HIPAA Breach Notification Rule — Complete Guide to What Triggers Notification and When
TL;DR
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. Notification is presumed required unless a four-factor risk assessment demonstrates a low probability that the PHI was compromised. The 60-day notification clock starts on the date of discovery — not the date your investigation concludes.
A complete guide to the HIPAA Breach Notification Rule — what constitutes a breach, the four-factor risk assessment, who must be notified, and exactly when notifications are due.
The HIPAA Breach Notification Rule — codified at 45 CFR §§164.400 through 164.414 — establishes the legal framework for how covered entities and business associates must respond when protected health information is compromised. Understanding this rule is not optional: failure to notify correctly and on time is an independent HIPAA violation that stacks on top of any penalties for the underlying breach.
What the Breach Notification Rule requires
At its core the rule requires covered entities to provide notification following a breach of unsecured PHI. The obligation has three components that must each be met: the right recipients must be notified, with the right content, within the required timeframe.
45 CFR §164.400. The rule applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and to their business associates. Since the HITECH Omnibus Final Rule took effect in 2013, business associates are directly liable under HIPAA for their own violations, including breach notification failures.
The presumption standard — why notification is the default
Before the 2013 Omnibus Rule, under the 2009 interim final rule's "harm standard," covered entities only had to notify if a breach posed a significant risk of financial, reputational, or other harm to the individual. That standard proved difficult to apply consistently and was widely criticized for allowing underreporting.
The Omnibus Rule replaced it with a presumption standard: any impermissible use or disclosure of unsecured PHI is presumed to be a breach requiring notification — unless the covered entity or business associate can demonstrate through a documented four-factor risk assessment that there is a low probability the PHI was compromised.
45 CFR §164.402. This is a meaningful shift. Under 45 CFR §164.414(b) the burden of proof falls on the organization to demonstrate that notification was not required (or that all required notifications were made), not on OCR to prove that it was. When in doubt, the rule presumes notification is required.
What qualifies as a breach
A breach has three required elements:
1. An impermissible acquisition, access, use, or disclosure — handling of PHI in a manner not permitted by the HIPAA Privacy Rule. This includes unauthorized access by workforce members, disclosures to unauthorized third parties, system intrusions, misdirected faxes and emails, and lost or stolen devices containing PHI.
2. Of unsecured PHI — PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption consistent with HHS guidance (which points to NIST standards) or through destruction (shredding paper, or media sanitization per NIST SP 800-88). Breached PHI that was encrypted in this way is not a notifiable breach under the encryption safe harbor, but only if the decryption key was not also compromised. A stolen laptop with full-disk encryption whose passphrase was on a sticky note attached to it does not qualify.
3. That compromises the security or privacy of the PHI — assessed through the four-factor risk assessment, unless one of the three exceptions applies.
The three breach exceptions
Three narrow categories of impermissible uses or disclosures are excluded from the breach definition entirely. If an exception applies, no notification is required — but the determination and supporting facts must be documented.
Exception 1 — Unintentional acquisition by authorized workforce member
An unintentional acquisition, access, or use of PHI by a workforce member acting in good faith and within the scope of their authority, if the PHI is not further used or disclosed impermissibly.
Example: A nurse accidentally opens an email containing another patient's records, realizes the error, and closes it without reading or forwarding the content.
Exception 2 — Inadvertent disclosure between authorized persons
An inadvertent disclosure of PHI between two people who are both authorized to access PHI at the same covered entity or business associate, if the PHI is not further used or disclosed impermissibly.
Example: A physician accidentally sends a patient summary to the wrong provider within the same health system, and the recipient immediately notifies the sender and does not use or disclose the information.
Exception 3 — Inability to retain
A disclosure to an unauthorized person where the covered entity or business associate has a good-faith belief that the unauthorized person could not reasonably have retained the information.
Example: A fax containing patient records is sent to the wrong number. The covered entity immediately calls the recipient, who confirms they destroyed the fax without reading it and provides written confirmation.
Warning
These exceptions are interpreted narrowly. Exception 3 can apply to a misdirected paper fax or a mis-delivered envelope where the recipient can credibly confirm immediate destruction or return; it is far more difficult to apply to electronic disclosures, where data can be retained without any action by the recipient (mail servers, backups, caches). Never rely on an exception without documented supporting facts and legal review.
The four-factor risk assessment
When no exception applies, covered entities and business associates must conduct a documented four-factor risk assessment to determine whether there is a low probability that the PHI was compromised.
45 CFR §164.402, paragraph (2) of the definition of "breach".
Factor 1 — Nature and extent of PHI involved. What types of identifiers were included? How many individuals are affected? What categories of health information were involved? PHI including Social Security numbers, financial data, or sensitive diagnoses (HIV, mental health, substance use disorder) carries higher compromise risk than PHI with fewer identifiers.
Factor 2 — Who accessed or could have accessed the PHI Is the unauthorized recipient known? What is their capacity to use the PHI harmfully? A disclosure to another covered entity carries lower risk than a disclosure to an unknown cybercriminal. A disclosure to a known individual who provides written confirmation of destruction carries lower risk than a disclosure where the recipient is unresponsive.
Factor 3 — Whether PHI was actually acquired or viewed. Is there forensic or other evidence that the PHI was actually accessed, or merely that access was possible? For system intrusions, forensic analysis (access logs, database query logs, network flow records) may confirm whether data was exfiltrated versus merely reachable. For physical documents, did the recipient confirm they did not read the contents? Note the direction of the burden: an absence of logs is not evidence of an absence of access. If logging was insufficient to establish what an intruder did, this factor cannot support a low-probability conclusion. HHS's 2016 ransomware guidance applies the same logic: ransomware encryption of ePHI is itself presumed to be a breach unless the four-factor assessment shows a low probability of compromise.
Factor 4 — Extent to which risk has been mitigated What steps has the covered entity taken to reduce the risk of harm? Retrieval of misdirected documents, signed confidentiality agreements from unauthorized recipients, disabling compromised access credentials, and forensic containment all contribute to risk mitigation.
The outcome: If the four-factor assessment supports a conclusion of low probability of compromise, breach notification is not required — but the assessment must be documented and retained for six years. If the assessment cannot support that conclusion, notification is required.
The four-factor assessment is not a formality — it is a documented legal determination that OCR may review during an investigation. Organizations that conduct superficial assessments or skip documentation face significant enforcement exposure even when their underlying conclusion was correct.
Notification requirements — covered entities
Individual notification
45 CFR §164.404. Covered entities must notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery.
Method: First-class mail to the individual's last known address. Email may be used if the individual has agreed to receive electronic notices. For deceased individuals, notify the next of kin or personal representative.
Substitute notice: When contact information is insufficient or out of date for fewer than 10 individuals, an alternative form of written notice, telephone, or other means may be used. For 10 or more individuals, substitute notice is required through either a conspicuous posting on the home page of the covered entity's website for at least 90 days, or notice in major print or broadcast media in the geographic area where affected individuals likely reside; in either case the substitute notice must include a toll-free number, active for at least 90 days, where individuals can learn whether their PHI was involved.
Content required:
- A brief description of what happened, including the date of the breach and the date of discovery
- A description of the types of PHI involved
- Steps the individual should take to protect themselves
- A brief description of what the covered entity is doing to investigate, mitigate harm, and prevent future occurrences
- Contact procedures for questions or additional information, which must include at least one of: a toll-free telephone number, an email address, a website, or a postal address
HHS notification
45 CFR §164.408. Breaches affecting 500 or more individuals: Report to HHS through the HHS breach portal contemporaneously with individual notification. These reports are posted publicly on the OCR breach portal (the "Wall of Shame") and routinely trigger OCR investigations.
Breaches affecting fewer than 500 individuals: Maintain a log of smaller breaches and submit an annual report to HHS no later than 60 days after the end of the calendar year in which the breaches occurred.
Media notification
45 CFR §164.406. For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must notify prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 days after discovery. The content requirements are the same as for individual notification.
Notification requirements — business associates
45 CFR §164.410. Business associates do not notify individuals directly unless the business associate agreement delegates that task to them. Their regulatory obligation is to notify the covered entity without unreasonable delay and no later than 60 days after discovery, where discovery for a business associate is the date the breach is known, or by exercising reasonable diligence would have been known, to the business associate.
The notification to the covered entity must include:
- The identity of each individual whose PHI was involved, to the extent known
- A description of the PHI involved
- A description of what happened
- Steps the business associate has taken to mitigate the breach
Check your BAA. Most BAAs impose shorter notification deadlines than the 60-day regulatory maximum — 72 hours and 30 days are common. Your contractual obligation controls where it is stricter than the regulation.
The 60-day clock — common misunderstandings
The single most common breach notification mistake is misunderstanding when the 60-day clock starts.
The clock starts on the date of discovery, defined as the first day on which the breach is known, or by exercising reasonable diligence would have been known, to the covered entity or business associate. Knowledge of any workforce member or agent (other than the person who committed the breach) is imputed to the organization. The clock does not start when:
- Your investigation concludes
- You confirm the full scope of the breach
- Your legal team finishes its review
- You determine that PHI was definitely accessed
If a front desk employee discovers a potential breach on Monday and does not tell the privacy officer until Friday, the clock started Monday — not Friday.
Warning
OCR has treated delayed discovery reporting within an organization as a compliance failure. Every workforce member must be trained to report potential incidents immediately. Internal reporting delays that compress the notification window are a compounding vulnerability.
State law — an additional layer
HIPAA breach notification requirements exist alongside state breach notification laws. State laws may impose:
- Shorter notification deadlines (several states require notification within 30 or 45 days of discovery, and some impose shorter deadlines for specific regulators or sectors)
- Broader definitions of personal information triggering notification
- Additional notification recipients such as state attorneys general
- Requirements to offer credit monitoring services to affected individuals
Covered entities must comply with both HIPAA and any applicable state law. HIPAA does not preempt state laws that are more stringent, so where state law is more protective you must satisfy both; in practice the shorter deadline and the broader recipient list control. Legal counsel familiar with your operating states should review your breach response procedures.
Documentation and retention
All breach response documentation must be retained for six years from the date of creation or the date it was last in effect — whichever is later.
45 CFR §164.530(j) (Privacy Rule documentation) and 45 CFR §164.316(b)(2) (Security Rule documentation) both impose the six-year requirement. Retain: the four-factor risk assessment and supporting evidence, copies of all notifications sent with delivery confirmation, the date and time of discovery and how it was determined, a complete breach response timeline, HHS portal submission confirmation, the annual small-breach log, and corrective action documentation.
The Breach Notification Rule is not primarily about punishment — it is about giving patients the information they need to protect themselves when their health information has been compromised. Organizations that approach breach response with genuine urgency and transparency consistently receive better treatment from OCR than those that delay, minimize, or conceal.
Sources & citations
- 45 CFR §§164.400-414 — Breach Notification Rule
- HHS OCR Breach Notification Guidance
- 45 CFR §164.402 — Definition of Breach
All content verified against official HHS guidance and the Code of Federal Regulations.
Frequently asked questions
What is the HIPAA definition of a breach?
What is unsecured PHI?
Who must be notified when a HIPAA breach occurs?
What are the three exceptions to the breach definition?
How long do covered entities have to notify after a breach?
What must breach notification letters to individuals contain?
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.