresholds are counted differently: the Secretary threshold is the total number of individuals affected, while the media threshold is counted per state or jurisdiction, so a breach affecting 1,200 individuals spread across five states with no more than 500 in any one of them requires prompt notice to the Secretary but no media notice.
A Business Associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and must identify, to the extent possible, each individual whose unsecured protected health information was involved, together with any other information the covered entity needs to notify individuals. A Business Associate Agreement may, and commonly does, impose a shorter internal deadline so the covered entity can meet its own individual, media, and government reporting duties; where the Business Associate is acting as the covered entity's agent, its discovery date is imputed to the covered entity and the covered entity's 60-day clock starts then. Under 45 CFR § 164.414 the regulated entity bears the burden of demonstrating that all required notifications were made or that the incident was not a breach, so the risk assessment, the notifications sent, and the mitigation actions taken must be documented and retained for six years.
Staff Training about the HIPAA Breach Notification Rule
HIPAA staff training supports compliance with the HIPAA Breach Notification Rule by establishing workforce procedures for identifying, escalating, and documenting suspected breaches of unsecured protected health information. Training should define what constitutes an impermissible use or disclosure under the HIPAA Privacy Rule and how workforce members report events such as misdirected communications, lost or stolen devices, unauthorized access, ransomware indicators, or improper disposal. Because discovery is imputed to the entity from the moment any workforce member knows of an incident, the 60-day clock runs from that first report, which is why training must make internal reporting immediate and low friction rather than leaving it to the individual's judgement about whether an event "counts". Workforce members should also understand that, under HHS guidance, ransomware that encrypts electronic protected health information is presumed to be a breach unless the risk assessment shows a low probability of compromise, so an encrypted file share is a reportable event and not merely an IT outage. Training should assign reporting channels, required internal timelines, and the information to capture at the time of discovery, including the date of discovery, the systems involved, the types of protected health information affected, and the individuals or departments notified. Training should align incident reporting with the organization's risk assessment workflow used to evaluate the probability that protected health information has been compromised and to support notification decisions and documentation. Training completion records and knowledge checks support onboarding and annual refresher cycles. The HIPAA Journal Training is online, comprehensive, and suitable for onboarding and annual refresher training.
