HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, the US Department of Health and Human Services (HHS), and, in some cases, the media following a breach of unsecured Protected Health Information (PHI). A breach is defined as the impermissible access, acquisition, use, or disclosure of PHI that compromises its privacy or security. Unless an organization can demonstrate a low probability of compromise through a documented risk assessment, the incident is presumed to be a reportable breach. The purpose of breach notification is to ensure transparency and give individuals the information they need to mitigate potential harm, such as identity theft or misuse of their health information.

Determining whether an incident is a breach

Not every incident involving PHI is automatically considered a breach. Organizations must conduct a risk assessment based on four required factors:
  • The nature and extent of the PHI involved, including identifiers and sensitivity
  • The unauthorized person who accessed or received the PHI
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk was mitigated, such as through prompt containment or retrieval
Certain situations qualify as exceptions, including:
  • Unintentional access by a workforce member acting in good faith
  • Inadvertent disclosures between authorized individuals within the same organization
  • Disclosures where the recipient could not reasonably retain the information
The rule applies only to unsecured PHI. PHI that is encrypted or otherwise secured according to National Institute of Standards and Technology (NIST) standards is considered protected and may not trigger notification requirements.

Notification requirements and timelines

When a breach is confirmed, HIPAA specifies how and when notifications must occur.

Notification to individuals: Affected individuals must receive written notice, by mail or email, without unreasonable delay and no later than 60 days after discovery of the breach. Notices must include:
  • A brief description of what happened
  • The types of PHI involved
  • Steps the organization is taking to investigate and mitigate the breach
  • Actions individuals can take to protect themselves
  • Contact information for questions or additional support
Notification to HHS: Breaches must be reported electronically to the HHS Office for Civil Rights (OCR):
  • Breaches affecting more than 500 individuals must be reported within 60 days of discovery
  • Breaches affecting fewer than 500 individuals may be reported annually in an aggregated submission
Notification to the media: If a breach affects more than 500 residents of a single state or jurisdiction, the organization must notify prominent local media outlets within the same 60-day window.

Role of business associates

Business associates have independent breach notification obligations. When a business associate discovers a breach, it must notify the covered entity without unreasonable delay, in accordance with the timelines specified in the Business Associate Agreement (BAA). Unless the BAA states otherwise, the covered entity is typically responsible for notifying individuals, HHS, and the media. Subcontractors must report breaches to the business associate above them, creating a clear chain of notification responsibility.

Compliance context for modern organizations

For organizations using compliance and security tooling, breach notification is closely tied to incident response and audit readiness. GRC platforms such as Sprinto or similar tools are often used to:
  • Maintain centralized breach and incident logs
  • Document breach risk assessments and mitigation steps
  • Track discovery dates and notification deadlines
  • Generate compliant notification templates
  • Prepare and submit reports to HHS
Breach notification controls are frequently aligned with ISO/IEC 27001 incident response requirements in hybrid compliance programs. As enforcement activity increases and penalties rise, reaching up to $2 million per violation category per year, timely, well-documented breach handling is critical for defensibility during investigations and audits.