
HIPAA Breach Notification Rule

Complete guide to breach notification requirements under 45 CFR 164.400-414. Learn the 60-day rule, 2025 updates to 72-hour reporting, and how to properly respond to PHI breaches.

What is a Breach Under HIPAA?

A breach is the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.

45 CFR 164.402

A breach is presumed to have occurred unless the covered entity or business associate demonstrates through a risk assessment that there is a low probability that the PHI has been compromised.

Examples of Breaches

  • Stolen laptop with unencrypted ePHI
  • Ransomware attack encrypting patient records
  • Mailing PHI to wrong patient
  • Lost backup tape with patient data
  • Unauthorized employee snooping in records

Not Breaches (if documented)

  • Unintentional disclosure to a colleague who did not view the PHI
  • Encrypted device lost or stolen (with the decryption key not compromised)
  • Good-faith access by a workforce member acting within the scope of their authority
  • Information the recipient could not reasonably have retained

The Four-Factor Risk Assessment Test

Use this test to determine whether an impermissible use or disclosure constitutes a reportable breach.

Factor 1: Nature and Extent of PHI

Questions to Ask:

  • What types of PHI were involved (e.g., names, SSNs, diagnoses)?
  • How many individuals were affected?
  • Is the PHI sensitive (e.g., HIV status, mental health, substance abuse)?
  • How much detail was included in the disclosed information?

Key Consideration: More detailed and sensitive PHI increases the risk of harm.

Factor 2: Unauthorized Person

Questions to Ask:

  • Who is the person or entity that impermissibly accessed the PHI?
  • Are they another covered entity or business associate?
  • Do they have a legitimate need to know some health information?
  • What is their relationship to the covered entity?

Key Consideration: Disclosure to another healthcare provider poses less risk than disclosure to unknown third parties.

Factor 3: Actually Acquired or Viewed

Questions to Ask:

  • Was the PHI actually acquired or just potentially accessed?
  • Is there evidence the information was viewed or copied?
  • Was the disclosure intentional or accidental?
  • How long was the PHI exposed or accessible?

Key Consideration: Brief, inadvertent disclosures where PHI was not actually viewed pose lower risk.

Factor 4: Extent of Mitigation

Questions to Ask:

  • What actions were taken to mitigate the breach?
  • Was the information retrieved or destroyed?
  • Did the recipient agree to confidentiality?
  • What assurances were received that PHI won't be misused?

Key Consideration: Successful mitigation efforts can reduce the likelihood of harm and may exempt the incident from notification requirements.

Who to Notify and When

Once you determine a breach has occurred, you must notify individuals, HHS, and potentially media outlets.

Affected Individuals

Within 60 days of discovery

Method: Written notice by first-class mail (or email if patient agreed)

Required Content:

  • Brief description of what happened
  • Types of PHI involved
  • Steps individuals should take to protect themselves
  • What the covered entity is doing to investigate and mitigate
  • Contact procedures for questions

Department of Health & Human Services (HHS)

Breaches affecting 500+ people: within 60 days of discovery
Breaches affecting fewer than 500 people: annually (within 60 days of the end of the calendar year in which the breach was discovered)

Method: Online portal submission to OCR

Required Content:

  • Number of individuals affected
  • Brief description of breach
  • Date of breach discovery
  • Types of PHI involved
  • Steps taken in response

Media Outlets

Within 60 days (only if 500+ residents of a state or jurisdiction affected)

Method: Notice to prominent media outlets serving the area

Required Content:

  • Same content as the individual notification
  • Serves to reach affected individuals in the area
  • Contact major newspapers, TV, and radio stations serving the area
  • Document all media notifications sent

2025 Update: 72-Hour Notification

The proposed 2025 HIPAA Security Rule updates would reduce the HHS notification timeline from 60 days to 72 hours for breaches affecting 500 or more individuals. This matches GDPR requirements and reflects the urgency of modern cybersecurity incidents. Prepare your breach response procedures now to meet this accelerated timeline.
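To make the thresholds and deadlines above concrete, the following Python example (added here, not part of the guide) computes the notification recipients and deadlines for a constructed incident record. The BreachRecord type, the per-jurisdiction counts, the sample records, and the accelerated_hhs flag for the proposed 72-hour timeline are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BreachRecord:
    """Constructed incident record (assumption of this example)."""
    discovered: datetime
    affected_by_jurisdiction: dict  # e.g. {"TX": 620, "OK": 40}


def total_affected(rec: BreachRecord) -> int:
    return sum(rec.affected_by_jurisdiction.values())


def notification_plan(rec: BreachRecord, accelerated_hhs: bool = False) -> dict:
    """Return who must be notified and by when, per the rule as the guide states it.

    accelerated_hhs=True applies the proposed 72-hour HHS timeline for
    500+ breaches in place of the current 60-day timeline.
    """
    total = total_affected(rec)
    plan = {}
    # Affected individuals (164.404): always, within 60 days of discovery.
    plan["individuals"] = rec.discovered + timedelta(days=60)
    # HHS (164.408): 500+ within 60 days (or 72 hours if accelerated);
    # fewer than 500 go on the annual log due 60 days after year-end.
    if total >= 500:
        window = timedelta(hours=72) if accelerated_hhs else timedelta(days=60)
        plan["hhs"] = rec.discovered + window
    else:
        year_end = datetime(rec.discovered.year, 12, 31)
        plan["hhs"] = year_end + timedelta(days=60)
    # Media (164.410): only jurisdictions where 500+ residents were affected.
    plan["media"] = sorted(
        j for j, n in rec.affected_by_jurisdiction.items() if n >= 500
    )
    return plan


# Constructed sample records for demonstration.
SAMPLE_LARGE = BreachRecord(datetime(2025, 3, 10, 9, 0), {"TX": 620, "OK": 40})
SAMPLE_SMALL = BreachRecord(datetime(2025, 3, 10, 9, 0), {"TX": 120})

if __name__ == "__main__":
    for name, rec in (("large", SAMPLE_LARGE), ("small", SAMPLE_SMALL)):
        print(name, notification_plan(rec))
```

Note that the plan only covers the notification step; whether the incident is a reportable breach at all is decided first by the four-factor assessment above.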

Step-by-Step Breach Response Process

Follow these steps to properly respond to a data breach incident.

1. Immediate Response

Contain the breach and prevent further unauthorized access.

Timing: Immediately upon discovery

  • Stop the unauthorized access or disclosure
  • Secure the affected systems or locations
  • Preserve evidence for investigation
  • Alert leadership and the security team

2. Conduct Risk Assessment

Evaluate whether the incident constitutes a reportable breach under HIPAA.

Timing: Within 24-48 hours

  • Apply the four-factor risk assessment test
  • Document the nature and extent of PHI involved
  • Determine who accessed or acquired the information
  • Assess the likelihood of re-identification
  • Evaluate whether PHI was actually acquired or viewed

3. Document Everything

Create comprehensive records of the incident, investigation, and response.

Timing: Ongoing throughout the response

  • Document the timeline of events
  • Record all investigative findings
  • Maintain copies of all notifications sent
  • Keep risk assessment documentation
  • Retain records for at least 6 years

4. Notify Affected Parties

Send required notifications to individuals, HHS, and media if applicable.

Timing: Within 60 days of discovery (72 hours under the 2025 updates)

  • Draft notification letters with the required content
  • Send individual notifications via mail or email
  • Submit the breach report to HHS via the portal
  • Notify media outlets if 500+ affected in one state or jurisdiction
  • Track all notification delivery confirmations

5. Mitigate Harm

Take steps to reduce potential harm to affected individuals.

Timing: Immediately and ongoing

  • Offer credit monitoring or identity protection services
  • Provide resources for protecting personal information
  • Answer individual questions and concerns
  • Monitor for misuse of the disclosed information

6. Prevent Recurrence

Implement corrective actions to prevent similar breaches.

Timing: Within 30-90 days

  • Update policies and procedures
  • Implement additional security controls
  • Conduct additional staff training
  • Review and strengthen technical safeguards
  • Update Business Associate Agreements if needed

HIPAA Regulatory References

45 CFR 164.402

Definitions - What constitutes a breach

45 CFR 164.404

Notification to individuals (60-day rule)

45 CFR 164.408

Notification to HHS

45 CFR 164.410

Notification to media (500+ in state/jurisdiction)

45 CFR 164.414

Administrative requirements and burden of proof
