Everything you need to know about 45 CFR 164.400-414 — who must be notified, when, how, and what happens if you do not comply.
The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D, sections 164.400 through 164.414) requires covered entities and their business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured protected health information (PHI).
The rule was created by the HITECH Act of 2009 (interim final rule issued that year and finalized in the 2013 Omnibus Rule) and establishes specific timelines, methods, and content requirements for breach notifications. It applies to every covered entity (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and to every business associate, including subcontractors, that creates, receives, maintains, or transmits PHI on a covered entity's behalf.
Not every security incident is a breach. Under 45 CFR 164.402, a breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. A security incident, by contrast, is defined much more broadly in the Security Rule (45 CFR 164.304) as any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system. A blocked port scan is a security incident; it is not a breach.
Even if PHI is improperly accessed or disclosed, it is not considered a breach if it falls under one of these three exceptions in 45 CFR 164.402(1):
Unintentional acquisition, access, or use by a workforce member (or a person acting under the authority of the covered entity or business associate) acting in good faith and within their scope of authority, provided the PHI is not further used or disclosed in a manner the Privacy Rule does not permit.
Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, again provided the PHI is not further used or disclosed impermissibly.
The covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made could not reasonably have retained the information (for example, a misaddressed envelope returned unopened).
If none of the three exceptions apply, you must perform a four-factor risk assessment (45 CFR 164.402(2)) to determine whether notification is required. The four factors are: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.
Only if the assessment demonstrates a low probability that the PHI has been compromised is notification not required. The presumption runs the other way: an impermissible use or disclosure is presumed to be a breach, and under 45 CFR 164.414 the burden of proof is on the covered entity or business associate to document why it is not. If you cannot demonstrate low probability, notify.
Written notice must be sent to each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery of the breach; 60 days is an outer limit, not a safe harbor, and OCR can penalize an entity that sits on a completed investigation. The notice must be sent by first-class mail (or email if the individual has agreed to electronic notice). If contact information is insufficient or out of date for 10 or more individuals, substitute notice must be provided through a conspicuous posting on the home page of the organization's website for 90 days or through major print or broadcast media in the areas where the affected individuals likely reside, and in either case must include a toll-free number, active for at least 90 days, that individuals can call to learn whether their PHI was involved. For fewer than 10 individuals, an alternative form of written notice, a telephone call, or other means is sufficient.
For breaches affecting 500 or more individuals, you must notify HHS contemporaneously with individual notification, that is, without unreasonable delay and no later than 60 calendar days after discovery. These breaches are posted on the HHS breach portal, informally known as the "Wall of Shame". For breaches affecting fewer than 500 individuals, you must keep a log and submit those breaches to HHS within 60 days after the end of the calendar year in which they were discovered.
If a breach involves more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. Note the two thresholds differ: HHS notice is triggered at 500 or more individuals in total, media notice only when more than 500 residents of one state or jurisdiction are affected, so a breach of 600 people spread evenly across three states requires HHS notice but no media notice. The media notice must contain the same content as the individual notice.
OCR imposes civil money penalties (45 CFR 160.404) in four tiers based on the level of culpability. The figures below are the base amounts under HHS's 2019 Notice of Enforcement Discretion, which lowered the annual caps for the first three tiers; the dollar amounts are adjusted annually for inflation, so the currently enforceable figures are somewhat higher.

| Tier | Culpability Level | Per Violation (min–max) | Annual Maximum (same provision) |
|---|---|---|---|
| 1 | Did not know (and could not have known with reasonable diligence) | $100–$50,000 | $25,000 |
| 2 | Reasonable cause (not willful neglect) | $1,000–$50,000 | $100,000 |
| 3 | Willful neglect, corrected within 30 days | $10,000–$50,000 | $250,000 |
| 4 | Willful neglect, not corrected within 30 days | $50,000 | $1,500,000 |
Anthem, Inc. (2018): at $16 million, the largest HIPAA settlement to date. A phishing attack led to the breach of 78.8 million records. OCR found failures in enterprise-wide risk analysis, access controls, and system activity monitoring.
Banner Health (2023): breach affecting 2.81 million individuals. OCR cited insufficient monitoring of system activity and failure to conduct an accurate and thorough enterprise-wide risk analysis.
Breach caused by a phishing attack on 23 employees. Settlement highlighted failures in workforce training and access management.
Presence Health (2017): a $475,000 settlement specifically for late breach notification. The breach was discovered in October 2013, but individuals were not notified until the end of January 2014, more than a month past the 60-day outer limit. This was the first OCR settlement based on notification timing alone, and it shows that a late letter is a violation even when the underlying security failure is not.
The breach notification rule only applies to "unsecured" PHI. HHS guidance defines secured PHI as data that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption or destruction (for electronic media, sanitization consistent with NIST Special Publication 800-88). If your PHI is encrypted using a process consistent with NIST Special Publication 800-111 (for data at rest) or NIST Special Publications 800-52, 800-77, or 800-113 (for data in transit), and the decryption key was kept on a separate device or location and has not been compromised, the breach notification requirements do not apply.
This is the single most powerful protection you can implement. A powered-off laptop with full-disk encryption that is stolen is not a reportable breach. An intercepted email whose PHI is properly encrypted end to end is not a reportable breach. Two caveats matter in practice. First, the safe harbor depends on the data actually being encrypted at the moment of loss: a laptop stolen while unlocked or asleep with the volume key in memory, or a database whose encryption key sat in the same stolen backup, does not qualify, so record the device's power and lock state and where the key lived as part of the investigation. Second, a loss of encrypted PHI is still a security incident under the Security Rule and must be logged and handled as one; it simply does not trigger notification.
Record the date, time, nature of the incident, and who discovered it. The 60-day clock starts on the date the breach is discovered or would have been discovered through reasonable diligence, and knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the organization. A help-desk ticket that describes a breach starts the clock even if the privacy officer does not see it for a week.
Engage your privacy officer, legal counsel, IT security, and communications lead. If you use an outside incident response firm, contact them immediately.
Identify what PHI was involved, how many individuals are affected, and whether the data was encrypted. Conduct the four-factor risk assessment.
Stop the unauthorized access, recover any improperly disclosed data if possible, and remediate the vulnerability that caused the breach.
Based on your risk assessment, determine whether notification is required and to whom (individuals, HHS, media, state attorneys general).
Draft notification letters written in plain language that include: a brief description of what happened, including the date of the breach and the date of discovery if known; the types of unsecured PHI involved (for example, name, Social Security number, diagnosis); steps individuals should take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and contact procedures for questions, which must include a toll-free telephone number, email address, website, or postal address.
File through the HHS breach portal. For breaches of 500+, submit within 60 days. For smaller breaches, log and submit in your annual report.
Maintain records of your risk assessment, notification decisions, and all communications for at least six years (45 CFR 164.530(j)), including the written reasoning for any incident you decided was not a breach. Because 45 CFR 164.414 places the burden of proof on you, this documentation is your defense in any subsequent OCR investigation.
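The steps above amount to a decision procedure: safe harbor, then the three exceptions, then the four-factor assessment, then deadlines and recipients that depend on the headcount and its distribution by state. The following Python is an added worked example of that procedure, not code from the original page; the `Incident` and `Obligations` types, the field names, and the sample incidents are constructed for illustration, and the output is a compliance aid, not legal advice. It computes the latest permissible dates only; the rule still requires notice without unreasonable delay.

```python
"""Breach-notification obligation calculator (illustrative example, not legal advice)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Outer limits from 45 CFR 164.404, 164.406 and 164.408. Notice is due "without
# unreasonable delay"; the dates computed here are the latest permissible, not a target.
NOTICE_WINDOW = timedelta(days=60)
HHS_CONTEMPORANEOUS_THRESHOLD = 500   # 164.408(b): 500 OR MORE individuals in total
MEDIA_THRESHOLD = 500                 # 164.406(a): MORE THAN 500 residents of one state
SUBSTITUTE_NOTICE_THRESHOLD = 10      # 164.404(d)(2): insufficient contact info for 10+


@dataclass
class Incident:
    """Hypothetical incident record assembled during the investigation."""
    discovered: date                      # first day known, or should have been known
    affected_by_state: Dict[str, int]     # residents affected per state/jurisdiction
    secured_per_nist: bool = False        # encrypted/destroyed per the HHS guidance
    key_compromised: bool = False         # decryption key also exposed?
    exception_applies: bool = False       # one of the three 164.402(1) exceptions, documented
    low_probability: bool = False         # conclusion of the four-factor assessment
    undeliverable_contacts: int = 0       # individuals with insufficient contact info

    def __post_init__(self) -> None:
        # Accept an ISO-8601 string for convenience, store a real date.
        if isinstance(self.discovered, str):
            self.discovered = date.fromisoformat(self.discovered)


@dataclass
class Obligations:
    notify: bool
    basis: str
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    media_states: List[str] = field(default_factory=list)
    substitute_notice: bool = False


def assess(inc: Incident) -> Obligations:
    """Walk the rule in order: safe harbor, exceptions, risk assessment, then deadlines."""
    if inc.secured_per_nist and not inc.key_compromised:
        return Obligations(False, "secured PHI: encryption safe harbor (still log as a security incident)")
    if inc.exception_applies:
        return Obligations(False, "164.402(1) exception: document the determination")
    if inc.low_probability:
        return Obligations(False, "low probability of compromise: retain the four-factor assessment")

    total = sum(inc.affected_by_state.values())
    individual_deadline = inc.discovered + NOTICE_WINDOW
    if total >= HHS_CONTEMPORANEOUS_THRESHOLD:
        hhs_deadline = individual_deadline            # contemporaneous with individual notice
    else:
        # Under 500: log it and submit within 60 days after the end of the calendar year of discovery.
        hhs_deadline = date(inc.discovered.year, 12, 31) + NOTICE_WINDOW
    # Media notice is per state and needs MORE THAN 500 residents of that state.
    media = sorted(s for s, n in inc.affected_by_state.items() if n > MEDIA_THRESHOLD)
    return Obligations(
        True, "presumed breach of unsecured PHI",
        individual_deadline, hhs_deadline, media,
        inc.undeliverable_contacts >= SUBSTITUTE_NOTICE_THRESHOLD,
    )


if __name__ == "__main__":
    # Constructed sample: 652 individuals across two states, discovered 15 March 2024.
    sample = Incident("2024-03-15", {"CA": 612, "NV": 40}, undeliverable_contacts=14)
    print(assess(sample))
```

Two edge cases the example encodes are easy to get wrong by hand: 600 individuals split 300/300 across two states triggers HHS notice (total is 500 or more) but no media notice (no single state exceeds 500), and exactly 500 residents of one state triggers HHS notice but not media notice. For breaches under 500 the HHS date is tied to the calendar year of discovery, not of the breach itself.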
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. HHS must be notified within the same window for breaches affecting 500 or more individuals, or annually (within 60 days after the end of the calendar year of discovery) for smaller breaches.
A security incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system. A breach is specifically the impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. Not every incident is a breach, but every impermissible use or disclosure of unsecured PHI is presumed to be one until you document otherwise.
Yes. If PHI is encrypted per NIST standards and the key is not compromised, it is considered 'secured' and notification is not required. This is the encryption safe harbor.
Penalties range from $100 to $50,000 per violation. Presence Health paid $475,000 specifically for notifying more than a month past the 60-day deadline.
Yes. Under 45 CFR 164.410, a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach, and must supply the identities of the affected individuals and the other information the covered entity needs for its notices. The covered entity is then responsible for individual, HHS, and media notification, although the business associate agreement may delegate that work. Two practical points: business associate agreements commonly impose a much shorter reporting deadline than 60 days, and if the business associate is acting as the covered entity's agent, the business associate's discovery date is imputed to the covered entity, so the covered entity's own 60-day clock may already be running.
The notice must describe what happened, including the dates of the breach and of discovery if known; the types of unsecured PHI involved; steps the individual should take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and contact procedures for questions, including a toll-free telephone number, email address, website, or postal address.
It evaluates: (1) nature and extent of PHI involved, (2) who the unauthorized person was, (3) whether PHI was actually acquired or viewed, and (4) extent of risk mitigation. Low probability of compromise may eliminate the notification requirement.
Take our free HIPAA compliance assessment to identify gaps in your breach notification readiness before an incident occurs.