Risk & Audits

Breach Notification Requirements

When unsecured protected health information (PHI) is compromised, the HIPAA Breach Notification Rule sets out who must be told and how quickly. Understanding these obligations in advance is essential, because the clock starts at discovery, not when the investigation finishes.

What counts as a breach

A breach is, generally, an impermissible use or disclosure of PHI that compromises its security or privacy. The rule focuses on unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable through methods such as encryption or proper destruction consistent with HHS guidance.

The encryption safe harbor: If the affected PHI was properly encrypted (and the key was not compromised) or properly destroyed, the incident generally is not a reportable breach. This is one of the strongest practical reasons to encrypt.

The presumption and the four-factor assessment

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI was compromised, based on a risk assessment of at least four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom it was disclosed.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the PHI has been mitigated.

If the assessment cannot show a low probability of compromise, notification is required. Some situations are excluded from the breach definition, such as certain good-faith, unintentional acquisitions by workforce members.

Who must be notified, and when

Recipient              Timing
---------------------  ------------------------------------------------------------------------------------------------------------
Affected individuals   Without unreasonable delay, no later than 60 days after discovery
HHS (Secretary)        Breaches of 500+ individuals: without unreasonable delay, within 60 days. Smaller breaches: log and report annually.
Media                  For breaches affecting 500+ residents of a state or jurisdiction: notify prominent media outlets

Business associates

A business associate that discovers a breach must notify the covered entity, generally without unreasonable delay and no later than 60 days after discovery. The business associate agreement should specify the details. The covered entity typically remains responsible for notifying individuals unless the parties agree otherwise.

What notices must include

Individual notices must, to the extent possible, describe what happened, the types of information involved, steps individuals should take to protect themselves, what the organization is doing to investigate and mitigate, and how to ask questions. Written notice by first-class mail (or email if the individual agreed) is the default method.

Preparing before an incident

Because the timelines are tight, organizations should prepare in advance:

State laws may impose additional or stricter breach notification duties, so coordinate HIPAA obligations with applicable state requirements.

When the clock starts

A frequent source of error is misjudging when the 60-day window begins. Under the rule, a breach is treated as discovered on the first day it is known to the organization, or would have been known had the organization exercised reasonable diligence. Knowledge of a workforce member or agent is generally imputed to the organization. This means the clock does not wait for the investigation to conclude; it starts at discovery. Notifications must be made without unreasonable delay and within the outer limit, so organizations should begin the four-factor assessment and notification preparation immediately rather than treating the 60-day limit as the target date.

Substitute notice and contact information

The rule anticipates that an organization may lack current contact information for some affected individuals. When written notice cannot be delivered because contact information is insufficient or out of date, the rule provides for substitute notice, which can include posting on the organization's website for a defined period or notifying major media, along with a toll-free number, depending on how many individuals are affected. Keeping contact information reasonably current and knowing the substitute-notice options in advance helps an organization meet its obligations even when some notices bounce. As with every step, document the methods used and the reasoning, since that record is part of demonstrating compliance.