HIPAA Breach Notification Requirements
Updated March 2026 · HIPAA 45 CFR §§164.400–414
Breach Notification at a Glance
- 45 CFR §§164.400–414: Breach Notification Rule, full regulatory citation
- 60 days: maximum time to notify affected individuals after discovery
- 500+: threshold requiring media notification and immediate HHS report
When protected health information is compromised, the clock starts immediately. Under 45 CFR §§164.400–414, covered entities must notify affected individuals, the HHS Secretary, and — in breaches affecting 500 or more people — prominent media outlets. Missing these deadlines turns a security incident into an enforcement action.
Yet breach notification is not automatic. The Breach Notification Rule creates a rebuttable presumption: every unauthorized acquisition, access, use, or disclosure of unsecured PHI is assumed to be a breach unless your organization can demonstrate, through a documented four-factor risk assessment, that there is a low probability the PHI was compromised. This guide walks through the complete process — from initial determination to notification letters — so you can respond correctly under pressure.
What Is Considered a HIPAA Breach
Under 45 CFR §164.402, a breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. “Unsecured” means the PHI was not encrypted or destroyed in accordance with HHS guidance.
Presumed breach
A laptop containing unencrypted patient records is stolen from an employee's car. PHI was unsecured and accessed by an unauthorized party.
Not a breach
The same laptop is stolen, but the hard drive was encrypted using AES-256. Because the PHI was properly encrypted, it is “secured” and does not trigger notification.
Three Statutory Exceptions
Even when unsecured PHI is improperly accessed, the following scenarios are excluded from the breach definition:
Unintentional access by workforce member (§164.402(1)(i))
A nurse accidentally opens the wrong patient chart and immediately closes it. Access was made in good faith, within the scope of authority, and no further disclosure occurred.
Inadvertent disclosure between authorized persons (§164.402(1)(ii))
A physician emails lab results to the wrong colleague within the same covered entity. Both are authorized to access PHI.
Good-faith belief PHI cannot be retained (§164.402(1)(iii))
A misdirected fax is received by a pharmacy that immediately shreds the document. The recipient had no ability to retain the information.
Step-by-Step Response Process
When a potential breach is identified, follow this decision path. At each stage, document your analysis — OCR evaluates your process, not just the outcome.
1. Incident detected: the discovery clock starts (day zero). Document everything.
2. Is PHI involved? If no PHI was accessed or disclosed, this is a security incident, not a breach. Document and close.
3. Was PHI unsecured? If PHI was encrypted per HHS standards or properly destroyed, it is "secured" and no notification is required.
4. Does an exception apply? Check the three statutory exceptions: unintentional workforce access, inadvertent disclosure to an authorized person, good-faith belief of no retention.
5. Conduct the four-factor risk assessment: evaluate the nature of the PHI, who received it, whether it was viewed, and mitigation. Low probability of compromise means no notification is required.
6. Notify within 60 days: individuals by mail, HHS via the portal, and media if 500+ individuals in one state. Document every notification sent.
The Four-Factor Risk Assessment
Before notifying, you must determine whether a reportable breach actually occurred. The Breach Notification Rule at §164.402(2) requires a documented assessment of four factors. If the assessment demonstrates a low probability the PHI was compromised, notification is not required. Document the analysis either way — OCR will ask for it.
| Factor | Cite | Question to answer | Higher risk | Lower risk |
|---|---|---|---|---|
| Nature and extent of PHI involved | §164.402(2)(i) | What types of identifiers and clinical data were exposed? | Social Security numbers, financial data, or detailed clinical records (diagnoses, treatment plans) | Name only, or demographic data without clinical or financial identifiers |
| Unauthorized person who used or received the PHI | §164.402(2)(ii) | Who accessed the information, and are they obligated to protect it? | Unknown external party, hacker, or individual with no HIPAA obligations | Another covered entity or business associate already bound by HIPAA |
| Whether PHI was actually acquired or viewed | §164.402(2)(iii) | Is there evidence the data was opened, read, copied, or downloaded? | Server logs confirm file downloads, screenshots, or data exfiltration | Forensic analysis confirms the email was unopened or the device was recovered before access |
| Extent to which risk has been mitigated | §164.402(2)(iv) | What steps were taken to reduce harm after the incident? | No mitigation possible: data posted publicly or recipient uncooperative | Recipient confirmed destruction; device remotely wiped; data recovered with attestation |
Documentation is not optional
Even if you conclude no breach occurred, retain the four-factor analysis for at least six years. Use your risk assessment tool to structure and store these evaluations consistently.
Notification Timelines
The phrase “without unreasonable delay” appears throughout the Breach Notification Rule, but the hard ceiling is 60 calendar days from discovery. Discovery occurs on the first day the breach is known or, by exercising reasonable diligence, would have been known. Willful ignorance does not extend the clock.
| Recipient | Cite | Deadline | Method |
|---|---|---|---|
| Affected individuals | §164.404 | 60 calendar days from date of discovery | First-class mail to last known address (or email if the individual has agreed). Substitute notice if contact info is insufficient or outdated. |
| HHS Secretary (500+ individuals) | §164.408 | 60 calendar days from date of discovery | Submit via the HHS breach reporting portal. The breach appears on the public "Wall of Shame" within days of submission. |
| HHS Secretary (fewer than 500) | §164.408 | Within 60 days of calendar year-end (annual log of all smaller breaches) | Submit via the HHS breach reporting portal. Aggregate all breaches from the prior year into a single annual report. |
| Prominent media outlets | §164.406 | 60 calendar days from date of discovery (500+ in a single state/jurisdiction) | Press release or direct notice to major media outlets serving the affected state or jurisdiction. |
Business Associate Obligations
When a breach originates at a business associate, the BA must notify the covered entity within 60 days of discovery (§164.410). The covered entity then has its own 60-day window to notify individuals. Many BAAs contractually shorten this to 30 days or less to preserve response time.
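The decision path above (PHI involved, secured, statutory exception, documented four-factor assessment) and the notification timelines (individuals and HHS at 60 days from discovery, the annual log for smaller breaches, per-state media notice at 500+, and the business associate's notice to the covered entity) can be turned into a small tracking tool so that due dates are computed from the discovery date rather than from when someone remembered to file. The following Python is an added example written for this guide; it is not an HHS or OCR tool, and the class names, field names and sample incidents are constructed assumptions. It also encodes two points the text makes: discovery is the earlier of actual knowledge and the reasonable-diligence date, and a low-probability conclusion is only accepted when every factor has a written finding.

```python
"""Breach determination and notification-deadline calculator.

Constructed example modelling the decision path and timelines described on this
page (45 CFR 164.400-414). Not an official HHS/OCR tool; names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional

NOTIFY_WINDOW = timedelta(days=60)   # hard ceiling counted from date of discovery
MEDIA_THRESHOLD = 500                # 164.406: per state/jurisdiction
HHS_IMMEDIATE = 500                  # 164.408: below this, annual log instead

EXCEPTIONS = {
    "unintentional_workforce_access",      # 164.402(1)(i)
    "inadvertent_authorized_disclosure",   # 164.402(1)(ii)
    "good_faith_no_retention",             # 164.402(1)(iii)
}


class Determination(Enum):
    SECURITY_INCIDENT_NO_PHI = "no PHI involved: document and close"
    SECURED_PHI = "PHI encrypted or destroyed per HHS guidance: no notice"
    STATUTORY_EXCEPTION = "statutory exception applies: no notice"
    LOW_PROBABILITY = "documented four-factor assessment: low probability"
    REPORTABLE_BREACH = "notification required"


@dataclass
class FourFactorAssessment:
    """Written findings for 164.402(2)(i)-(iv) plus the conclusion drawn from them."""
    nature_of_phi: str
    unauthorized_recipient: str
    acquired_or_viewed: str
    mitigation: str
    low_probability_of_compromise: bool

    def is_documented(self) -> bool:
        # OCR evaluates the process, so every factor needs a written finding.
        return all(s.strip() for s in (self.nature_of_phi, self.unauthorized_recipient,
                                       self.acquired_or_viewed, self.mitigation))


@dataclass
class Incident:
    known_on: date                               # day the entity actually learned of it
    should_have_known_on: Optional[date] = None  # earlier date reasonable diligence would have found it
    phi_involved: bool = True
    phi_secured: bool = False                    # encrypted/destroyed per HHS guidance
    exception: Optional[str] = None              # one of EXCEPTIONS, or None
    affected_by_jurisdiction: Dict[str, int] = field(default_factory=dict)
    at_business_associate: bool = False
    assessment: Optional[FourFactorAssessment] = None

    @property
    def discovered(self) -> date:
        # Discovery is the earlier of actual knowledge and the reasonable-diligence date.
        if self.should_have_known_on and self.should_have_known_on < self.known_on:
            return self.should_have_known_on
        return self.known_on

    @property
    def affected(self) -> int:
        return sum(self.affected_by_jurisdiction.values())


def determine(inc: Incident) -> Determination:
    """Walk the decision path; refuse to conclude if the assessment step is missing."""
    if not inc.phi_involved:
        return Determination.SECURITY_INCIDENT_NO_PHI
    if inc.phi_secured:
        return Determination.SECURED_PHI
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception {inc.exception!r}")
        return Determination.STATUTORY_EXCEPTION
    # Rebuttable presumption: it is a breach unless a documented assessment rebuts it.
    if inc.assessment is None or not inc.assessment.is_documented():
        raise ValueError("four-factor risk assessment must be completed and documented")
    if inc.assessment.low_probability_of_compromise:
        return Determination.LOW_PROBABILITY
    return Determination.REPORTABLE_BREACH


def deadlines(inc: Incident, baa_notice_days: int = 60) -> Dict[str, date]:
    """Due dates for a reportable breach; empty dict when no notification is required."""
    if determine(inc) is not Determination.REPORTABLE_BREACH:
        return {}
    d = inc.discovered
    due = {"individuals": d + NOTIFY_WINDOW}                            # 164.404
    if inc.affected >= HHS_IMMEDIATE:
        due["hhs"] = d + NOTIFY_WINDOW                                  # 164.408, 500+
    else:
        due["hhs_annual_log"] = date(d.year, 12, 31) + NOTIFY_WINDOW    # 164.408, <500
    for state, n in inc.affected_by_jurisdiction.items():
        if n >= MEDIA_THRESHOLD:
            due[f"media_{state}"] = d + NOTIFY_WINDOW                   # 164.406
    if inc.at_business_associate:
        # 164.410: BA notice to the covered entity; BAAs often shorten the window.
        due["ba_to_ce"] = d + timedelta(days=baa_notice_days)
    return due


# Constructed sample incidents; the dates, counts and findings are made up.
def example_large_breach() -> Incident:
    return Incident(known_on=date(2026, 3, 14), should_have_known_on=date(2026, 3, 10),
                    affected_by_jurisdiction={"CA": 900, "NV": 300}, at_business_associate=True,
                    assessment=FourFactorAssessment("names, DOB, SSN, diagnoses", "unknown external actor",
                                                    "web logs show bulk download", "credentials revoked; data not recovered",
                                                    low_probability_of_compromise=False))


def example_small_breach() -> Incident:
    return Incident(known_on=date(2026, 7, 1), affected_by_jurisdiction={"TX": 40},
                    assessment=FourFactorAssessment("names and appointment dates", "misdirected to an outside clinic",
                                                    "recipient confirms it was opened", "recipient attested to destruction",
                                                    low_probability_of_compromise=False))


def example_secured_laptop() -> Incident:
    return Incident(known_on=date(2026, 5, 2), phi_secured=True, affected_by_jurisdiction={"NY": 2000})


if __name__ == "__main__":
    for inc in (example_large_breach(), example_small_breach(), example_secured_laptop()):
        print(determine(inc).value, {k: v.isoformat() for k, v in deadlines(inc, baa_notice_days=30).items()})
```

For the large sample, discovery is 10 March (the reasonable-diligence date, not the 14 March actual-knowledge date), so individual, HHS and California media notices all fall due on 9 May, while the Nevada count stays under the per-state media threshold; for the 40-person sample the HHS entry lands in the annual log due 60 days after 31 December. The encrypted-laptop sample returns no deadlines at all, matching the "secured PHI" branch of the decision path.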
Notification Letter Requirements
The notification letter must be written in plain language and delivered via first-class mail. Email is acceptable only if the individual previously agreed to electronic communication. The letter must include all five elements specified in §164.404(c):
Description of the breach (§164.404(c)(1)(A))
What happened, including the date of the breach and the date it was discovered. Be specific but avoid language that admits liability.
Types of PHI involved (§164.404(c)(1)(B))
List the categories of information exposed: names, dates of birth, Social Security numbers, diagnoses, treatment records, insurance IDs, etc.
Steps individuals should take (§164.404(c)(1)(C))
Protective actions such as monitoring explanation of benefits (EOBs), placing fraud alerts, requesting credit reports, or changing online portal passwords.
What you are doing about it (§164.404(c)(1)(D))
Your investigation steps, harm mitigation measures, and actions to prevent recurrence (e.g., additional encryption, workforce re-training, system patches).
Contact information (§164.404(c)(1)(E))
A toll-free phone number, email address, postal address, or website where affected individuals can ask questions. Must remain active for at least 90 days.
Substitute Notice
When contact information is insufficient or outdated, substitute notice is required:
| Scenario | Required action |
|---|---|
| Fewer than 10 individuals with bad addresses | Alternative written notice, telephone, or other means |
| 10 or more individuals with bad addresses | Conspicuous homepage posting for 90 days and toll-free hotline active for 90 days |
| Urgency requires faster notification | Telephone notice in addition to written notice |
Breach Notification Letter Template
Replace every bracketed placeholder with your organization's details. Have legal counsel review before sending — this template covers the five required elements but your state may impose additional content requirements.
Template — HIPAA Breach Notification Letter
[Organization Name]
[Address]
[City, State ZIP]
[Date]

[Recipient Name]
[Address]
[City, State ZIP]

RE: Notice of Breach of Unsecured Protected Health Information

Dear [Recipient Name],

We are writing to inform you of an incident involving your protected health information (PHI) as required by the Health Insurance Portability and Accountability Act (HIPAA), 45 CFR §164.404.

WHAT HAPPENED
On [date of discovery], we discovered that [brief, factual description of the breach]. The incident occurred on or about [date of breach].

INFORMATION INVOLVED
The types of information that may have been affected include: [list specific types, e.g., your name, date of birth, Social Security number, medical record number, diagnosis information, health insurance information].

WHAT WE ARE DOING
Upon learning of this incident, we immediately [describe mitigation steps, e.g., secured the affected system, engaged a forensic security firm, reported the incident to law enforcement, enhanced our security measures, re-trained workforce members]. We have also reported this incident to the U.S. Department of Health and Human Services as required by federal law.

WHAT YOU CAN DO
We recommend the following steps to protect yourself:
- Monitor your explanation of benefits (EOB) statements for any unfamiliar charges
- Review your credit reports from Equifax, Experian, and TransUnion
- Consider placing a fraud alert or credit freeze on your credit files
- [If SSN was involved: We are offering [X] months of complimentary credit monitoring through [provider name]. To enroll, visit [URL] or call [phone number] by [enrollment deadline]]

CONTACT INFORMATION
If you have questions or need additional information, please contact:
[Contact name or department]
Phone: [toll-free number]
Email: [email address]
[Mailing address]
This contact line will remain active for at least 90 days.

We deeply regret this incident and are committed to protecting your information. We have taken steps to prevent a similar event from occurring in the future.

Sincerely,
[Privacy Officer Name]
[Title]
[Organization Name]
The 500-Individual Threshold
Breaches affecting 500 or more individuals trigger two additional obligations beyond individual notice. Both carry the same 60-day deadline from discovery.
HHS Secretary notification
§164.408
Submit through the HHS breach reporting portal. Once submitted, the breach is posted on the Breach Portal (commonly called the “Wall of Shame”) — a searchable public database that journalists, patients, and regulators monitor daily.
Prominent media notification
§164.406
Required when 500+ individuals reside in a single state or jurisdiction. Notification must go to prominent media outlets serving that area. There is no minimum list of outlets — use reasonable judgment based on the geographic scope.
Breaches Affecting Fewer Than 500
Smaller breaches do not require immediate HHS reporting or media notice, but you must still:
- Notify each affected individual within 60 days
- Maintain an internal log of every breach incident
- Submit an annual summary to HHS within 60 days of calendar year-end
State laws may impose stricter rules
At least 18 states have breach notification laws with shorter timelines or lower thresholds than HIPAA. California, for example, requires notification within 15 business days for medical information breaches. Always check state requirements alongside federal rules — the stricter standard applies. Your compliance checklist should include a state-law review item.
Accidental HIPAA Breach: What to Do
Most breaches are not malicious attacks — they are accidental disclosures. A staff member emails PHI to the wrong recipient. A paper record is left in a public area. A laptop without encryption is lost. Regardless of intent, the response process is the same.
The discovery clock cannot be paused
Once a breach is known (or should have been known through reasonable diligence), the 60-day deadline begins. Internal investigation does not extend the timeline. Notify and investigate in parallel.
Contain the incident
Stop the ongoing exposure — disable compromised accounts, revoke access, isolate affected systems. Do not destroy forensic evidence.
Assemble your incident response team
Privacy officer, IT security, legal counsel, and senior leadership. Assign a single point person to coordinate communications.
Document everything from minute one
Timestamp every action. Who discovered it, when, how, what systems were involved, what PHI was potentially exposed. This becomes your investigation record.
Determine if PHI was unsecured
Check encryption status. If PHI was encrypted per HHS guidance (NIST SP 800-111) or properly destroyed, it qualifies as "secured" and notification is not required.
Run the four-factor risk assessment
Evaluate the nature of PHI, who received it, whether it was actually viewed, and what mitigation has been achieved. Document the conclusion.
Engage legal counsel
Attorney-client privilege protects your investigation. Counsel should review the risk assessment, notification letters, and regulatory submissions before they go out.
For a structured approach to incident handling, build a formal audit checklist that includes breach response procedures. Organizations with a documented incident response plan resolve breaches 37% faster on average, according to the Ponemon Institute.
Penalties for Late or Missing Notification
Failure to notify — or unreasonable delay in notifying — is itself a HIPAA violation. OCR applies the same four-tier civil monetary penalty structure:
| Tier | Per violation | Annual cap |
|---|---|---|
| Did not know and would not have known by exercising reasonable diligence | $145 – $73,011 | $2,190,294 |
| Reasonable cause but not willful neglect | $1,461 – $73,011 | $2,190,294 |
| Willful neglect, corrected within 30 days | $14,602 – $73,011 | $2,190,294 |
| Willful neglect, not corrected within 30 days | $73,011 – $2,190,294 | $2,190,294 |
Penalty amounts are adjusted for inflation per HHS annual updates (2026 figures). State attorneys general can pursue additional penalties.
Real-World Enforcement
| Entity | Penalty | Issue |
|---|---|---|
| Presence Health | $475,000 | Notified 101 days after discovery (41 days past the 60-day deadline) |
| Cottage Health | $3,000,000 | Failed to conduct risk assessment after breach |
| Banner Health | $1,250,000 | Breach affecting 2.81M individuals; inadequate response |
Quick Reference Card
- Breach definition: unauthorized acquisition, access, use, or disclosure of unsecured PHI
- Regulatory cite: 45 CFR §§164.400–414
- Individual notification: 60 calendar days from discovery, by first-class mail
- HHS notification (500+): 60 calendar days from discovery, via breach portal
- HHS notification (<500): annual log, submitted within 60 days of year-end
- Media notification: 500+ in a single state → prominent media in that state
- BA → CE notification: 60 days (often contractually shortened to 30 or fewer)
- Assessment required: four-factor risk assessment documented for every incident
- Exceptions: unintentional workforce access, inadvertent authorized disclosure, good-faith no-retention
- Letter elements: what happened, PHI types, your steps, their steps, contact info
- Substitute notice: 10+ bad addresses → homepage posting + toll-free line for 90 days
- Record retention: 6 years minimum for all breach documentation
Prepare before a breach happens
Run a risk assessment to identify vulnerabilities, verify your compliance checklist is current, and ensure every business associate has a signed BAA. The organizations that survive breaches are the ones that planned for them.
Related Tools & Guides
HIPAA Risk Assessment Tool
Evaluate security risks across administrative, physical, and technical safeguards.
HIPAA Compliance Checklist
Interactive checklist covering Privacy, Security, and Breach Notification Rules.
Common HIPAA Violations
The most frequent HIPAA violations and how to prevent them in your practice.
HIPAA Encryption Requirements
Encryption standards for PHI at rest and in transit under the Security Rule.
Business Associate Agreement
Customizable BAA template with breach notification provisions.