Under HIPAA’s Breach Notification Rule, the US Department of Health and Human Services (HHS) must be notified of all breaches of unsecured protected health information (PHI), regardless of size. However, “A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals.” Understanding the obligations that HIPAA-regulated entities (covered entities and their business associates) have when a breach occurs helps them know what to do and when.
The HHS defines a HIPAA breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This includes situations where PHI is lost or stolen, accessed by an unauthorized person, or inadvertently disclosed. Determining whether a breach has occurred involves a risk assessment to evaluate the likelihood that PHI has been compromised. This assessment considers factors such as the nature and extent of the PHI involved, the unauthorized person who accessed the information, and the probability of PHI being compromised. Unless an organization can demonstrate a low probability of compromise based on a risk assessment, the incident is presumed to be a breach.
Breaches can occur in many ways, including:
Go deeper: Types of breaches
The HIPAA Breach Notification Rule requires covered entities and their business associates to notify certain parties after a breach of unsecured PHI. These parties include:
Before (and after) notifying the HHS of a (potential) data breach, there are a couple of things to consider:
Reporting timelines depend on breach size. Therefore, before notifying the HHS, organizations must determine how many individuals were affected. The number of individuals impacted dictates both the timeline and the method of reporting. As the HHS states, “If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates.”
Before notifying the HHS, healthcare organizations must ensure affected individuals are informed of the breach. Notification must occur without unreasonable delay and no later than 60 days from discovery.
Requirements for individual notifications:
The notification must include:
Go deeper: How to notify affected individuals of a breach
Read also: Managing patient communication during data breaches
After notifying the affected individuals, the HIPAA-regulated entity can notify the HHS using the HHS Breach Notification Portal.
To notify HHS, organizations must use the Office for Civil Rights (OCR) Breach Notification Portal (sometimes called the “Wall of Shame” portal).
This secure tool requires organizations to provide detailed information about the breach.
What information must be submitted?
According to HHS, “If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission. If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.”
OCR reviews these submissions to ensure compliance and may initiate investigations based on the reported information.
If a breach affects 500 or more residents of a state or jurisdiction, organizations must also notify prominent media outlets serving that area.
The notice must be provided without unreasonable delay and no later than 60 days after discovery. Moreover, it must contain the same information as the individual notices.
This requirement ensures public awareness when large-scale PHI breaches occur.
“Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach,” says the HHS. Documentation must indicate that “all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of ‘breach.’”
Read also: Guidelines for HIPAA compliant documentation and record retention
The HHS provides guidance and templates to assist covered entities in fulfilling their notification obligations. These resources include sample breach notification letters and step-by-step instructions for reporting incidents.
Failure to notify HHS of a breach can result in significant penalties. The OCR enforces compliance and can impose fines based on the level of negligence, ranging from $141 to $71,146 per violation. Prompt and thorough notification not only mitigates potential harm to individuals but also protects the organization from legal and financial consequences.
To reduce risk and ensure compliance, healthcare organizations should adopt the following best practices:
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Both covered entities and business associates are responsible for reporting breaches involving PHI under their control.
OCR may review your report and decide to investigate further. They will assess whether you complied with HIPAA requirements and may request additional documentation.