Data Breach

HIPAA Breach Notification Overview

TL;DR

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media within 60 days of discovering a breach of unsecured PHI. See our complete Breach Notification Rule guide for full coverage of all requirements.

Overview of the HIPAA Breach Notification Rule — what triggers notification, who must be notified, and when. See our complete guide for full coverage.

medcomply.ai editorial team · Published May 11, 2026 · Updated May 11, 2026 · 1 min read

The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification when unsecured Protected Health Information is breached.

We have published a complete guide to the HIPAA Breach Notification Rule covering the breach definition, four-factor risk assessment, all notification requirements, and deadlines. Read the full guide for complete coverage.

For complete coverage of all Breach Notification Rule requirements see our full guide: Understanding the HIPAA Breach Notification Rule.

Quick reference

Who must notify: Covered entities notify individuals, HHS, and media. Business associates notify the covered entity.

Deadline: 60 days from date of discovery — not from when your investigation concludes.

Presumption: Any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a four-factor risk assessment demonstrates low probability of compromise.

Threshold for immediate HHS reporting: 500 or more individuals affected.

Threshold for media notification: 500 or more residents of a state or jurisdiction.

For the complete analysis of each requirement including the four-factor assessment, all notification content requirements, business associate obligations, and state law considerations, see our complete Breach Notification Rule guide.

Sources & citations

  • 45 CFR §§164.400-414 — Breach Notification Rule

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

Where can I find the complete HIPAA breach notification guide?
See our complete guide: Understanding the HIPAA Breach Notification Rule — covering the breach definition, four-factor risk assessment, all notification requirements, and timelines.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.