HIPAA
February 1, 2026
6 min read

HIPAA Breach Notification: What You Must Do (Legal Requirements)

Complete guide to HIPAA breach notification requirements. You have 60 days. Here's exactly what you must do, when, and how to protect your practice.

A breach happened. You have 60 days. Here's exactly what you must do.

This guide covers all HIPAA breach notification requirements—what, when, and how to notify.

What is a HIPAA Breach?

A HIPAA breach is the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by HIPAA, which compromises the security or privacy of the PHI.

What Counts as a Breach?

Examples of breaches:

  • Lost or stolen laptop with unencrypted PHI
  • Email sent to wrong patient
  • Hacking incident
  • Unauthorized access to patient records
  • Paper records left in public place
  • Vendor breach affecting your patients

What doesn't count:

  • Encrypted data that's lost (if the encryption key wasn't compromised)
  • Unintentional disclosure to an authorized person
  • Good-faith disclosure that couldn't be prevented

The 60-Day Rule

You have 60 days from discovery to notify patients.

Key points:

  • Clock starts when you know (or should have known) about the breach
  • Not when the breach occurred
  • Not when you finish investigating
  • 60 days. Period.

What happens if you miss the deadline?

  • Additional fines
  • OCR investigation
  • Reputational damage
  • Legal liability

Step 1: Detect and Contain

Immediate Actions (Day 1)

What to do:

  1. Detect the breach - Identify what happened
  2. Contain it - Stop further exposure
  3. Document it - Record when discovered, what happened
  4. Assess scope - How many patients affected?

Timeline: Within 24 hours of discovery

Containment Steps

Technical containment:

  • Disable compromised accounts
  • Change passwords
  • Isolate affected systems
  • Restore from backups (if needed, after preserving logs and evidence for the investigation)

Physical containment:

  • Secure physical documents
  • Restrict access to affected areas
  • Recover lost devices (if possible)

Step 2: Assess the Breach

Risk Assessment

Determine:

  1. What PHI was involved? - Names, SSNs, medical records?
  2. How many patients? - Affects notification requirements
  3. Risk of harm? - Financial, reputational, or other harm?
  4. Was data encrypted? - Affects breach determination

Breach Determination

Four factors to consider:

  1. Nature and extent of PHI - What information was involved?
  2. Person who used/disclosed PHI - Authorized or unauthorized?
  3. Whether PHI was acquired/viewed - Was it actually accessed?
  4. Extent of risk mitigation - What steps were taken?

Step 3: Notify Affected Patients

Patient Notification Requirements

Timeline: Within 60 days of discovery

Method: Written notice (first-class mail) or email (if patient agreed)

Content required:

  1. Description of breach - What happened?
  2. Types of information involved - What PHI was compromised?
  3. What you're doing - Investigation, mitigation, prevention
  4. What patients should do - Steps to protect themselves
  5. Contact information - Who to call with questions

Notification Letter Template

Required elements:

  • Clear, plain language
  • Specific to the breach
  • Actionable steps for patients
  • Contact information
  • Offer of credit monitoring (if appropriate)

Sample structure:

Dear [Patient Name],

We are writing to inform you of a security incident that may have 
affected your protected health information.

What Happened:
[Description of breach]

What Information Was Involved:
[Types of PHI]

What We're Doing:
[Investigation and mitigation steps]

What You Should Do:
[Steps for patients]

Contact Information:
[Phone, email, address]

Sincerely,
[Practice Name]

Step 4: Notify HHS OCR

OCR Notification Requirements

For breaches affecting 500+ individuals:

  • Notify OCR within 60 days of discovery
  • Use OCR's breach notification form
  • Include all required information

For breaches affecting fewer than 500 individuals:

  • Notify OCR within 60 days of the end of the calendar year in which the breach was discovered
  • Submit log of all breaches for the year
  • Use OCR's breach notification form

OCR Notification Form

Required information:

  • Practice information
  • Breach description
  • Number of individuals affected
  • Types of PHI involved
  • Steps taken to mitigate
  • Patient notification status

Step 5: Notify Media (If Required)

Media Notification Requirements

When required:

  • Breach affects 500+ individuals in a state or jurisdiction
  • Must notify prominent media outlets serving that area
  • Timeline: Within 60 days of discovery

What to include:

  • Same information as patient notification
  • Written in plain language
  • Contact information for questions

Media outlets:

  • Major newspapers
  • Television stations
  • Radio stations
  • Online news outlets

Step 6: Document Everything

Documentation Requirements

What to document:

  1. Breach discovery - When, how, who discovered
  2. Breach assessment - Risk analysis, scope determination
  3. Containment steps - What was done to stop breach
  4. Investigation - Findings, root cause analysis
  5. Notifications sent - When, to whom, method
  6. Remediation - Steps taken to prevent future breaches

Why documentation matters:

  • Required for audits
  • Shows good faith effort
  • Reduces potential fines
  • Demonstrates compliance
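Steps 3 through 5 above amount to a small decision procedure: the clock starts at the earlier of "knew" and "should have known", patient notice is due 60 days later, OCR notice is due either at the same time (500+ individuals) or 60 days after the end of the calendar year (fewer than 500), and media notice applies only in a state or jurisdiction where 500+ individuals were affected. The following Python planner is an added example, not code from the article or from HIPAA Hub; the Breach fields, the ISO-date arguments and the two sample scenarios are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

NOTIFY_WINDOW = timedelta(days=60)   # the article's 60-day clock
LARGE_BREACH = 500                   # 500+ individuals: immediate OCR (and media) notice


@dataclass
class Breach:
    known_on: date                                 # day the practice actually learned of it
    affected_by_state: Dict[str, int]              # state/jurisdiction -> individuals affected
    should_have_known_on: Optional[date] = None    # earlier date a diligent practice would have noticed

    def discovery_date(self) -> date:
        """The clock starts when you knew OR should have known, whichever is earlier."""
        if self.should_have_known_on and self.should_have_known_on < self.known_on:
            return self.should_have_known_on
        return self.known_on

    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def notification_plan(b: Breach) -> dict:
    """Return the notification deadlines described in Steps 3 to 5 for this breach."""
    discovered = b.discovery_date()
    plan = {"discovered": discovered, "patients_by": discovered + NOTIFY_WINDOW}
    if b.total_affected() >= LARGE_BREACH:
        plan["ocr_by"] = discovered + NOTIFY_WINDOW          # Step 4, 500+ individuals
    else:
        year_end = date(discovered.year, 12, 31)             # Step 4, fewer than 500:
        plan["ocr_by"] = year_end + NOTIFY_WINDOW            # annual log, 60 days after year end
    # Step 5: media notice only in jurisdictions where 500+ individuals were affected
    plan["media_states"] = sorted(s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH)
    plan["media_by"] = discovered + NOTIFY_WINDOW if plan["media_states"] else None
    return plan


def days_left_for_patients(b: Breach, today_iso: str) -> int:
    """Days until the patient-notice deadline; negative means the deadline was missed."""
    return (notification_plan(b)["patients_by"] - date.fromisoformat(today_iso)).days


# Constructed scenarios (hypothetical numbers, not real incidents):
# a large breach noticed Feb 10 that audit logs show should have been caught Feb 1,
# and a small breach confined to one state.
EXAMPLE_LARGE = Breach(date(2026, 2, 10), {"TX": 620, "OK": 40}, should_have_known_on=date(2026, 2, 1))
EXAMPLE_SMALL = Breach(date(2026, 3, 15), {"CA": 12})

if __name__ == "__main__":
    for name, b in (("large", EXAMPLE_LARGE), ("small", EXAMPLE_SMALL)):
        print(name, notification_plan(b), "days left:", days_left_for_patients(b, "2026-03-03"))
```

Note that for the large scenario every deadline moves nine days earlier because the "should have known" date, not the day someone finally noticed, starts the clock.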

Common Mistakes to Avoid

Mistake 1: Waiting Too Long

Problem: Waiting to finish investigation before notifying

Solution: Notify within 60 days, even if investigation is ongoing

Mistake 2: Incomplete Notifications

Problem: Missing required information

Solution: Use checklist to ensure all elements included

Mistake 3: Poor Documentation

Problem: Not documenting breach response

Solution: Document everything from day 1

Mistake 4: Not Notifying OCR

Problem: Forgetting to notify OCR for small breaches

Solution: Log all breaches and notify OCR annually

Download the Breach Response Plan

Get our complete breach response plan template with notification letters and checklists.


Prevention is Better Than Response

The best breach response is preventing breaches:

  1. Encrypt all devices - Laptops, phones, tablets
  2. Train your staff - On HIPAA and security
  3. Use secure systems - HIPAA-compliant software
  4. Monitor access - Audit logs and alerts
  5. Have a plan - Breach response plan ready

HIPAA Hub helps:

  • Breach response plan templates
  • Notification letter templates
  • Documentation tools
  • Training management
  • Evidence organization

Next Steps

  1. Download the response plan - Be prepared
  2. Review your current plan - Is it complete?
  3. Train your staff - On breach response
  4. Get HIPAA Hub - Automate compliance

Remember: You have 60 days. But the best time to prepare was yesterday. The second best time is now.


This guide is based on current HIPAA Breach Notification Rule requirements. For personalized compliance guidance, consider using HIPAA Hub.

Written by

HIPAA Hub Team
