HIPAA Breach Notification Rule: Your Guide to HIPAA Breaches


Unravel the intricacies of the HIPAA Breach Notification Rule in our comprehensive guide. Gain valuable insights on how to effectively handle and report HIPAA breaches to protect sensitive health information and maintain compliance with crucial regulations. 

What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule is a vital component of the Health Insurance Portability and Accountability Act (HIPAA) that mandates covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media, following a breach of unsecured protected health information (PHI). 

The rule outlines detailed requirements for breach assessment, reporting timelines, and necessary steps to mitigate potential harm to individuals. By understanding this rule, healthcare organizations can uphold patient privacy, foster trust, and remain compliant with HIPAA regulations.

What Constitutes a Breach of HIPAA? 

A HIPAA breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI in a manner that compromises its security or privacy. If an incident poses a significant risk of financial, reputational, or other harm to the individual, it is considered a breach and must be reported under the HIPAA Breach Notification Rule.

Breach Assessment Factors

Breach assessment factors may include any or all of the following:

  • Unauthorized Acquisition: This includes scenarios where data is accessed, copied, or taken without the individual’s consent.
  • Unauthorized Access: If PHI is viewed, opened, or accessed by an individual who does not have the right to do so, it qualifies as a breach. Even if no further action is taken, the unauthorized access itself is sufficient to trigger breach reporting.
  • Unauthorized Use: This includes instances where PHI is employed inappropriately or without the individual’s consent.
  • Unauthorized Disclosure: When PHI is shared with unauthorized individuals or entities, whether inadvertently or deliberately, it is considered a breach. This can occur through various means, such as sharing sensitive information with unauthorized recipients.
  • Compromised Security or Privacy: A breach occurs if the security or privacy of PHI is compromised in any manner, resulting in potential harm or risk to the individual’s financial, reputational, or personal well-being.
  • Significant Risk of Harm: If an incident creates a substantial risk of financial, reputational, or other types of harm, it qualifies as a breach and must be reported.
  • Evaluation of the Incident: Such evaluation involves considering the potential adverse effects on the individual’s rights and interests.

It’s important to note that the breach assessment factors are not limited to the above seven points and may involve additional considerations based on the specific circumstances of each incident. If in doubt, organizations subject to HIPAA should seek legal or compliance expertise to ensure accurate and timely reporting under the HIPAA Breach Notification Rule.

What is Unsecured Protected Health Information?

Unsecured Protected Health Information refers to any PHI that is not protected through encryption or other recognized security measures, making it susceptible to unauthorized access, use, or disclosure.

Unsecured PHI poses a higher risk of potential harm to individuals, and a breach involving unsecured PHI triggers the requirement to notify affected individuals, HHS, and, in some cases, the media.

Organizations handling PHI must ensure that appropriate security measures are in place to safeguard this sensitive information and prevent breaches.

HIPAA Breach Notification Rule 

The HIPAA Breach Notification Rule requires covered entities and business associates to promptly notify affected individuals and the Secretary of Health and Human Services (HHS), as follows:

Individual Notice

When a breach affects 500 or more individuals, covered entities must notify each affected person individually, by written letter or by electronic means. The notice must contain specific information about the breach, the types of PHI involved, steps the individual should take to protect themselves, and contact information for further inquiries.

Media Notice

In the event of a breach affecting five hundred or more individuals within a single state or jurisdiction, covered entities are required to also notify prominent media outlets serving that state or jurisdiction. The purpose of media notices is to inform the public about the breach, raise awareness, and provide affected individuals with information on how to protect themselves.

Notice to the Secretary

The HIPAA Breach Notification Rule requires covered entities to notify HHS when they discover a breach of unsecured PHI. The notification must be submitted through the web portal HHS provides, and the covered entity's obligations depend on the number of individuals affected by the breach.

Again, for breaches affecting five hundred or more individuals, the covered entity must notify the Secretary without unreasonable delay and within 60 days from the discovery of the breach. 

For breaches affecting fewer than five hundred individuals, the notification must be submitted within 60 days of the end of the calendar year in which the breach was discovered, but the covered entity may report such breaches at the time they are discovered.

Substitute Breach Notice on the Website

The substitute breach notice on the website is an essential requirement under the HIPAA Breach Notification Rule: when a covered entity experiences a breach affecting five hundred or more individuals, it must promptly post a substitute breach notice on its website.

The notice should include specific details about the breach, such as the date of the incident, the types of information involved, and the steps individuals should take to protect themselves. This notification helps ensure affected individuals are informed about the breach and can take appropriate actions to safeguard their sensitive health information.

Business Associates and HIPAA Breach Notifications

Business Associates have a significant responsibility under the HIPAA Breach Notification Rule when encountering a PHI breach. Upon discovery of a breach, both HIPAA-covered entities and Business Associates must adhere to specific reporting requirements.

Failing to comply can lead to severe consequences, including compromising patient privacy, facing substantial noncompliance fines, and encountering reputational damage and legal action. 

When Should a HIPAA Breach Notification Go Out?

A HIPAA breach notification should be sent out promptly upon the discovery of a breach. The HIPAA Breach Notification Rule requires covered entities and business associates to notify impacted individuals without unreasonable delay and no later than 60 calendar days from the discovery of the breach. 

Administrative Requirements and Burden of Proof in a HIPAA Breach

Covered entities and business associates must maintain comprehensive documentation of their breach incident response, including breach assessment, notifications, and remediation efforts. 

In case of an audit or investigation, these records serve as evidence of compliance with the HIPAA Breach Notification Rule.

State Breach Notifications vs HIPAA

State breach notification laws may impose stricter requirements than HIPAA. Most states have their own breach notification laws, mandating prompt notifications to affected individuals and the state attorney general’s office.

While HIPAA may exempt covered entities, business associates might still be obligated to provide breach notifications under state laws, often with shorter deadlines than HIPAA’s sixty-day limit. Delaying notifications could violate state law and result in financial penalties from state attorneys general.

To ensure compliance, covered entities and business associates must stay up to date on the breach notification laws of the states in which they operate.

HIPAA Breach Notification Penalties

Organizations failing to adhere to the breach notification requirements may face significant civil and criminal consequences, making it essential for covered entities and business associates to understand and adhere to the rules diligently as follows:

  1. Covered Entities (CEs) and Business Associates (BAs) failing to comply with HIPAA Rules can face civil and criminal penalties. Civil penalties are imposed by the Office for Civil Rights (OCR) and can be substantial. State attorneys general may also bring civil actions for HIPAA violations on behalf of state residents.
  2. Criminal penalties can be imposed by the U.S. Department of Justice for knowingly misusing health identifiers or for the unauthorized acquisition or disclosure of PHI.
  3. Breaches of unsecured PHI must be promptly reported to affected individuals, the Secretary of HHS, and, in some cases, the media. Significant breaches are investigated by OCR, and penalties may be imposed for non-compliance.
  4. OCR conducts complaint investigations, compliance reviews, and audits, imposing penalties for failure to comply with the HIPAA Rules. Penalties depend on the level of culpability, ranging from a minimum of $100 per incident to $50,000 or more for willful neglect not corrected within thirty days.
  5. HHS also conducts periodic audits to ensure compliance with HIPAA Rules, examining mechanisms for compliance and identifying risks and vulnerabilities. Other laws and requirements may also apply, such as special handling of sensitive health information and privacy protections for minors’ health information.

Breach Response Best Practices

It is advisable for organizations to proactively establish a comprehensive data breach response plan incorporating best practices. Below is a list of 8 best practices for breach response to help you swiftly and effectively address security incidents, minimize potential damages, and maintain trust with stakeholders in the event of a data breach.

1. Preparation

Conduct periodic training and simulations for employees to ensure they are familiar with the plan and can respond effectively in the event of a breach. Implement robust security measures, including encryption, access controls, and network monitoring, to preemptively safeguard sensitive data.

2. Detection

Monitor network activity and user behavior in real-time to detect anomalous patterns, unauthorized access attempts, or suspicious activities. Automated alerts and threat intelligence integration can significantly improve the speed and accuracy of breach detection.

3. Identification

Determine what information has been compromised, how it occurred, and the potential impact on affected individuals and the organization. A clear understanding of the breach helps in formulating an appropriate response strategy.

4. Isolation

Isolate the affected systems or networks to prevent the further spread of the breach and limit potential damage. Temporarily disconnect compromised assets to help mitigate the breach’s impact and protect other critical resources. Simultaneously, ensure that essential services remain operational to avoid unnecessary disruption.

5. Eradication

Work diligently to eliminate the root cause of the breach and remove any malware, unauthorized access points, or vulnerabilities that allowed the breach to occur. Close security gaps, patch vulnerabilities, and perform thorough security updates to prevent similar incidents in the future.

6. Investigation

Conduct a detailed post-incident analysis to determine the extent of the breach, understand the attacker’s motives, and assess the effectiveness of the response plan. Collaborate with internal security teams, external experts, and law enforcement, if necessary, to gather evidence for potential legal actions or regulatory reporting.

7. Notification

Comply with legal and regulatory requirements by promptly notifying affected individuals, relevant authorities, and other stakeholders about the breach. Provide clear and concise information about the incident’s impact, steps taken to mitigate harm, and measures individuals can take to protect themselves from potential harm.

8. Fortification

Strengthen security measures and defenses based on lessons learned from the breach. Implement enhanced security protocols, conduct regular risk assessments, and apply the latest cybersecurity practices to fortify the organization’s overall security posture. 

The HIPAA Rule as a Pivotal Safeguard in the Healthcare Industry

The HIPAA Breach Notification Rule has been put in place to ensure that protected health information remains shielded from unauthorized access and disclosure. As cyber threats continue to grow more sophisticated, healthcare organizations and business associates must proactively prepare for the inevitable challenge of data breaches. 

This comprehensive guide sheds light on the crucial elements of the HIPAA Breach Notification Rule, emphasizing the importance of preparedness, detection, identification, and swift response.

By embracing the best practices listed in this article and cultivating a resilient breach response plan, entities can not only meet legal obligations but also protect patient trust and preserve their reputation as responsible custodians of sensitive information. 

For further information on the HIPAA Breach Notification Rule and to discover the essential steps to ensure HIPAA compliance and enhance your data security, download the Perimeter81 HIPAA Compliance Checklist.

Frequently Asked Questions

What does the breach notification rule require?

The breach notification rule under HIPAA requires covered entities and business associates to promptly notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media, in the event of a breach of unsecured protected health information (PHI). The rule mandates a thorough risk assessment to determine the probability that PHI has been compromised, which in turn determines whether individuals and authorities must be notified.

Can you fail to notify of a HIPAA breach?

Failing to notify affected individuals, the Secretary of HHS, and, where required, the media of a HIPAA breach can lead to serious consequences, including civil and criminal penalties. Timely and accurate breach notification is essential to maintain compliance with HIPAA regulations and to protect patients’ privacy and security.

What is a HITECH-compliant breach notification policy?

A HITECH-compliant breach notification policy aligns with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the HIPAA breach notification rule. It outlines procedures for promptly identifying, assessing, and reporting breaches, as well as measures to mitigate risks and safeguard sensitive health information, ensuring compliance with HITECH regulations.

What are the 3 exceptions to the definition of a breach?

The three exceptions to the definition of a breach are situations where the impermissible use or disclosure of PHI does not require breach notification. These exceptions include: (1) unintentional access or acquisition of PHI by an authorized workforce member; (2) inadvertent disclosure of PHI between authorized individuals within the same covered entity; and (3) instances where the unauthorized person who obtained PHI would not be able to retain the information.

How do you handle a breach of HIPAA?

When a breach of HIPAA occurs, the covered entity or business associate must conduct a risk assessment to determine the probability that PHI has been compromised. If the assessment indicates a significant risk, appropriate breach notifications must be issued to affected individuals, the Secretary of HHS, and, if required, the media. Additionally, steps should be taken to investigate and mitigate the breach, and future preventive measures should be implemented.

Who must be notified of a privacy breach?

A privacy breach, where there is unauthorized use or disclosure of protected health information, must be reported to the affected individuals, the Secretary of HHS, and, in certain circumstances, to the media. The breach notification should be conducted in a timely manner, ensuring that individuals are promptly informed about the security or privacy compromise.

What’s the difference between a HIPAA breach and a violation?

A HIPAA breach refers specifically to the impermissible use or disclosure of protected health information that compromises its security or privacy. A violation, on the other hand, encompasses a broader range of non-compliance with HIPAA regulations, including failure to implement required safeguards, unauthorized access to PHI, or neglecting to follow HIPAA policies and procedures. A breach is a type of violation, but not all violations are breaches.