Overview of the Breach Notification Rule
The HIPAA Breach Notification Rule, added by the HITECH Act of 2009 and finalized in the Omnibus Rule of 2013, requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. The Rule establishes a presumption that any impermissible use or disclosure of PHI is a breach unless the covered entity or business associate demonstrates through a four-factor risk assessment that there is a low probability the PHI has been compromised.
What Is a Breach?
Under the Breach Notification Rule, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Three exceptions exist that do not constitute breaches:
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate, if made in good faith and within the scope of authority, and the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule
- Inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity (or the same organized health care arrangement), provided the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule
- A good-faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information
The Rule applies only to unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction in accordance with HHS guidance (which points to the NIST standards for encrypting data at rest and in transit and for media sanitization). Properly encrypted data that is lost or stolen does not trigger breach notification obligations, but only if the decryption key was not also compromised; a stolen laptop with full-disk encryption whose passphrase was taped to the lid, or a database whose encryption key was exposed alongside the data, does not qualify for this safe harbor.
The Four-Factor Risk Assessment
To determine whether an impermissible use or disclosure constitutes a notifiable breach, covered entities and business associates must conduct and document a risk assessment that considers at least the following four factors:
- Nature and extent of the PHI involved — including the types of identifiers and the likelihood of re-identification
- Who accessed or could have accessed the PHI — whether the recipient was someone who would be unlikely to be able to retain or use the information
- Whether the PHI was actually acquired or viewed — or whether only the opportunity existed for exposure without actual access
- Extent to which risk to the PHI has been mitigated — such as through satisfactory assurances from the recipient that they destroyed the information without further use or disclosure
If this analysis cannot demonstrate a low probability of compromise, the incident must be treated as a breach requiring notification.
Notification to Individuals
Covered entities must notify each affected individual of a breach without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. A breach is treated as discovered on the first day it is known to the covered entity, or by exercising reasonable diligence would have been known, and knowledge is imputed from any workforce member or agent other than the person who committed the breach; the 60 days are an outer limit, not a grace period, and waiting until day 60 without cause can itself be an unreasonable delay. The notification must be written in plain language and include:
- A brief description of what happened, including the date of the breach and the date of discovery
- A description of the types of unsecured PHI involved
- Any steps individuals should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate, mitigate harm, and prevent future breaches
- Contact procedures for asking questions, including a toll-free telephone number, email address, website, or postal address
Notifications must generally be provided by first-class mail to the last known address of the individual. Email may be used if the individual has agreed to receive communications by email. Where contact information is out of date or insufficient, substitute notice is required: for fewer than 10 such individuals, an alternative form of written notice, telephone, or other means may be used; for 10 or more, the covered entity must either post a conspicuous notice on the home page of its website for at least 90 days or publish notice in major print or broadcast media serving the area where the affected individuals likely reside, and in either case must include a toll-free telephone number that remains active for at least 90 days. Where the breach may lead to imminent misuse of the PHI, the covered entity may also notify individuals by telephone or other means, in addition to the written notice.
Notification to HHS
Covered entities must notify HHS of all breaches. The timing and method depend on the size of the breach:
- Breaches affecting 500 or more individuals must be reported to HHS contemporaneously with individual notification — within 60 days of discovery.
- Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered (not the year in which they occurred). The log must be retained, along with the documentation of each risk assessment, for six years.
HHS maintains a public list of breaches affecting 500 or more individuals — commonly called the "Wall of Shame."
Notification to the Media
For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must notify prominent media outlets serving that state or jurisdiction. This notification must also be provided without unreasonable delay and no later than 60 days after discovery, and it must contain the same information as the individual notification.
Business Associate Obligations
Business associates must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days from discovery, with discovery measured against the business associate's own knowledge under the same reasonable-diligence standard. The notification must identify each individual whose PHI was or is reasonably believed to have been affected and provide any other information the covered entity needs for its own notifications, supplemented as it becomes available. Two caveats matter in practice: where the business associate acts as an agent of the covered entity, its discovery date is imputed to the covered entity, so the covered entity's 60-day clock starts when the business associate discovers the breach rather than when it reports it; and business associate agreements commonly impose much shorter reporting windows than the regulatory maximum. The covered entity retains ultimate responsibility for providing notification to individuals, HHS, and the media, unless it has delegated that task to the business associate by contract.