RiskWatch
Compliance guide · ~10 min read · Updated June 2026

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Secretary of HHS, and sometimes the media after a breach of unsecured protected health information. Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered.

Issued by: HHS / OCR
Deadline: 60 days
Citation: 45 CFR 164.400
Media if: 500+
01 · Definition

What is the Breach Notification Rule?

The HIPAA Breach Notification Rule, codified at 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. It was strengthened by the HITECH Act and is enforced by the HHS Office for Civil Rights.

It is the third of the core HIPAA rules, alongside the Privacy Rule and the Security Rule. Where those two work to prevent incidents, the Breach Notification Rule governs what happens after one: how to decide whether an incident is reportable, and who must be told within what deadline.

02 · The trigger

What counts as a breach

A breach is, broadly, an impermissible use or disclosure of protected health information that compromises its security or privacy. The crucial nuance is the presumption: an impermissible use or disclosure is presumed to be a breach unless the organisation can demonstrate a low probability that the PHI was compromised.

The rule includes a few specific exceptions, such as certain good-faith, unintentional access by a workforce member acting within their authority, or an inadvertent disclosure between authorised people at the same organisation, provided the information is not further used or disclosed improperly. Outside those exceptions, you must run a risk assessment to rebut the presumption.

03 · The test

The four-factor risk assessment

To rebut the presumption of a breach, you assess the probability that PHI was compromised using at least these four factors, and you must document the analysis.

1 · Nature and extent of the PHI

The types of identifiers involved and the likelihood the information could be re-identified, including how sensitive it is.

2 · The unauthorised recipient

Who used the PHI or to whom it was disclosed, and whether that person has an obligation to protect it (for example, another covered entity).

3 · Whether it was acquired or viewed

Whether the PHI was actually acquired or viewed, or whether only the opportunity existed (for example, a returned laptop confirmed never accessed).

4 · Extent of mitigation

The extent to which the risk to the PHI has been mitigated, for example through assurances of destruction or confidentiality from the recipient.

If, weighing these factors, you can show a low probability that the PHI was compromised, notification may not be required, but you must keep the documented assessment to defend that conclusion.

04 · The obligations

Who to notify, and when

For a reportable breach of unsecured PHI, up to three audiences must be notified. The number of affected individuals and where they live drive which apply.

Affected individuals

Without unreasonable delay, no later than 60 days from discovery

Written notice (usually first-class mail, or email if the individual agreed) describing the breach, the PHI involved, what individuals should do, and what the organisation is doing in response.

The Secretary of HHS

Within 60 days for 500+; annually for smaller breaches

Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and within 60 days. Breaches affecting fewer than 500 are logged and reported to HHS within 60 days of the end of the calendar year.

Prominent media

Within 60 days, for breaches of 500+ in a state or jurisdiction

If a breach affects more than 500 residents of a state or jurisdiction, the organisation must also notify prominent media outlets serving that area, in addition to the individual notices.

A business associate that discovers the breach must notify the covered entity, which generally carries the obligation to notify individuals. Settle these responsibilities in the Business Associate Agreement before an incident, not during one.

05 · A key exception

Unsecured PHI and the encryption safe harbor

The Breach Notification Rule applies only to unsecured PHI: protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorised people through a method specified in HHS guidance, principally encryption or proper destruction.

This creates a powerful incentive. If PHI is properly encrypted to the HHS standard and the decryption key was not also compromised, a breach of that data generally does not trigger notification at all. Encryption of ePHI at rest and in transit is, in effect, a safe harbor, which is one reason it is treated as a baseline even though it is technically an addressable specification under the Security Rule.

The cheapest breach to manage is the one you never have to report. Encrypting PHI to the HHS standard removes most lost-device and intercepted-data incidents from the notification obligation entirely.

06 · Response

How to comply

Six steps that turn a chaotic incident into a defensible response. Build this workflow before you need it; the 60-day clock starts at discovery, not when you finish investigating.

  1. Detect and contain

     Identify the incident, contain it, and preserve the facts: what happened, what PHI was involved, when it was discovered, and who was affected. The clock starts on discovery.

  2. Run the 4-factor risk assessment

     Assess whether the impermissible use or disclosure compromised the PHI using the four required factors, and document the analysis. The presumption is that it is a breach unless you can show a low probability of compromise.

  3. Determine notification obligations

     If it is a reportable breach, determine who must be notified (individuals, HHS, and possibly the media) based on the number of people affected and where they are.

  4. Notify within the deadlines

     Send individual notices without unreasonable delay and no later than 60 days from discovery, report to HHS on the required timeline, and notify media where the 500-resident threshold is met.

  5. Coordinate with business associates

     If a business associate discovered the breach, it must notify the covered entity, which generally carries the obligation to notify individuals. Agree these responsibilities in the BAA in advance.

  6. Document everything

     Keep the risk assessment, the notifications, and the timeline. In an investigation the burden of proof is on you to show either that notifications were made or that an exception applied.

Be ready before the clock starts
Manage breach response inside your HIPAA program.

RiskWatch keeps your HIPAA Privacy, Security, and breach-response workflows on one platform: a documented incident and risk-assessment process, BAA tracking, and the timestamped evidence trail OCR expects if a breach is investigated.

07 · Frequently asked

Breach notification, answered

The questions compliance and security teams ask when an incident hits.

What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and their business associates to notify affected individuals, the Secretary of Health and Human Services, and in some cases the media following a breach of unsecured protected health information. It sets out what counts as a breach, how to assess whether an incident is reportable, and the deadlines and methods for notifying.
What is considered a breach under HIPAA?
A breach is generally an impermissible use or disclosure of protected health information that compromises its security or privacy. Importantly, an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates, through a risk assessment, that there is a low probability the PHI has been compromised. Certain situations, such as good-faith unintentional access by a workforce member, are excluded.
What is the HIPAA 60-day rule?
Following discovery of a breach of unsecured PHI, a covered entity must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. The same 60-day outer limit applies to notifying HHS for breaches affecting 500 or more individuals. Business associates must notify the covered entity, also without unreasonable delay and within 60 days.
What is the 4-factor risk assessment?
When an impermissible use or disclosure occurs, the organisation must assess the probability that PHI has been compromised using at least four factors: (1) the nature and extent of the PHI involved, including identifiers and likelihood of re-identification; (2) the unauthorised person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. If the assessment shows a low probability of compromise, notification may not be required.
When do you have to notify the media of a HIPAA breach?
Media notification is required when a breach of unsecured PHI affects more than 500 residents of a single state or jurisdiction. In that case, in addition to notifying the affected individuals, the covered entity must notify prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 days after discovery.
What is the difference between a breach of 500 or more and fewer than 500?
For breaches affecting 500 or more individuals, the covered entity must notify HHS without unreasonable delay and within 60 days, notify the affected individuals, and notify prominent media if 500+ are in one state or jurisdiction. These larger breaches are also posted publicly on the HHS breach portal. For breaches affecting fewer than 500 individuals, the covered entity still notifies the individuals but reports to HHS via an annual log within 60 days after the end of the calendar year.
What is unsecured PHI?
Unsecured PHI is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorised persons through a technology or methodology specified by HHS guidance, primarily encryption or proper destruction. The Breach Notification Rule applies to breaches of unsecured PHI. If the PHI was properly encrypted (and the key was not also compromised), a breach of that data generally does not trigger notification, which functions as a safe harbor.
Who is responsible for breach notification, the covered entity or the business associate?
A business associate that discovers a breach must notify the covered entity, generally without unreasonable delay and within 60 days. The covered entity is then typically responsible for notifying the affected individuals, HHS, and the media. The two can agree in the Business Associate Agreement that the business associate will make notifications on the covered entity's behalf, but the covered entity remains accountable for ensuring they happen.
From incident to defensible response

Build breach response into your HIPAA program.

A documented incident and risk-assessment workflow, BAA tracking, and a timestamped audit trail across HIPAA's Privacy, Security, and Breach rules. 30-day free trial, no credit card.
