Summary of the HIPAA Breach Notification Rule

45 CFR § 164.530

A summary of the HIPAA Breach Notification Rule can help covered entities and business associates ensure that their policies and procedures for responding to a breach of PHI comply with the requirements of HIPAA, and with the requirements of state breach notification laws where the state law sets a shorter notification period than HIPAA.

The Health Insurance Portability and Accountability Act of 1996 is an important piece of legislation for the healthcare sector, yet many healthcare companies and insurance companies are not aware of their HIPAA obligations, particularly those concerning the HIPAA Breach Notification Rule. There has been substantial criticism of healthcare companies and insurance agencies lately over how quickly persons impacted by data breaches are alerted that their medical and personal data have been stolen, lost or exposed to an unauthorized person. Considering the recent increase in the volume of HIPAA data breaches, a summary of the essential aspects of the HIPAA Breach Notification Rule is necessary. It can help healthcare companies respond swiftly to data breaches and remain HIPAA-compliant.

HIPAA Rules establish standards that healthcare organizations and other covered entities are required to follow in order to reduce the risk of patient data exposure; nevertheless, even with the most advanced data security programs, it is not impossible for unauthorized people to gain access to computer systems. Consider the recent hack of the Pentagon's Twitter account, which shows that no entity is immune to attack. If your company has experienced a data breach, the measures that need to be taken are determined by the nature of the data exposed and the number of people affected.

For Breaches Impacting Over 500 Individuals

If a data breach happens which compromises the PHI of over 500 people, the Department of Health and Human Services' Office for Civil Rights must be notified "without unreasonable delay", and in any case within 60 days of the breach being discovered. The report must be submitted using the OCR Breach reporting web portal. All affected individuals must also receive Breach Notification letters.

Issuing Breach Notification Via the Media

A notable media source in the state where the victims live must be informed of data breaches impacting over 500 people, and that notice must be issued within 60 days of the discovery of the data breach.

Publishing Breach Information on the Provider’s Web Portal

Although it is not compulsory to post details about the breach on the organization's website for all data breaches, if over 10 people cannot be reached because of incomplete or outdated contact details, a notice must be posted conspicuously on the organization's website for 90 days. If the organization does not choose this method of notification, it must publish the breach information using major print and broadcast media. The published material must include a toll-free telephone number so that breach victims can contact the organization for more information.

For Breaches Impacting Less than 500 Individuals

Data breaches affecting fewer than 500 people require notifications to be issued to all affected people without unreasonable delay, and no later than 60 days from the discovery of the data breach. There is no need to inform the media of these small-scale data breaches, even if Social Security numbers and healthcare patient data have been compromised.

The Department of Health and Human Services' Office for Civil Rights must be informed of all data breaches affecting fewer than 500 records within 60 days from the beginning of the new calendar year. For example, a data breach that happens on January 1 does not have to be submitted to the OCR until March 2nd of the following year.

For Data Breaches that Business Associates are Responsible For

Any Business Associate that finds out it is responsible for a breach of PHI must alert the covered entity to the incident within 60 days of the discovery of the breach. Efforts must be made to determine which people were impacted and what information was exposed in the incident.

Issuance of Breach Notification Letters

If a breach does take place, all covered entities, including their Business Associates, are obligated to inform all affected people that their PHI has been disclosed, whether as a result of a hacking incident, a missing laptop or mobile phone, or any other device that held unencrypted PHI. Paper records, x-ray films and other physical records of PHI are also covered by the HIPAA Breach Notification Rule. The loss, theft or disclosure of these physical records also calls for the notification of the affected individuals.

Breach notification letters must be sent by first class mail, although where individuals have consented to receive communications by email, email is an acceptable method of communication. The notification letters should contain details such as the information that was most likely compromised, a description of what the company did in response to the data breach, information about the efforts made to mitigate harm or loss, and the steps that the affected individuals can take to minimize their risk.

The healthcare service provider, Health Plan, Business Associate or other HIPAA covered entity must send breach notification letters if there is a risk that PHI has been viewed, or could have been viewed. Breach notification letters may be sent without first performing a risk assessment, but the decision not to send notification letters may only be made after a thorough risk assessment. The risk assessment should cover these points:

  • The type of data compromised and the probability of identifying a patient or plan member based on the data
  • The individual who has viewed the data and has disclosed the information
  • The likelihood of PHI being accessed, read and/or shared
  • The level to which any possible damage has been mitigated

If a portable device or desktop computer is lost or stolen, it is regarded as a HIPAA breach, and calls for breach notification letters to be issued, only if the PHI stored on the device, or accessible through it, is not encrypted. In the event of theft or loss of an encrypted device, breach notification letters must be sent only if the security key was also lost or stolen.

Note that password protection is not the same as data encryption. In the case of lost or stolen devices that contain password-protected PHI, breach notifications must be issued.

Documenting the Actions Taken

All covered entities must keep a record of all actions taken following a data breach, as these may be requested by OCR auditors. All details included in the breach notification letters sent to affected individuals must be recorded, together with proof that the letters were actually sent.

If breach notification letters are deemed not to be necessary, the reasoning behind this decision, together with the evidence supporting it, must be documented.

Penalties for Violating the HIPAA Breach Notification Rule

Failure to send breach notification letters within 60 days of the discovery of a breach violates the HIPAA Breach Notification Rule and can be penalized by OCR and state attorneys general. The maximum fine for non-compliance with the rule is $1.5 million per violation category, per calendar year.

Although the HIPAA Breach Notification Rule says that notices must be sent within 60 days of the discovery of a breach, unnecessarily delaying the issuance of breach notifications also violates the HIPAA Breach Notification Rule and can result in a financial penalty. One such case occurred in 2017, when OCR pursued a case against Presence Health for unnecessarily delaying the issuance of breach notification letters. Presence Health became aware of the breach on October 22, 2013, yet OCR was not notified until January 31, 2014. Presence Health paid a settlement of $475,000.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through or