What is the Breach Notification Rule?
The HIPAA Breach Notification Rule (45 CFR 164.400-414) requires covered entities and business associates to notify affected individuals, the HHS Secretary, and in some cases the media when unsecured protected health information (PHI) is breached. Individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified, and a breach involving more than 500 residents of a single state or jurisdiction also requires notice to prominent media serving that area.
This rule matters because it turns a security incident into a set of hard legal deadlines and public-facing obligations. Any acquisition, access, use, or disclosure of unsecured PHI that the Privacy Rule does not permit is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. That assessment must weigh at least four factors: the nature and extent of the PHI involved (including how identifiable it is and how likely it is to be re-identified), who the unauthorized person was, whether the PHI was actually acquired or viewed rather than merely exposed, and how far the risk has been mitigated. The burden of proof is on the entity, so the assessment has to be written down, not just concluded.
For example, a stolen unencrypted laptop holding patient records triggers individual notice within 60 days of discovery and, because it affects 500 or more individuals, a report to HHS at the same time; if more than 500 of those individuals live in one state or jurisdiction, the practice must also notify prominent local media. Breaches affecting fewer than 500 individuals are entered in a breach log and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered. PHI encrypted in a way consistent with the HHS guidance (which points to the relevant NIST publications for data at rest and in transit) is not "unsecured," so losing the device is not a reportable breach as long as the decryption key was not also compromised. That safe harbor is why full-disk encryption on laptops and removable media is one of the highest-value controls a practice can deploy.
Having a written incident-response and breach-notification procedure, plus notification templates and a breach log, lets you act inside the deadlines instead of scrambling. Templates accelerate readiness, but they do not prevent breaches or make you compliant on their own — you still have to detect, assess, and report incidents correctly.
Related terms: Incident Response · HIPAA Security Rule · Encryption · Protected Health Information (PHI)
Frequently asked questions
- What is the deadline to notify individuals after a breach?
- Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known to the entity, or would have been known had reasonable diligence been exercised, and knowledge held by any workforce member or agent counts. The clock starts then, not when the full scope is confirmed, and 60 days is an outer limit rather than a target: waiting that long when notice could have been sent sooner can itself be an unreasonable delay.
- When do I have to notify HHS and the media?
- Breaches affecting 500 or more individuals must be reported to HHS at the same time the affected individuals are notified, that is, without unreasonable delay and within 60 days of discovery. If the breach involves more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area within the same window. Breaches affecting fewer than 500 individuals are recorded in a breach log and submitted to HHS no later than 60 days after the end of the calendar year in which they were discovered.
- Is every unauthorized disclosure a reportable breach?
- Not automatically. An impermissible use or disclosure is presumed to be a breach unless a documented four-factor risk assessment demonstrates a low probability that the PHI was compromised. The rule also carves out narrow exceptions, such as unintentional good-faith access by a workforce member acting within their authority, or a disclosure to a person who could not reasonably have retained the information. PHI encrypted consistent with HHS guidance is not considered unsecured, provided the decryption key was not compromised along with the data.
Toolkits that cover the Breach Notification Rule
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
HIPAA Compliance Toolkit — Dental Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.
HIPAA Compliance Toolkit — Mental Health Practices
18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist.
Learn more in our HIPAA guide, explore the editable policy templates, or browse the full compliance glossary.
