Plan Before You Need the Plan
HIPAA breach notification rules are specific about timelines and procedures. Understanding them before an incident occurs means you can respond calmly and correctly when every minute counts.
What Constitutes a Breach?
A breach is an acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule that compromises the security or privacy of the information. Not every security incident is a breach. The notification rules apply only to unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable per HHS guidance, for example by encryption that meets that guidance), and the rule carves out three narrow exceptions: unintentional good-faith access by a workforce member acting within their authority, inadvertent disclosure between people authorized to access PHI at the same entity, and disclosures where you have a good-faith belief the recipient could not reasonably have retained the information. Outside those exceptions, the question is whether you can show the PHI was not compromised.
HIPAA presumes any impermissible use or disclosure of unsecured PHI is a breach unless you can demonstrate a low probability that the PHI has been compromised, based on a risk assessment that considers at least these four factors:
- The nature and extent of the PHI involved
- The unauthorized person who used or received the PHI
- Whether the PHI was actually acquired or viewed
- The extent to which risk has been mitigated
Notification Requirements
Individual Notice
You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Notice must be in writing by first-class mail (or by email if the individual has agreed to electronic notice). If you have insufficient or out-of-date contact information for 10 or more individuals, you must provide substitute notice through a conspicuous posting on your website home page for 90 days or through major print or broadcast media, with a toll-free number active for at least 90 days. The notice must include:
- A brief description of what happened, including the date of the breach and the date of discovery, if known
- The types of unsecured PHI involved (for example name, Social Security number, date of birth, address, account number, or diagnosis)
- Steps individuals should take to protect themselves from potential harm
- What you are doing to investigate the breach, mitigate harm, and protect against further breaches
- Contact procedures for questions, which must include a toll-free telephone number, an email address, a website, or a postal address
HHS Notification
- Breaches affecting 500 or more individuals: notify the HHS Secretary through the Office for Civil Rights breach reporting form at the same time you notify individuals, and no later than 60 calendar days after discovery
- Breaches affecting fewer than 500 individuals: keep a log and report them to HHS no later than 60 days after the end of the calendar year in which they were discovered
Media Notification
Breaches involving more than 500 residents of a single state or jurisdiction also require notice to prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 calendar days after discovery. Note the different thresholds and scope: HHS notice is triggered by 500 or more individuals in total, while media notice is counted per state, so a breach of 600 individuals spread across several states requires HHS notice but may require no media notice.
The Risk Assessment
Document your four-factor risk assessment thoroughly: who performed it, what evidence (logs, forensic findings, interviews, attestations from the recipient) was examined, and the conclusion reached for each factor. The burden of proof is on you. If HHS investigates, you must be able to demonstrate either that all required notifications were made or that the incident did not meet the definition of a breach. A well-documented assessment showing low probability of compromise can mean the difference between a reportable breach and a security incident that stays internal.
What to Do Right Now
- Write your breach notification procedures before you need them
- Identify who makes the breach determination (legal, privacy, and security together) and who signs off on the documented risk assessment
- Pre-draft notification letter templates
- Know your state-specific requirements (many states have their own breach notification laws, often with shorter deadlines or different triggers, and they apply alongside HIPAA)
- Have contact information for HHS, your cyber insurance carrier, legal counsel, and the business associates that handle your PHI readily accessible (a business associate must notify you of a breach without unreasonable delay and no later than 60 days after it discovers the breach, so your own deadline can depend on how quickly that notice reaches you)
The 60-day clock starts on the day the breach is discovered, meaning the first day it is known to anyone in your workforce or any agent (other than the person who committed it), or would have been known had you exercised reasonable diligence. Sixty days is a ceiling, not a target: the standard is "without unreasonable delay," and waiting close to the deadline without a documented reason can itself be found unreasonable. Time spent figuring out your notification process is time you don't have.