HIPAA Breach Notification: What to Do After a Breach
When unsecured protected health information is exposed, HIPAA presumes a breach and starts a clock the moment you discover it. Here is what the Breach Notification Rule (45 CFR 164.400-414) actually requires — the four-factor analysis, the notification matrix, and where a written procedure helps.
What counts as a breach of unsecured PHI
The HIPAA Breach Notification Rule lives at 45 CFR 164.400-414, and the word that does the heavy lifting is "unsecured." A breach, under 45 CFR 164.402, is the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of that information. But the notification obligations only attach to a breach of unsecured PHI — meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance, principally encryption or proper destruction.
That "unsecured" qualifier creates what is commonly called the encryption safe harbor. If a stolen laptop's drive was encrypted to the standard HHS guidance describes, and the key was not also compromised, the exposed data is not "unsecured" PHI and the loss is generally not a reportable breach. The same logic applies to PHI that has been securely destroyed. This is one of the most practical reasons encryption is treated as the expected default for laptops, portable media, and PHI in transit: it can take an incident out of breach-notification territory entirely. Note that the specific encryption and destruction methodologies are set out in HHS guidance rather than in the CFR text itself, so confirm the current methods at hhs.gov.
The definition also carves out three exceptions in 45 CFR 164.402(1): an unintentional, good-faith acquisition or use by a workforce member acting within their authority; an inadvertent disclosure between two people both authorized to access PHI at the same covered entity, business associate, or organized health care arrangement; and a disclosure where the covered entity or business associate has a good-faith belief the unauthorized recipient could not reasonably have retained the information. If an event fits one of these, it is not a breach. This article is general information, not legal advice; the rule is detailed and updated over time, so verify the current text and your specific obligations at hhs.gov or with qualified counsel.
The presumption and the four-factor risk assessment
The most important structural feature of the rule is the presumption. Under 45 CFR 164.402, an impermissible use or disclosure of PHI is presumed to be a breach — and therefore notifiable — unless the covered entity or business associate demonstrates that there is a low probability the PHI has been compromised. The default is that you notify; the burden is on you to show why you should not, and 45 CFR 164.414(b) places that burden of proof squarely on the entity.
You rebut the presumption by performing and documenting a four-factor risk assessment. The four factors are: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed, as opposed to merely exposed; and (4) the extent to which the risk to the PHI has been mitigated, for example by a recipient's signed assurance of destruction. You weigh all four together to reach a defensible conclusion about the probability of compromise.
Getting the direction right matters: a low probability of compromise is what rebuts the presumption of a breach. If your honest, documented assessment cannot demonstrate that low probability, the event is treated as a breach and the notification clock applies. One clarification worth stating plainly, because the terminology collides: this four-factor breach risk assessment is a different obligation from the Security Rule risk analysis required by 45 CFR 164.308(a)(1). The Security Rule analysis is a periodic, program-wide assessment of risks to all your ePHI; the four-factor assessment is an incident-specific judgment about one particular impermissible use or disclosure. Both are required; they answer different questions.
Notifying affected individuals
Once an event is a breach of unsecured PHI, 45 CFR 164.404 requires the covered entity to notify each affected individual. The timing standard is "without unreasonable delay," and in no case later than 60 calendar days after the breach is discovered. Read that carefully: 60 days is the outer ceiling, not the target. If you can reasonably notify sooner, you are expected to. A breach is treated as discovered on the first day on which it is known to the covered entity, or on which it would have been known had the entity exercised reasonable diligence.
The notice itself has required content. It must be written in plain language and include, to the extent known, a brief description of what happened and the date of the breach and of its discovery; the types of information involved (for example, name, Social Security number, diagnosis, or account number); the steps individuals should take to protect themselves; what the covered entity is doing to investigate, mitigate harm, and protect against further breaches; and contact procedures, including a toll-free number, email, website, or postal address.
Notice is delivered by first-class mail to the individual's last known address, or by email if the individual has agreed to electronic notice. The rule also addresses harder cases: where contact information is insufficient or out of date for ten or more individuals, you must provide substitute notice, such as a conspicuous posting on your website for 90 days or notice in major print or broadcast media, together with a toll-free number active for at least 90 days. There is also a provision allowing a law enforcement official to request a delay in notification where notice would impede an investigation.
Notifying HHS and the media
Beyond the individuals themselves, the rule sets out two further notification tracks, and the thresholds that govern them are not the same number — a point that trips up many practices. Notice to the Secretary of HHS is governed by 45 CFR 164.408, and it splits on a count of 500. For a breach affecting 500 or more individuals, you must notify HHS contemporaneously with the individual notices — without unreasonable delay and no later than 60 days after discovery. These larger breaches are also the ones that appear on the public HHS breach portal, sometimes informally called the "wall of shame."
For a breach affecting fewer than 500 individuals, the HHS notice runs on a different schedule. You log the breach and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered. In practice this means maintaining a running breach log throughout the year and submitting the smaller incidents in an annual batch. The individual notices for those smaller breaches are still due within the usual without-unreasonable-delay, 60-day-from-discovery window — only the HHS reporting is deferred to the annual cycle.
Media notification, under 45 CFR 164.406, is a separate trigger with a deliberately different threshold. If a breach affects more than 500 residents of a single State or jurisdiction, the covered entity must also notify prominent media outlets serving that State or jurisdiction, again without unreasonable delay and no later than 60 days after discovery. The asymmetry is real and worth internalizing: the media test counts residents within one State or jurisdiction ("more than 500"), while the HHS contemporaneous test counts total affected individuals ("500 or more"). A breach affecting 600 people spread thinly across many states could require contemporaneous HHS notice yet trigger no media notice if no single state exceeds 500. Because these thresholds and timelines are precise, confirm the current text at hhs.gov before relying on a specific figure.
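Because the three tracks (individual, HHS, media) use two different thresholds and two different HHS schedules, it helps to see the decision logic written out once. The following Python helper is an added example, not part of the original article or any ComplianceDocs product: it takes a discovery date, the safe-harbor and four-factor outcomes, and a constructed per-State headcount, and returns which tracks apply with their outer deadlines as the article states them. The `Incident` fields, the sample State counts, and the ISO-date convention are assumptions made for illustration; the dates it produces are the regulatory ceilings, not targets, and a law-enforcement delay or a stricter BAA clause would change them.

```python
"""Notification-track triage for a suspected breach of unsecured PHI.

Added example, not from the original article. It encodes the thresholds and
outer deadlines of 45 CFR 164.400-414 as the article describes them; the
Incident fields and the sample counts are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

OUTER_DEADLINE_DAYS = 60          # "no later than 60 calendar days" after discovery
HHS_CONTEMPORANEOUS_MIN = 500     # 45 CFR 164.408: "500 or more" individuals
MEDIA_STATE_THRESHOLD = 500       # 45 CFR 164.406: "more than 500" residents of one State


@dataclass
class Incident:
    # Date the breach was known, or would have been known with reasonable diligence (ISO format)
    discovered: str
    # PHI was encrypted/destroyed per HHS guidance and the key was not also compromised
    secured_phi: bool = False
    # A documented four-factor assessment showed a low probability of compromise
    low_probability_documented: bool = False
    # Affected individuals by State/jurisdiction of residence, e.g. {"TX": 300} (constructed)
    affected_by_state: dict[str, int] = field(default_factory=dict)


def total_affected(inc: Incident) -> int:
    return sum(inc.affected_by_state.values())


def outer_deadline(discovered: date) -> date:
    # The 60-day ceiling that applies to individual, contemporaneous-HHS and media notice
    return discovered + timedelta(days=OUTER_DEADLINE_DAYS)


def annual_hhs_deadline(discovered: date) -> date:
    # Sub-500 breaches: logged and reported no later than 60 days after the end
    # of the calendar year in which they were discovered.
    return date(discovered.year, 12, 31) + timedelta(days=OUTER_DEADLINE_DAYS)


def notification_plan(inc: Incident) -> dict:
    """Return which notification tracks apply and their outer deadlines (ISO strings).

    The two early returns mirror the rule's order: first ask whether the PHI was
    "unsecured" at all, then whether the presumption of breach was rebutted.
    """
    if inc.secured_phi:
        return {"breach_of_unsecured_phi": False,
                "reason": "PHI secured per HHS guidance (encryption/destruction safe harbor)"}
    if inc.low_probability_documented:
        return {"breach_of_unsecured_phi": False,
                "reason": "documented four-factor assessment showed low probability of compromise"}

    discovered = date.fromisoformat(inc.discovered)
    ceiling = outer_deadline(discovered)
    n = total_affected(inc)
    hhs_contemporaneous = n >= HHS_CONTEMPORANEOUS_MIN
    # Media test is per State: strictly more than 500 residents of a single State
    media_states = sorted(s for s, c in inc.affected_by_state.items() if c > MEDIA_STATE_THRESHOLD)

    return {
        "breach_of_unsecured_phi": True,
        "total_affected": n,
        # 45 CFR 164.404: individual notice without unreasonable delay, 60-day ceiling
        "individual_notice_deadline": ceiling.isoformat(),
        # 45 CFR 164.408: contemporaneous HHS notice at 500 or more, otherwise annual log
        "hhs_notice": "contemporaneous" if hhs_contemporaneous else "annual_log",
        "hhs_deadline": (ceiling if hhs_contemporaneous else annual_hhs_deadline(discovered)).isoformat(),
        # 45 CFR 164.406: media notice only where one State exceeds 500 residents
        "media_notice_states": media_states,
        "media_deadline": ceiling.isoformat() if media_states else None,
    }


if __name__ == "__main__":
    # Constructed sample: the article's 600-spread-thinly-across-States case
    spread = Incident("2024-03-01", affected_by_state={"TX": 200, "OK": 200, "NM": 200})
    for key, value in notification_plan(spread).items():
        print(f"{key}: {value}")
```

Run against the article's own scenario (600 individuals, 200 in each of three States), the helper reports contemporaneous HHS notice but no media notice, while 500 individuals all in one State triggers HHS contemporaneous notice and still no media notice, and 501 in one State triggers both. The sub-500 path shows the deferred HHS deadline landing in the following calendar year even though the individual-notice ceiling is unchanged.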
The business associate's duty to notify the covered entity
Many breaches do not happen at the covered entity at all — they happen at a vendor. When the entity that suffers the breach is a business associate (a billing company, a cloud EHR provider, an IT firm with PHI access), 45 CFR 164.410 governs what it owes the covered entity. The business associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovering the breach.
The business associate's notice must, to the extent possible, identify each individual whose PHI was or is reasonably believed to have been involved, and provide the other information the covered entity needs to make its own notifications under the rule. In other words, the business associate is not the one notifying patients, HHS, or the media in the first instance — the covered entity carries those obligations — but the business associate has to hand over enough detail, promptly, for the covered entity to meet its own deadlines.
There is a timing wrinkle worth understanding. Whose 60-day clock starts when can depend on whether the business associate is acting as the covered entity's agent under the federal common law of agency. If it is, the business associate's discovery can be imputed to the covered entity, effectively starting the covered entity's clock earlier. This is one reason a well-drafted Business Associate Agreement often shortens the vendor's reporting window contractually — for example, requiring notice within a handful of days rather than the full 60 — so the covered entity is not left with little of its own statutory window remaining. The duty to notify exists by regulation regardless of what the contract says, but the contract is where you tune the timing in your favor.
Being ready before discovery: documentation and the burden of proof
The recurring lesson across 45 CFR 164.400-414 is that the clock starts at discovery, not at the moment you finish investigating. By the time you confirm what happened, days of your without-unreasonable-delay window may already be gone. The practices that handle breaches well are the ones that decided in advance who does what — who runs the four-factor assessment, who drafts the individual notices, who reports to HHS, who fields press inquiries — rather than improvising those roles during a live incident.
Documentation is not an afterthought here; it is a legal requirement. Under 45 CFR 164.414(b), the covered entity or business associate carries the burden of demonstrating either that all required notifications were made, or that an impermissible use or disclosure was not a reportable breach because the four-factor assessment showed a low probability of compromise. If you decide not to notify, you must be able to produce the contemporaneous risk assessment that justified that decision. "We didn't think it rose to a breach" is not a defense; the written analysis is.
This is where a pre-built breach notification procedure earns its place. The ComplianceDocs HIPAA toolkits — for medical, dental, and mental-health practices — include an editable Breach Notification Procedure alongside the broader policy set, the Security Risk Assessment workbook, and an audit-evidence checklist. The value is having the steps, the four-factor framework, the notice-content requirements, and the timelines written down and tailored to your office before an incident forces you to learn them under pressure. Be clear about what that does and does not do: a documented procedure is the readiness layer, not compliance itself. No template makes a practice "HIPAA compliant" or "certified" — there is no such certification, and OCR enforces based on whether you actually conducted the assessment, made the required notifications, and can prove it. The toolkit removes the slow part, drafting from a blank page, so your limited time goes to operating the procedure when it counts. As always, confirm the current rules at hhs.gov and consult qualified counsel for your situation.
Frequently asked questions
- Is every accidental disclosure of PHI a reportable HIPAA breach?
- No. The Breach Notification Rule presumes an impermissible use or disclosure is a breach, but you can rebut that presumption by documenting a four-factor risk assessment showing a low probability that the PHI was compromised. Three exceptions in 45 CFR 164.402(1) also apply — such as a good-faith, unintentional access by an authorized workforce member, or an inadvertent disclosure between two people both authorized at the same organization. And if the PHI was "secured" through encryption or destruction per HHS guidance, it is not unsecured PHI, so its exposure is generally not reportable at all. The key is that the burden is on you to demonstrate why an event is not a breach, and to document that conclusion.
- How long do I have to notify individuals after a HIPAA breach?
- The standard under 45 CFR 164.404 is "without unreasonable delay" and in no case later than 60 calendar days after the breach is discovered. The 60 days is an outer ceiling, not a target — if you can reasonably notify sooner, you are expected to. A breach is considered discovered on the first day it is known, or by reasonable diligence would have been known, so the clock starts at discovery, not when your investigation concludes. Building the notification steps before an incident is the practical way to avoid burning your window.
- When do I have to notify HHS and the media, and are the thresholds the same?
- They are different numbers, which is a common source of confusion. For HHS notice (45 CFR 164.408), a breach affecting 500 or more individuals must be reported contemporaneously with individual notice — without unreasonable delay and no later than 60 days after discovery — while breaches affecting fewer than 500 individuals are logged and reported annually, no later than 60 days after the end of the calendar year. Media notice (45 CFR 164.406) has a separate trigger: a breach affecting more than 500 residents of a single State or jurisdiction requires notifying prominent media serving that area. So the media test counts residents in one state ("more than 500"), while the HHS contemporaneous test counts total individuals ("500 or more").
- What does my business associate have to do if it causes a breach?
- Under 45 CFR 164.410, a business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and must provide enough detail — including, to the extent possible, the affected individuals — for the covered entity to make its own required notifications. The business associate generally does not notify patients, HHS, or the media itself; the covered entity carries those duties. Because the business associate's discovery can sometimes be imputed to the covered entity, many Business Associate Agreements contractually shorten the vendor's reporting window so the covered entity keeps enough of its own 60-day window.
- Is the four-factor breach risk assessment the same as the HIPAA Security Rule risk analysis?
- No — they share the word "risk" but answer different questions. The four-factor breach risk assessment (45 CFR 164.402) is incident-specific: after a particular impermissible use or disclosure, you weigh the nature of the PHI, who received it, whether it was actually acquired or viewed, and how the risk was mitigated, to decide whether the event is a reportable breach. The Security Rule risk analysis (45 CFR 164.308(a)(1)) is a periodic, program-wide assessment of risks to all the ePHI your organization holds. Both are required obligations; one is triggered by an incident, the other is an ongoing part of your security program.