HIPAA Compliance

HIPAA Breach Notification Rule: Requirements, Timelines, and Obligations

When a breach of unsecured protected health information occurs, the clock starts at discovery, not at the end of the investigation. The HIPAA Breach Notification Rule governs who must be notified, by when, and through which channels. The 60-day federal deadline is an outer limit, not a target: notice must go out "without unreasonable delay," state breach laws may impose shorter windows, and organizations that miss the deadline face penalty exposure separate from the underlying security failure.

What Constitutes a Reportable Breach

Under 45 CFR Part 164, Subpart D, a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. The presumption is that any impermissible use or disclosure is a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a four-factor risk assessment.
Those four factors are: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the identity of the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. All four must be evaluated and documented before an organization can conclude that an impermissible disclosure does not rise to the level of a reportable breach. The burden of proof is on the covered entity or business associate, so the analysis must be completed in writing and retained for the six-year period that applies to HIPAA documentation generally.
Three specific exceptions exist: unintentional acquisition, access, or use by a workforce member acting in good faith and within the scope of authority, provided the PHI is not further used or disclosed impermissibly; inadvertent disclosure between two persons authorized to access PHI at the same covered entity or business associate (or the same organized health care arrangement), again with no further impermissible use or disclosure; and a disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient could not reasonably have retained the information. These exceptions are narrow and must be documented if relied upon.

The Three Notification Obligations

Notification to Affected Individuals

Covered entities must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach. This notification must be provided without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. Discovery is defined as the first day on which the breach is known, or reasonably should have been known, to any workforce member or agent of the covered entity other than the person who committed the breach.
The notification must be written in plain language and must include: a brief description of what happened, including the date of the breach and the date of discovery; a description of the types of PHI involved; steps individuals should take to protect themselves; a brief description of what the covered entity is doing to investigate the breach, mitigate harm, and protect against future incidents; and contact procedures for individuals to ask questions or learn additional information.
The default notification method is first-class mail to the individual's last known address, or email if the individual has agreed to electronic notice. Where contact information is insufficient or out of date, substitute notice is required. For fewer than ten affected individuals, an alternative form of written notice, telephone, or other means is acceptable. For ten or more, the covered entity must either post a conspicuous notice on its website home page for at least 90 days or publish notice in major print or broadcast media serving the affected geographic area, and in either case must include a toll-free number, active for at least 90 days, that individuals can call to learn whether their PHI was involved. In urgent cases involving possible imminent misuse, telephone or other means may be used in addition to written notice.

Notification to the HHS Secretary

All breaches of unsecured PHI must be reported to the HHS Secretary. The timing depends on the number of individuals affected in total, not per state. Breaches affecting 500 or more individuals must be reported to HHS contemporaneously with the notice to affected individuals, which means without unreasonable delay and in no case later than 60 calendar days after discovery. These notifications are submitted electronically through the HHS breach reporting portal, and breaches of 500 or more are posted on the public HHS breach list (commonly called the "Wall of Shame"). Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which the breach was discovered; each such breach is submitted as its own entry. The annual option applies only to the HHS report: notification to affected individuals is still due within 60 days of discovery regardless of breach size.

Notification to Prominent Media Outlets

When a breach affects 500 or more residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction, again within 60 calendar days of discovery. This requirement operates independently of the HHS notification — both are required simultaneously for large breaches, not sequentially.

Business Associate Breach Notification Obligations

A business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and must provide the identification of affected individuals to the extent possible, along with any other information the covered entity needs for its own notices. Whether the 60-day clock for individual notification starts at the business associate's discovery or at the covered entity's depends on the relationship: if the business associate is an agent of the covered entity under the federal common law of agency, the business associate's discovery is imputed to the covered entity and the clock starts then; if the business associate is an independent contractor, the covered entity's clock starts when it receives the business associate's report. In the agency case, every day the vendor waits is a day taken from the covered entity's own window. The BAA must require the business associate to report breaches, and it should state the reporting timeline explicitly; vendor contracts commonly require notification to the covered entity within a substantially shorter window than the regulatory maximum (10 to 15 days is a typical contractual term) to preserve the covered entity's ability to investigate and still meet the deadline.
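The timelines in the four sections above (individual, HHS, media, and business associate notice) interact in ways that are easy to get wrong under pressure: the HHS threshold counts affected individuals in total while the media threshold counts residents per state or jurisdiction, the annual HHS option never extends the individual deadline, and an agent business associate's discovery date moves the whole clock backwards. The following deadline calculator is an added worked example written for this page; it is not code from the original article or from any vendor. It encodes only the rules stated on the page plus the substitute-notice thresholds from the Rule; the `contract_days` parameter, the `Breach` and `Obligations` names, and the sample breaches are assumptions constructed for illustration. It is a planning aid, not legal advice, and any state-law deadlines would need to be layered on separately.

```python
"""Deadline calculator for the HIPAA Breach Notification Rule timelines.

Added worked example for this page; not the article's or any vendor's code.
Encodes: 60 calendar days from discovery for individual notice; HHS notice
contemporaneous with individual notice at 500+ individuals in total, otherwise
within 60 days after the end of the calendar year of discovery; media notice for
any state/jurisdiction with 500+ affected residents; BA-to-CE notice within 60 days
of the BA's discovery, with an agent BA's discovery imputed to the covered entity.
The contractual BA window (contract_days) is an assumed BAA term, not a regulatory one.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_DAYS = 60            # outer federal limit for individual, HHS (500+), media and BA notice
LARGE_BREACH = 500          # HHS contemporaneous-notice threshold (total) and media threshold (per jurisdiction)
SUBSTITUTE_NOTICE_MIN = 10  # web/media substitute notice with toll-free number applies at 10+ bad addresses


@dataclass
class Breach:
    ce_discovered: date                         # first day a CE workforce member or agent knew or should have known
    affected_by_jurisdiction: Dict[str, int]    # e.g. {"TX": 612, "NM": 40}; constructed sample data
    ba_discovered: Optional[date] = None        # date the business associate discovered it, if a BA was involved
    ba_is_agent: bool = False                   # agency relationship imputes the BA's discovery to the CE
    bad_addresses: int = 0                      # individuals with insufficient or out-of-date contact information


@dataclass
class Obligations:
    discovery_date: date
    individual_deadline: date
    hhs_deadline: date
    hhs_basis: str
    media_jurisdictions: List[str]
    ba_to_ce_deadline: Optional[date]
    ba_contract_deadline: Optional[date]
    substitute_notice: str


def effective_discovery(b: Breach) -> date:
    """An agent BA's discovery is treated as the covered entity's own discovery."""
    if b.ba_discovered is not None and b.ba_is_agent:
        return min(b.ce_discovered, b.ba_discovered)
    return b.ce_discovered


def compute_obligations(b: Breach, contract_days: int = 10) -> Obligations:
    discovered = effective_discovery(b)
    individual_deadline = discovered + timedelta(days=NOTICE_DAYS)
    total = sum(b.affected_by_jurisdiction.values())

    # HHS: total count decides the timing; the annual option never delays individual notice.
    if total >= LARGE_BREACH:
        hhs_deadline, hhs_basis = individual_deadline, "contemporaneous with individual notice"
    else:
        year_end = date(discovered.year, 12, 31)
        hhs_deadline, hhs_basis = year_end + timedelta(days=NOTICE_DAYS), "annual log"

    # Media: evaluated per state or jurisdiction, independently of the HHS total.
    media = sorted(j for j, n in b.affected_by_jurisdiction.items() if n >= LARGE_BREACH)

    ba_deadline = ba_contract = None
    if b.ba_discovered is not None:
        ba_deadline = b.ba_discovered + timedelta(days=NOTICE_DAYS)
        ba_contract = b.ba_discovered + timedelta(days=contract_days)  # assumed BAA term

    if b.bad_addresses >= SUBSTITUTE_NOTICE_MIN:
        substitute = "website posting (90 days) or major print/broadcast media, plus toll-free number"
    elif b.bad_addresses > 0:
        substitute = "alternative written notice, telephone or other means"
    else:
        substitute = "none required"

    return Obligations(discovered, individual_deadline, hhs_deadline, hhs_basis,
                       media, ba_deadline, ba_contract, substitute)


if __name__ == "__main__":
    # Constructed sample: agent BA found it 10 days before the CE did; 500+ residents in one state.
    sample = Breach(ce_discovered=date(2024, 3, 1),
                    affected_by_jurisdiction={"TX": 612, "NM": 40},
                    ba_discovered=date(2024, 2, 20), ba_is_agent=True, bad_addresses=12)
    for field_name, value in vars(compute_obligations(sample)).items():
        print(f"{field_name:22} {value}")
```

Two edge cases the calculator makes visible: a breach of 550 people split 300/250 across two states triggers contemporaneous HHS notice but no media notice, and a non-agent business associate's earlier discovery does not move the covered entity's deadline, even though it is still the business associate's own 60-day obligation.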

The Safe Harbor: Encryption and Rendering PHI Unusable

The Breach Notification Rule applies only to unsecured PHI. PHI is considered secured, and therefore outside the Rule's scope, when it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by one of the methods in HHS guidance. For encryption, the guidance points to NIST Special Publication 800-111 for data at rest and to FIPS 140-2 validated processes for data in motion (such as the TLS and IPsec configurations covered by NIST SP 800-52 and SP 800-77). The safe harbor has an important condition: it applies only if the confidential process or key that could decrypt the data was not itself compromised. A stolen laptop with full-disk encryption qualifies; an encrypted database dumped by an attacker who also obtained the key does not. For destruction, paper, film, and other hard copy must be shredded or destroyed so that the PHI cannot be read or reconstructed, and electronic media must be cleared, purged, or destroyed consistent with NIST SP 800-88. This safe harbor is a core reason why organizations that implement encryption, an addressable specification under the Technical Safeguards, materially reduce their breach notification exposure; it is also a reason to make encryption status and key custody part of the evidence an incident responder collects on day one.

Penalties for Breach Notification Failures

Failure to provide timely, complete breach notification is itself a HIPAA violation subject to civil monetary penalties, independent of the underlying security failure that caused the breach. The penalty tier depends on the level of culpability: a late notification attributable to reasonable cause carries lower penalties than one resulting from willful neglect, and willful neglect that is not corrected within 30 days of when the organization knew or should have known of the violation sits in the highest tier. Repeat violations and unaddressed systemic gaps in the notification process attract the highest penalties. The Security Rule update proposed by HHS in early 2025 would, if finalized, require written incident response plans and procedures, further tightening the evidentiary standard for how quickly an organization detects, assesses, and escalates a breach.

Building Breach Notification Readiness Into Operations

Breach notification readiness is not a legal review exercise; it is an operational capability that must be built before an incident occurs. Organizations that discover within the 60-day window that they lack current individual contact information, a complete inventory of affected systems and data, a reliable way to establish the discovery date, or a functioning notification process are at significant risk of compounding a security failure with a compliance failure. Armorstack's 100+ technical experts integrate breach detection, classification, and notification workflow support across the SENTRY and VERITY practices. Our SENTRY Managed Detection and Response capability provides the continuous monitoring and incident response infrastructure that establishes the discovery date with forensic precision and generates the artifact chain required for both individual notification and HHS reporting. Combined with your risk assessment program and BAA governance, this is a complete breach lifecycle program. Explore our compliance services hub or start with the 90-Day Proof to evaluate your current notification readiness posture.