Compliance

HIPAA Breach Notification Rule: A Complete Guide for Covered Entities

What qualifies as a HIPAA breach, the 60-day notification rule, HHS reporting requirements, and how state breach laws interact with federal requirements.

March 9, 2026 · 7 min read · ShipSafer Team


When protected health information (PHI) is improperly accessed, disclosed, or used, covered entities face obligations under the HIPAA Breach Notification Rule — obligations that carry hard deadlines, specific notification content requirements, and civil money penalties for non-compliance. Getting this wrong is expensive. In 2023 alone, HHS OCR imposed over $4.1 million in fines related to breach notification failures.

This guide walks through what counts as a breach, who must be notified, when, and how state law fits in.

What Qualifies as a HIPAA Breach

Under 45 CFR § 164.402, a breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.

That definition is broad. It includes:

  • A workforce member accessing a patient's records out of curiosity, without a treatment justification
  • A misdirected fax or email containing PHI to the wrong recipient
  • A ransomware attack that encrypts systems containing PHI
  • A misconfigured cloud storage bucket exposing PHI to the public
  • A vendor losing an unencrypted laptop containing PHI

However, three exceptions exist. An impermissible use or disclosure that falls within one of them is not treated as a breach, but only if the covered entity can demonstrate that the exception applies:

Exception 1: Unintentional access by a workforce member
An employee accidentally accesses PHI while performing their job duties, and there is no further use or disclosure. Example: a nurse opens the wrong patient record, immediately realizes the mistake, and closes it.

Exception 2: Inadvertent disclosure to another authorized person
A disclosure of PHI from one authorized person to another authorized person within the same covered entity or organized health care arrangement, where the recipient is not reasonably able to retain the information.

Exception 3: Good faith belief that the unauthorized person could not have retained the information
A covered entity reasonably believes the unauthorized person who received the PHI could not have retained it. This is rarely applicable and should not be assumed without analysis.

The Presumption of Breach and the Risk Assessment

Here is where many covered entities make mistakes: unless an exception clearly applies, any impermissible disclosure is presumed to be a reportable breach. The only way to overcome this presumption is to perform a documented risk assessment demonstrating that there is a low probability that PHI was compromised.

The risk assessment must consider four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

If you cannot demonstrate low probability across all four factors, you have a reportable breach. Document everything — the analysis, who conducted it, what evidence was reviewed, and the conclusion. This documentation is your defense in an OCR investigation.

Notification Requirements: The 60-Day Rule

The most critical deadline in the Breach Notification Rule is the 60-day rule: covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after the discovery of a breach.

Discovery occurs when any workforce member (other than the person responsible for the breach) first knows or should have known of the breach. The clock starts then — not when you finish your investigation.

Notifying Affected Individuals

Individual notices must be sent by first-class mail to the last known address. Email is permitted if the individual has agreed to electronic communication. If contact information is insufficient or out of date, substitute notice is required (posting on your website for 90 days, or notice in major print or broadcast media).

The notification must include:

  • A brief description of what happened, including the date of the breach and the date of discovery (if known)
  • A description of the types of unsecured PHI involved (e.g., names, Social Security numbers, dates of birth, diagnosis codes)
  • Steps individuals should take to protect themselves
  • A brief description of what you are doing to investigate the breach, mitigate harm, and prevent future occurrences
  • Contact information for affected individuals to ask questions (typically a dedicated toll-free number)

Notifying Business Associates

If a business associate discovers a breach, they must notify the covered entity without unreasonable delay and within 60 days of discovery. The covered entity's 60-day clock starts when the covered entity is notified, not when the BA discovered the breach — but only if the BA notifies the CE in a timely manner. If the BA delays unreasonably, the CE may still bear liability.

Reporting to HHS

Breaches Affecting 500 or More Individuals

For large breaches, covered entities must notify HHS contemporaneously with individual notification — meaning within 60 days of discovery. HHS publishes these on its public breach portal (commonly called the "Wall of Shame"), which is searchable by anyone.

Notification is submitted through the HHS OCR breach reporting portal at ocrportal.hhs.gov.

Breaches Affecting Fewer Than 500 Individuals

For small breaches, covered entities must maintain a log and report all breaches to HHS annually. The annual report must be submitted no later than 60 days after the end of the calendar year in which the breaches occurred. This means breaches discovered in 2025 must be reported to HHS by March 1, 2026.

Media Notification

For breaches affecting 500 or more residents of a state or jurisdiction, covered entities must also notify prominent media outlets serving that state. This requirement exists regardless of whether the affected individuals are notified directly.

State Breach Notification Laws

HIPAA preempts state law only when state law is less protective. Many states have breach notification laws that are more stringent than HIPAA in one or more ways:

  • Shorter timelines: California, Florida, and several other states require notification within 30 days — half the HIPAA window. New York requires notification "in the most expedient time possible" but no later than 30 days.
  • Broader definitions of personal information: Some state laws cover categories like biometric data, medical information, or login credentials that may not be PHI under HIPAA.
  • Regulator notification: Many states require notification to the state attorney general, not just HHS.

Covered entities with patients or members across multiple states must track applicable state law for each affected individual. This is one of the strongest arguments for engaging legal counsel before sending breach notifications.
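The deadlines above interact: the discovery clock, the business-associate hand-off, the 500-individual threshold for HHS and media notice, and the shorter state windows all have to be tracked per affected population. The following deadline calculator is an added illustration written for this guide, not ShipSafer's or any regulator's tool. It assumes a constructed state table that contains only the states this article names (California, Florida and New York at 30 days) and falls back to the HIPAA window for every other state; the sample breach facts are constructed as well. Treat the table as a placeholder to be replaced with counsel-verified statutes.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Windows stated in the article. The state table is a constructed illustration
# built only from the states the article names; every other state falls back
# to the HIPAA window here, which is an assumption to be verified by counsel.
HIPAA_WINDOW_DAYS = 60
LARGE_BREACH_THRESHOLD = 500  # triggers contemporaneous HHS notice and media notice
STATE_WINDOW_DAYS: Dict[str, int] = {"CA": 30, "FL": 30, "NY": 30}


@dataclass
class BreachFacts:
    discovered_on: date                    # first discovery by CE or BA workforce
    affected_by_state: Dict[str, int]      # state code -> individuals affected
    discovered_by_ba: bool = False
    ce_notified_on: Optional[date] = None  # date the BA told the covered entity


@dataclass
class Deadlines:
    clock_start: date
    individual: date                       # individual notice, HIPAA window
    by_state: Dict[str, date]              # shorter of state window and HIPAA window
    hhs: date
    hhs_mode: str                          # "contemporaneous" or "annual-log"
    media: Dict[str, date]                 # states with 500+ affected residents
    warnings: List[str] = field(default_factory=list)


def annual_log_deadline(year: int) -> date:
    """Small-breach HHS report: 60 days after the end of the calendar year."""
    return date(year, 12, 31) + timedelta(days=HIPAA_WINDOW_DAYS)


def compute_deadlines(facts: BreachFacts) -> Deadlines:
    warnings: List[str] = []
    clock_start = facts.discovered_on

    if facts.discovered_by_ba:
        if facts.ce_notified_on is None:
            warnings.append("BA has not notified the CE yet; clock assumed to run from BA discovery")
        elif (facts.ce_notified_on - facts.discovered_on).days <= HIPAA_WINDOW_DAYS:
            # Timely BA notice: the covered entity's clock starts on the notice date.
            clock_start = facts.ce_notified_on
        else:
            warnings.append("BA notified the CE late; clock conservatively run from BA discovery")

    individual = clock_start + timedelta(days=HIPAA_WINDOW_DAYS)

    # Each affected individual gets the stricter of HIPAA and their state's window.
    by_state = {
        st: clock_start + timedelta(days=min(HIPAA_WINDOW_DAYS, STATE_WINDOW_DAYS.get(st, HIPAA_WINDOW_DAYS)))
        for st in facts.affected_by_state
    }

    total = sum(facts.affected_by_state.values())
    if total >= LARGE_BREACH_THRESHOLD:
        hhs, hhs_mode = individual, "contemporaneous"
    else:
        hhs, hhs_mode = annual_log_deadline(clock_start.year), "annual-log"

    # Media notice is per state, once 500 or more residents of that state are affected.
    media = {st: individual for st, n in facts.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD}

    return Deadlines(clock_start, individual, by_state, hhs, hhs_mode, media, warnings)


if __name__ == "__main__":
    # Constructed scenario: misdirected export discovered 2025-03-10, 625 people in three states.
    facts = BreachFacts(date(2025, 3, 10), {"CA": 600, "TX": 20, "NY": 5})
    d = compute_deadlines(facts)
    print("individual notice by:", d.individual)
    for st, when in sorted(d.by_state.items()):
        print(f"  {st}: {when}")
    print("HHS:", d.hhs, f"({d.hhs_mode})", "| media:", d.media)
```

The state-level deadline is always the earlier of the two windows, so a 600-person California exposure discovered on March 10 yields an April 9 deadline for Californians even though HIPAA alone would allow until May 9; the Texans in the same incident keep the May 9 date. Feeding the calculator the breach log entries for a year also reproduces the article's March 1 annual-report date for small breaches discovered in 2025.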

Penalties for Late or Missing Notification

HHS OCR has the authority to impose civil money penalties (CMPs) for Breach Notification Rule violations. Penalties are tiered:

Tier                          | Per violation     | Annual cap
Did not know                  | $100–$50,000      | $25,000
Reasonable cause              | $1,000–$50,000    | $100,000
Willful neglect, corrected    | $10,000–$50,000   | $250,000
Willful neglect, not corrected| $50,000           | $1,500,000

Late notification is treated as willful neglect if HHS finds the covered entity was aware of the breach and failed to act. A 2022 settlement of $875,000 with a health system related to breach notification failures illustrates that OCR actively pursues these cases.

Building a Breach Response Process

Given the tight timelines and documentation requirements, waiting until a breach happens to figure out your process is too late. At minimum, covered entities should have:

  1. A written breach response plan identifying the team (privacy officer, legal counsel, IT, communications)
  2. A pre-drafted risk assessment template aligned to the four OCR factors
  3. Notification letter templates (individual, media, HHS) approved by legal
  4. A breach log for small incidents
  5. Pre-established relationships with forensic investigators and outside legal counsel with HIPAA experience

Test your process annually with a tabletop exercise simulating a realistic scenario — a ransomware attack or a misdirected patient email are good starting points.
