
HIPAA Breach Notification Rule Requirements

Understanding when and how to report breaches of unsecured protected health information under HIPAA.

HIPAA requires covered entities to notify affected individuals within 60 days of discovering a breach

The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, the HHS Secretary, and in some cases the media following a breach of unsecured PHI.

What Constitutes a Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.

The Four-Factor Risk Assessment

To determine whether a breach has occurred, organisations must evaluate:

  1. The nature and extent of the PHI involved — What types of identifiers and clinical information were involved?
  2. The unauthorised person who accessed the information — Was it another covered entity or a completely unrelated party?
  3. Whether the PHI was actually acquired or viewed — Was there evidence the information was actually accessed?
  4. The extent to which the risk has been mitigated — Have steps been taken to reduce the harm?

The four-factor risk assessment determines whether an incident qualifies as a reportable breach

Notification Requirements

Individual Notification

Covered entities must notify affected individuals without unreasonable delay and no later than 60 days from discovery. Notifications must include:

  • A description of what happened
  • The types of information involved
  • Steps individuals should take to protect themselves
  • What the entity is doing to investigate and mitigate the breach
  • Contact information for questions

HHS Notification

For breaches affecting fewer than 500 individuals, notify HHS annually. For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 days from discovery.

Media Notification

If a breach affects 500 or more individuals in a single state or jurisdiction, covered entities must notify prominent media outlets.

Exceptions

A breach does not need to be reported if:

  • The unintentional access was made in good faith by an employee and the information was not further disclosed
  • The inadvertent disclosure was to another authorised person within the same entity
  • There is a good faith belief that the unauthorised recipient would not be able to retain the information

Penalties

Failure to comply with breach notification requirements can result in significant penalties, ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category.

Best Practices

  • Develop a breach response plan before you need it
  • Train staff on breach identification and reporting
  • Maintain a breach notification log
  • Review and update incident response procedures regularly


Article by

HIPAA Guidelines Editorial Team

The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.
