HIPAA
January 20, 2026
6 min read

HIPAA Breach Notification Rule: Complete Guide (Requirements & Timeline)

Complete guide to the HIPAA Breach Notification Rule. Learn what constitutes a breach, notification requirements, timelines, and how to respond.


A breach happened. You have 60 days. Here's everything you need to know.

This complete guide covers the HIPAA Breach Notification Rule—what it is, when it applies, and how to comply.

What is the Breach Notification Rule?

The HIPAA Breach Notification Rule requires healthcare providers to notify patients, HHS, and in some cases, the media when a breach of unsecured PHI occurs.

Key points:

  • Applies to unsecured PHI only
  • 60-day notification deadline for patients
  • Different timelines for HHS and media
  • Documentation required for all breaches

What is unsecured PHI?

  • PHI that is not encrypted or destroyed
  • If PHI is encrypted and the encryption key is not compromised, it's not a breach
  • If PHI is destroyed (shredded, burned), it's not a breach

What Constitutes a Breach?

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA that compromises the security or privacy of the PHI.

Examples of Breaches

Common breach scenarios:

  • Lost or stolen laptop with unencrypted PHI
  • Email sent to wrong patient
  • Hacking incident
  • Unauthorized access to patient records
  • Paper records left in public place
  • Vendor breach affecting your patients
  • Employee accessing records without authorization

Exceptions (Not Considered Breaches)

These are NOT breaches:

  • Encrypted data that's lost (if encryption key wasn't compromised)
  • Unintentional disclosure to authorized person within same organization
  • Good faith disclosure that couldn't be prevented
  • Inadvertent disclosure by authorized person to another authorized person
  • Disclosure where you have a good faith belief that the unauthorized person could not have retained the information

The 60-Day Rule

You have 60 days from discovery to notify patients.

Key points:

  • Clock starts when you know (or should have known) about the breach
  • Not when the breach occurred
  • Not when you finish investigating
  • 60 days. Period.

What happens if you miss the deadline?

  • Additional OCR fines
  • OCR investigation
  • Reputational damage
  • Legal liability

Breach Risk Assessment

Before notifying, you must assess whether the breach poses a significant risk of harm.

Four Factors to Consider

1. Nature and Extent of PHI

  • What types of information were involved?
  • How much information?
  • How sensitive is the information?

2. Person Who Used/Disclosed PHI

  • Was it an authorized person?
  • Was it an unauthorized person?
  • What was their intent?

3. Whether PHI Was Actually Acquired or Viewed

  • Was PHI actually accessed?
  • Or was it just potentially accessible?
  • Can you determine if it was viewed?

4. Extent of Risk Mitigation

  • What steps have you taken?
  • Can you mitigate the risk?
  • Have you contained the breach?

Presumption of Breach

A breach is presumed unless you can demonstrate a low probability that the PHI was compromised.

To overcome the presumption, you must show:

  • PHI was not actually acquired or viewed
  • Risk of harm is low
  • Mitigation steps were effective

Patient Notification Requirements

Timeline

When: Within 60 days of discovery

Method: Written notice (first-class mail) or email (if patient agreed to email)

Content Required:

  1. Description of breach - What happened?
  2. Types of information involved - What PHI was compromised?
  3. What you're doing - Investigation, mitigation, prevention
  4. What patients should do - Steps to protect themselves
  5. Contact information - Who to call with questions

Notification Letter Requirements

Must be written in:

  • Plain language
  • Clear and understandable
  • Specific to the breach
  • Actionable

Must include:

  • Brief description of what happened
  • Date of breach (if known) and date of discovery
  • Types of information involved
  • Steps you're taking to investigate and mitigate
  • Steps patients should take to protect themselves
  • Contact information for questions

Sample Notification Letter Structure

Dear [Patient Name],

We are writing to inform you of a security incident that may have 
affected your protected health information.

What Happened:
[Description of breach, date, how discovered]

What Information Was Involved:
[Types of PHI - names, SSNs, medical records, etc.]

What We're Doing:
[Investigation steps, mitigation measures, prevention]

What You Should Do:
[Steps for patients - monitor accounts, change passwords, etc.]

Contact Information:
[Phone number, email, address for questions]

We sincerely apologize for this incident and any inconvenience it 
may cause.

Sincerely,
[Practice Name]
[Contact Information]

HHS OCR Notification Requirements

For Breaches Affecting 500+ Individuals

Timeline: Within 60 days of discovery

Method: OCR's breach notification form (online)

Required information:

  • Practice information
  • Breach description
  • Number of individuals affected
  • Types of PHI involved
  • Steps taken to mitigate
  • Patient notification status

For Breaches Affecting Fewer Than 500 Individuals

Timeline: Within 60 days of the end of the calendar year

Method: OCR's breach notification form (online)

Required information:

  • Log of all breaches for the year
  • Same information as above for each breach

Media Notification Requirements

When Required

Must notify media if:

  • The breach affects 500+ individuals in a single state or jurisdiction
  • Notification is due within 60 days of discovery

What to Include

Same information as patient notification:

  • Description of breach
  • Types of information involved
  • What you're doing
  • What affected individuals should do
  • Contact information

Media Outlets

Notify prominent media outlets serving the affected area:

  • Major newspapers
  • Television stations
  • Radio stations
  • Online news outlets
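As an added example (not part of the HIPAA Hub guide), the following Python turns the three timelines above into calendar dates from a discovery date and headcount: patients and HHS OCR within 60 days of discovery for 500+ individuals, the year-end log for fewer than 500, and the media notice when 500+ residents of one state or jurisdiction are affected. The function names and the treatment of "discovery" as the date you knew or should have known are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# "Within 60 days" as stated in the guide; calendar days, not business days.
NOTIFY_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class NotificationDeadlines:
    patients: date            # individual notice deadline
    hhs_ocr: date             # HHS OCR deadline (immediate or annual log)
    media: Optional[date]     # None when no media notice is required
    hhs_is_annual_log: bool   # True when the breach goes in the year-end log


def breach_deadlines(discovery: date, affected: int,
                     max_in_one_state: int) -> NotificationDeadlines:
    """Map the guide's timelines onto dates (example helper, assumed names).

    discovery        -- the day the breach was known or should have been known;
                        NOT the day it occurred, NOT the day the investigation ended
    affected         -- total individuals affected
    max_in_one_state -- largest count of affected residents of any single
                        state or jurisdiction; this drives the media notice
    """
    patients = discovery + NOTIFY_WINDOW
    if affected >= 500:
        hhs_ocr, annual = discovery + NOTIFY_WINDOW, False
    else:
        # Under 500: logged and reported within 60 days of the end of the
        # calendar year in which the breach was discovered.
        year_end = date(discovery.year, 12, 31)
        hhs_ocr, annual = year_end + NOTIFY_WINDOW, True
    media = discovery + NOTIFY_WINDOW if max_in_one_state >= 500 else None
    return NotificationDeadlines(patients, hhs_ocr, media, annual)


def days_remaining(deadline: date, today: date) -> int:
    """Days left before a deadline; negative means it has already passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed sample: discovered on this guide's publication date, 1,200 affected,
    # 900 of them in one state, so every notice is due on the same day.
    d = breach_deadlines(date(2026, 1, 20), affected=1200, max_in_one_state=900)
    print(d, days_remaining(d.patients, date(2026, 1, 20)))
```

Because the clock starts at discovery rather than at the end of the investigation, run this on the day the incident is logged and track the remaining days alongside the investigation.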

Breach Response Process

Step 1: Detect and Contain (Day 1)

Immediate actions:

  • Detect the breach
  • Contain it (stop further exposure)
  • Document discovery
  • Assess scope

Containment steps:

  • Disable compromised accounts
  • Change passwords
  • Isolate affected systems
  • Secure physical documents
  • Recover lost devices (if possible)

Step 2: Assess the Breach (Day 2-7)

Assessment tasks:

  • Determine if it's a breach
  • Assess risk of harm
  • Identify affected individuals
  • Determine scope
  • Document findings

Step 3: Notify Patients (Day 8-60)

Notification tasks:

  • Prepare notification letters
  • Send to all affected patients
  • Track notifications sent
  • Document all notifications

Step 4: Notify HHS OCR (Day 8-60 or Year-End)

Notification tasks:

  • Complete OCR breach form
  • Submit within deadline
  • Document submission

Step 5: Notify Media (If Required) (Day 8-60)

Notification tasks:

  • Identify media outlets
  • Prepare media statement
  • Send notifications
  • Document notifications

Step 6: Document Everything (Ongoing)

Documentation tasks:

  • Document discovery
  • Document assessment
  • Document containment
  • Document notifications
  • Document remediation
  • Maintain for 6 years

Documentation Requirements

What to Document

Required documentation:

  1. Breach discovery - When, how, who discovered
  2. Breach assessment - Risk analysis, scope determination
  3. Containment steps - What was done to stop breach
  4. Investigation - Findings, root cause analysis
  5. Notifications sent - When, to whom, method
  6. Remediation - Steps taken to prevent future breaches

Why Documentation Matters

Documentation is critical because:

  • Required for audits
  • Shows good faith effort
  • Reduces potential fines
  • Demonstrates compliance
  • Protects in legal proceedings

Common Mistakes to Avoid

Mistake 1: Waiting Too Long

Problem: Waiting to finish investigation before notifying

Solution: Notify within 60 days, even if investigation is ongoing

Mistake 2: Incomplete Notifications

Problem: Missing required information

Solution: Use checklist to ensure all elements included

Mistake 3: Poor Documentation

Problem: Not documenting breach response

Solution: Document everything from day 1

Mistake 4: Not Notifying OCR

Problem: Forgetting to notify OCR for small breaches

Solution: Log all breaches and notify OCR annually

Prevention is Better Than Response

The best breach response is preventing breaches:

  1. Encrypt all devices - Laptops, phones, tablets
  2. Train your staff - On HIPAA and security
  3. Use secure systems - HIPAA-compliant software
  4. Monitor access - Audit logs and alerts
  5. Have a plan - Breach response plan ready

How HIPAA Hub Helps

HIPAA Hub automates breach response:

  • ✅ Breach response plan templates
  • ✅ Notification letter templates
  • ✅ OCR notification form guidance
  • ✅ Documentation tools
  • ✅ Training management
  • ✅ Prevention guidance

Time saved: 10-15 hours of breach response

Next Steps

  1. Create breach response plan - Use templates
  2. Train your staff - On breach response
  3. Prepare notification templates - Have them ready
  4. Document procedures - For breach response
  5. Get HIPAA Hub - Automate compliance

This guide is based on current HIPAA Breach Notification Rule requirements. For personalized compliance guidance, consider using HIPAA Hub.

Written by

HIPAA Hub Team
