The HIPAA rule requiring covered entities and business associates to provide notification following a breach of unsecured protected health information.
The Breach Notification Rule, codified at 45 CFR 164.400-414, establishes the requirements for notifying affected parties when a breach of unsecured protected health information (PHI) occurs. "Unsecured" means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance. The rule applies to both covered entities and their business associates, ensuring transparency and accountability when health data is compromised. It was created under the HITECH Act of 2009, issued first as an interim final rule, and finalized in the 2013 HIPAA Omnibus Rule, which also replaced the original "significant risk of harm" standard with a presumption that any impermissible use or disclosure of PHI is a breach unless the entity documents, through a risk assessment covering the nature of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation, a low probability that the PHI has been compromised.
The rule requires three types of notification depending on the scale of the breach, all measured from the date of discovery, which is the first day the breach is known to the entity or, by exercising reasonable diligence, would have been known to it. Individual notification must be provided to each affected person without unreasonable delay and in no case later than 60 calendar days after discovery; the 60 days is an outer limit, not a grace period. Notice is delivered by first-class mail, or by email if the individual has agreed to electronic notice; where contact information is insufficient for 10 or more individuals, substitute notice must be provided by a conspicuous posting on the entity's website for 90 days or through major print or broadcast media, including a toll-free number. For breaches involving more than 500 residents of a single state or jurisdiction, prominent media outlets serving that area must also be notified within the same 60-day period. The Secretary of HHS must be notified as well: for breaches affecting 500 or more individuals, at the same time as individual notice and within 60 days of discovery; for breaches affecting fewer than 500 individuals, the entity keeps a log and submits it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery, so the covered entity's own clock can begin running before it has heard from its vendor.
Failure to comply with the Breach Notification Rule can result in substantial penalties under the HIPAA Enforcement Rule. As originally set by HITECH, penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for all violations of an identical provision; these amounts are adjusted for inflation each year, so current figures are higher. Beyond financial penalties, breaches affecting 500 or more individuals are posted publicly on the HHS Office for Civil Rights breach portal, commonly called the "Wall of Shame," creating significant reputational damage. Organizations can avoid triggering the notification obligations only when the PHI involved was secured under the HHS guidance: encrypted in a manner consistent with the NIST standards the guidance references, or destroyed so that it cannot be read or reconstructed. Encrypted PHI counts as secured only if the decryption key was not also compromised, which is why the guidance expects keys to be kept on a separate device or in a separate location from the data; a lost laptop with full-disk encryption and the passphrase taped to the lid is still a breach of unsecured PHI. Entities must also keep the documentation showing either that notification was made or that the risk assessment supported a low probability of compromise, because the burden of proof rests with the entity.