HIPAA

HIPAA Breach Notification Requirements: Timelines, Rules, and What You Must Do

February 15, 2026

A data breach involving protected health information (PHI) triggers specific legal obligations under HIPAA's Breach Notification Rule. These aren't suggestions. They're federal requirements with financial penalties for non-compliance.

If your practice or organization experiences a breach, or even suspects one, here's what you need to know.

What Constitutes a Breach Under HIPAA

A breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of that information. The notification rule applies to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (encryption is the usual way to get there; see the safe harbor under prevention below). Examples include:

  • A laptop containing patient records is stolen
  • An employee accesses patient files without a legitimate work reason
  • PHI is sent to the wrong email address or fax number
  • A hacking incident exposes a database containing patient data
  • Paper records are improperly disposed of (not shredded)
  • A business associate's system is compromised

HIPAA presumes that any impermissible use or disclosure of unsecured PHI is a breach unless the covered entity or business associate can demonstrate a "low probability" that the PHI was compromised, and the burden of proof sits with the organization. This is determined through a four-factor risk assessment. The rule also carves out three narrow exceptions: unintentional, good-faith access by a workforce member acting within their authority; inadvertent disclosure between two people at the same organization who are both authorized to access PHI; and a disclosure where the recipient could not reasonably have retained the information. Each exception holds only if the PHI is not further used or disclosed impermissibly.

The Four-Factor Risk Assessment

When an incident occurs, you must evaluate these four factors to determine whether notification is required:

  1. The nature and extent of the PHI involved. What types of identifiers and clinical information were exposed? Social Security numbers and diagnoses are higher risk than a name alone.

  2. The unauthorized person who used the PHI or to whom the disclosure was made. Was it an internal employee who accessed records inappropriately, or was it an external hacker? Was it another covered entity or a random third party?

  3. Whether the PHI was actually acquired or viewed. Was the data merely exposed (a misdirected envelope returned unopened, a stolen laptop whose disk forensics show no files were opened) or was it confirmed to have been accessed? You need evidence to answer this; for a stolen unencrypted laptop with no forensic trail, "we don't know" means you cannot show a low probability.

  4. The extent to which the risk has been mitigated. Did you recover the data? Did the unauthorized recipient confirm destruction? Was the exposure window limited?

If, after this assessment, you cannot show that there is only a low probability the PHI was compromised, it's a breach, and notification is required. Document the assessment and its conclusion either way: if OCR investigates, that record is how you demonstrate the low probability, and without it the presumption of breach stands.

Who You Must Notify

Affected individuals

Every individual whose unsecured PHI was involved must be notified. Notification must be in writing, sent by first-class mail to the individual's last known address (or by email if the individual has agreed to electronic notice). If contact information is missing or out of date for fewer than 10 people, an alternative written notice or a telephone call is acceptable; for 10 or more, substitute notice is required, either a conspicuous posting on your website home page for 90 days or notice in major print or broadcast media, with a toll-free number active for at least 90 days. Where misuse of the PHI appears imminent, you may also notify by telephone, but the written notice is still required.

The notification must include:

  • A description of the breach (what happened), including the date of the breach and the date it was discovered, if known
  • The types of information involved
  • Steps individuals should take to protect themselves
  • What the organization is doing in response
  • Contact information for questions

The Department of Health and Human Services (HHS)

All breaches of unsecured PHI must be reported to HHS through the Office for Civil Rights (OCR) breach reporting portal.

  • Breaches affecting 500 or more individuals: Must be reported to HHS at the same time individuals are notified, and no later than 60 days after discovery. HHS publishes these on its public breach portal, commonly called the "Wall of Shame," a searchable database of large breaches.
  • Breaches affecting fewer than 500 individuals: Must be reported to HHS within 60 days of the end of the calendar year in which the breach was discovered. These can be batched and submitted at year end, one portal entry per breach; keep a running log during the year so nothing is missed.

Prominent media outlets

If a breach affects 500 or more residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area. This is in addition to individual notification and HHS reporting.

The Timeline: 60 Days

The clock starts when the breach is discovered, not when it occurred. Discovery is the first day the breach is known to the organization, or would have been known through reasonable diligence. Knowledge held by any workforce member or agent (other than the person who caused the breach) counts as the organization's knowledge, so a help-desk ticket about a missing laptop can start the clock before the compliance officer ever hears about it.

From the date of discovery:

  • Individual notification: Without unreasonable delay, no later than 60 calendar days
  • HHS notification (500+): No later than 60 calendar days
  • Media notification (500+ in a state): No later than 60 calendar days

If a business associate discovers a breach, it must notify the covered entity within the timeframe specified in the BAA (commonly 30 days or fewer; HIPAA's own outer limit for the business associate is 60 days from its discovery). When the covered entity's clock starts depends on the relationship. If the business associate acts as the covered entity's agent, its knowledge is imputed to the covered entity and the 60 days run from the date the business associate discovered or should have discovered the breach. If the business associate is an independent contractor, the covered entity's 60 days run from the date it receives the business associate's notification. Either way, negotiate short notification windows in the BAA so the distinction rarely costs you time.
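As an added example (not from the original article or the Formisoft product), here is a small Python planner that turns the timeline rules above into dates: it picks the covered entity's discovery date according to who found the breach and whether a business associate was acting as an agent, computes the 60-day outer limits, chooses the immediate versus annual-log HHS track from the headcount, and applies the media trigger per state. The `found_by` labels, the two constructed incidents, and the ISO date format are assumptions of this example; the rule it encodes is HHS's position that an agent's knowledge is imputed to the covered entity while an independent contractor's discovery counts from its notice.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Outer limits and thresholds from 45 CFR 164.404, 164.406 and 164.408
NOTICE_WINDOW = timedelta(days=60)
LARGE_BREACH = 500


@dataclass
class Incident:
    """Facts needed to place the breach on the notification calendar.

    found_on:          ISO date the breach was (or should have been) known to whoever found it
    found_by:          "covered_entity", "ba_agent" (a business associate acting as the
                       covered entity's agent) or "ba_independent" (assumed labels)
    ba_notified_ce_on: ISO date an independent business associate told the covered entity
    affected_states:   one entry per affected individual: state or jurisdiction of residence
    """
    found_on: str
    found_by: str
    ba_notified_ce_on: str | None = None
    affected_states: list[str] = field(default_factory=list)


def covered_entity_discovery_date(inc: Incident) -> date:
    """The day the covered entity's own 60-day clock starts."""
    if inc.found_by in ("covered_entity", "ba_agent"):
        # An agent's knowledge is imputed to the covered entity
        return date.fromisoformat(inc.found_on)
    if inc.found_by == "ba_independent":
        # An independent contractor's discovery counts only once it has notified the CE
        if inc.ba_notified_ce_on is None:
            raise ValueError("independent BA: need the date it notified the covered entity")
        return date.fromisoformat(inc.ba_notified_ce_on)
    raise ValueError(f"unknown found_by value {inc.found_by!r}")


def annual_log_deadline(discovery: date) -> date:
    """Sub-500 breaches: 60 days after the end of the calendar year of discovery.

    Computed from Dec 31 rather than hard-coded to March 1 so leap years come out right.
    """
    return date(discovery.year, 12, 31) + NOTICE_WINDOW


def notification_plan(inc: Incident) -> dict:
    """Who must be notified and the last permissible date for each notice (ISO strings)."""
    discovery = covered_entity_discovery_date(inc)
    total = len(inc.affected_states)
    outer_limit = (discovery + NOTICE_WINDOW).isoformat()
    large = total >= LARGE_BREACH
    by_state = Counter(inc.affected_states)
    return {
        "discovery_date": discovery.isoformat(),
        "affected_individuals": total,
        # Individual notice is always due without unreasonable delay, 60 days at most
        "individual_notice_by": outer_limit,
        # 500+ overall: HHS at the same time as individuals; otherwise the annual log
        "hhs_mode": "immediate" if large else "annual_log",
        "hhs_notice_by": outer_limit if large else annual_log_deadline(discovery).isoformat(),
        # Media notice is per state/jurisdiction, triggered by 500+ residents of that one
        "media_notice_by": {st: outer_limit
                            for st, n in sorted(by_state.items()) if n >= LARGE_BREACH},
    }


# Constructed scenario, not a real incident: an independent billing vendor found the
# problem on Feb 1 and told the practice on Feb 10; 700 Texas and 30 Oklahoma patients.
VENDOR_INCIDENT = Incident(
    found_on="2026-02-01",
    found_by="ba_independent",
    ba_notified_ce_on="2026-02-10",
    affected_states=["TX"] * 700 + ["OK"] * 30,
)

# Constructed scenario: the practice itself found a misdirected fax affecting 120 Californians.
SMALL_INCIDENT = Incident(found_on="2026-03-05", found_by="covered_entity",
                          affected_states=["CA"] * 120)

if __name__ == "__main__":
    for inc in (VENDOR_INCIDENT, SMALL_INCIDENT):
        for k, v in notification_plan(inc).items():
            print(f"{k:22} {v}")
        print()
```

Treat the dates it prints as the last permissible day, not the target: the operative standard is "without unreasonable delay," and holding a finished notice until day 60 with no reason is itself a violation. Note also that in the vendor scenario the media notice goes only to Texas outlets, because the 500-resident trigger is counted per state even though the breach is a 500+ breach overall.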

Business Associate Responsibilities

Business associates, including form platforms, cloud providers, and billing services, have their own obligations:

  • They must notify the covered entity of any breach of unsecured PHI
  • They must identify each individual affected
  • They must provide any information the covered entity needs for its own notification obligations
  • The BAA should specify the timeframe for this notification (commonly 24-72 hours after discovery, though HIPAA's outer limit is 60 days from the business associate's discovery)

Prevention: The Best Breach Response Is No Breach

Breach notification is an obligation you hope to never trigger. Prevention is where the real work happens:

Encrypt everything. HIPAA's Breach Notification Rule has a safe harbor for encrypted data. If PHI is encrypted in a manner consistent with HHS guidance (which points to NIST publications; in practice AES-256 for data at rest and TLS 1.2 or later in transit) and the decryption key was not also compromised, the data is not "unsecured PHI" and the notification requirements don't apply. The key condition matters: a stolen laptop with full-disk encryption qualifies, but a key stored next to the data, or a device taken while unlocked, does not. The same safe harbor covers PHI on media destroyed to NIST media-sanitization standards and paper that has been shredded or pulverized. Encryption is the single most effective way to keep lost and stolen devices out of the notification process entirely.

Limit access. Role-based access controls ensure staff only see the patient data they need for their job. Fewer access points means fewer potential breach vectors.

Audit regularly. Review access logs for the patterns that typically indicate insider misuse: after-hours activity, one user opening far more records than their peers, and staff opening records of relatives, coworkers, or well-known patients. The faster you detect unauthorized access, the smaller the breach and the faster you can respond.
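As an added illustration of the audit point, not code from the original article or the Formisoft product, the following Python script runs three common insider-misuse checks over a constructed EHR access log: after-hours record touches, a user opening a record for a patient who shares their surname, and a user whose distinct-patient count for the day is far above the day's median. The log layout, the 07:00-19:00 clinic hours, and the outlier thresholds are assumptions of this example.

```python
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed sample, not real EHR output. Assumed layout, one event per line:
# <ISO timestamp> <user id> <user surname> <patient id> <patient surname> <action>
SAMPLE_LOG = """\
2026-02-10T09:12:03 jlee Lee P1001 Nguyen view
2026-02-10T09:40:15 jlee Lee P1002 Ortiz view
2026-02-10T10:05:44 mpatel Patel P1003 Kim view
2026-02-10T10:30:00 mpatel Patel P1004 Brown update
2026-02-10T11:02:19 rgomez Gomez P1005 Smith view
2026-02-10T14:11:58 rgomez Gomez P1006 Chen view
2026-02-10T23:47:02 tford Ford P1007 Ford view
2026-02-10T23:48:30 tford Ford P1008 Adams view
2026-02-10T23:49:01 tford Ford P1009 Baker view
2026-02-10T23:50:12 tford Ford P1010 Clark view
2026-02-10T23:51:45 tford Ford P1011 Davis view
2026-02-10T23:52:30 tford Ford P1012 Evans view
2026-02-10T23:53:10 tford Ford P1013 Green view
2026-02-10T23:54:00 tford Ford P1014 Hill view
"""


class Event(NamedTuple):
    when: datetime
    user: str
    user_surname: str
    patient: str
    patient_surname: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed whitespace-separated layout; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, usn, patient, psn, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, usn, patient, psn, action))
    return events


def after_hours(events, start_hour=7, end_hour=19) -> dict[str, int]:
    """Record touches per user outside the assumed clinic hours [start_hour, end_hour)."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        if not (start_hour <= e.when.hour < end_hour):
            counts[e.user] += 1
    return dict(counts)


def same_surname(events) -> list[tuple[str, str]]:
    """Users opening a record whose patient shares their surname (family snooping check)."""
    return sorted({(e.user, e.patient) for e in events
                   if e.user_surname.lower() == e.patient_surname.lower()})


def volume_outliers(events, factor=3.0, minimum=5) -> dict[str, int]:
    """Users whose distinct-patient count on a day exceeds factor x that day's median
    across all users (and at least `minimum`), i.e. bulk access far beyond peers."""
    per_day_user: dict[tuple, set] = defaultdict(set)
    for e in events:
        per_day_user[(e.when.date(), e.user)].add(e.patient)
    per_day: dict = defaultdict(dict)
    for (day, user), patients in per_day_user.items():
        per_day[day][user] = len(patients)
    flagged: dict[str, int] = {}
    for counts in per_day.values():
        median = statistics.median(counts.values())
        for user, n in counts.items():
            if n >= minimum and n > factor * median:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged


def review(text: str) -> dict:
    """Run every check and return the findings keyed by rule name."""
    events = parse_log(text)
    return {
        "after_hours": after_hours(events),
        "same_surname": same_surname(events),
        "volume_outliers": volume_outliers(events),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG).items():
        print(rule, hits)
```

In the sample, one user trips all three rules at once, which is the signal worth escalating: each rule alone produces false positives (night-shift staff, a genuinely common surname), but the combination is what a reviewer should see the next morning, not at the end of the quarter. Feed real logs in through `parse_log` by adapting only that function to your system's export format.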

Train your team. Many breaches stem from human error: misdirected emails, stolen devices, phishing attacks. Regular, practical training reduces the most common breach causes.

Choose vendors carefully. Every business associate that handles PHI is a potential breach source. Evaluate their security posture, require BAAs, and verify that they use appropriate encryption and access controls.

Formisoft is built with breach prevention in mind: AES-256 encryption at rest, TLS 1.3 in transit, US-hosted infrastructure, role-based access controls, audit logging, and BAA available. Because the best way to handle breach notification requirements is to never need them. Learn more at formisoft.com.

Ready to digitize your intake?

Start building HIPAA-ready patient intake forms in minutes.

Get Started