No security program is perfect, so HIPAA assumes breaches will sometimes happen and requires a clear, prompt response. Understanding the rule before an incident occurs is what allows you to respond correctly under pressure.
What counts as a breach
Under the rule, a breach is generally the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. Not every impermissible use is automatically a reportable breach — but the rule presumes a breach has occurred unless the organization can demonstrate a low probability that PHI was compromised.
Knowing how to make and document that determination is a core part of sound HIPAA compliance, because it dictates whether and how you must notify.
The four-factor risk assessment
To determine whether an impermissible use or disclosure is a reportable breach, the rule requires a risk assessment considering at least four factors: the nature and extent of the PHI involved, including the types of identifiers; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.
Unless this assessment shows a low probability of compromise, the incident is treated as a breach and notification obligations apply.
The encryption safe harbor
One of the most important provisions is the safe harbor for encrypted data. If PHI is encrypted to the standards specified by HHS and the encryption keys are not compromised, lost or stolen data is generally not considered “unsecured” PHI, and the breach-notification requirements do not apply. This is a major reason encryption is so strongly encouraged: it can convert a reportable breach into a non-event.
Notifying affected individuals
When a breach of unsecured PHI occurs, covered entities must notify each affected individual without unreasonable delay and no later than 60 days after discovery. The notice must describe what happened, the types of information involved, steps individuals should take to protect themselves, what the organization is doing in response, and how to ask questions. Notification is generally by first-class mail, or email if the individual has agreed to electronic notice.
Notifying HHS
Covered entities must also notify the Secretary of HHS. For breaches affecting 500 or more individuals, notice to HHS must be provided without unreasonable delay and no later than 60 days after discovery. For breaches affecting fewer than 500 individuals, the organization may maintain a log and notify HHS annually, within 60 days after the end of the calendar year in which the breach was discovered. The size of the breach therefore changes the timing of regulator notification.
Notifying the media
For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must also notify prominent media outlets serving that area, again within 60 days of discovery. Media notification ensures broad public awareness for large incidents and is one of the reasons major breaches become public quickly.
Business associate obligations
When a breach occurs at a business associate, the business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery. The Business Associate Agreement typically specifies the timing and content of this notice. The covered entity then carries out the individual, HHS, and media notifications, though responsibilities can be allocated by contract.
Building a breach response plan
Because notification timelines are tight, organizations should prepare in advance. A breach response plan defines how incidents are detected, escalated, and investigated; who conducts the four-factor risk assessment; how notifications are drafted and sent; and how the incident is documented. Pre-drafted notice templates and a clear chain of responsibility save critical days when an incident occurs.
Documentation and the burden of proof
The rule places the burden of proof on the organization. If you decide an incident is not a reportable breach, you must document the risk assessment that supports that conclusion. If you do notify, you must document the notifications made. Regulators expect to see this documentation, and inability to demonstrate a reasoned, documented decision is itself a compliance problem.
Why the Breach Notification Rule matters
The Breach Notification Rule turns transparency into a legal obligation. It ensures patients learn promptly when their information has been exposed so they can protect themselves, and it creates a powerful incentive for organizations to secure data — especially through encryption. Handling a breach correctly, with prompt notification and clear documentation, can significantly limit both regulatory exposure and reputational harm.
Detecting breaches quickly
The notification clock starts when a breach is discovered, so the speed of detection directly affects your ability to respond within deadlines. Monitoring, audit-log review, and a clear internal reporting channel help organizations discover incidents promptly rather than learning of them weeks later. The sooner a potential breach surfaces, the more time you have to investigate, assess, and notify correctly.
Mitigation and response
Once a breach is identified, prompt mitigation can reduce harm and even influence the four-factor risk assessment. Containing the exposure, recovering or remotely wiping lost devices, disabling compromised credentials, and confirming whether data was actually accessed all matter. Strong mitigation demonstrates diligence and can lower the probability that PHI was compromised.
Common breach scenarios
Most reported breaches follow familiar patterns: lost or stolen unencrypted laptops and devices, misdirected emails and faxes, hacking and ransomware incidents, improper disposal of records, and unauthorized access by insiders. Recognizing these common scenarios helps organizations target their safeguards — encryption, access controls, and training — at the failures most likely to occur.
State breach laws
HIPAA is not the only breach-notification regime. Nearly every US state has its own data-breach notification law, and these can impose additional or stricter requirements, including different timelines and triggers. When a breach involves residents of multiple states, organizations must reconcile HIPAA with the applicable state laws, which is one reason a well-prepared response plan considers the full legal landscape, not HIPAA alone.
Notification content and methods
The method and content of notification matter as much as the timing. Individual notices must be written in plain language and sent by first-class mail to the last known address, or by email where the individual has agreed to electronic notice. If contact information is insufficient or out of date for ten or more individuals, the rule requires a substitute notice, such as a conspicuous posting on the organization’s website or notice in major print or broadcast media.
Getting these details right ensures affected individuals actually receive the information they need to protect themselves, which is the entire purpose of the rule.
Learning from a breach
A breach should trigger more than notification — it should drive improvement. After resolving an incident, organizations should revisit the root cause, update their risk analysis, and strengthen the safeguards that failed. Regulators look favorably on organizations that demonstrate they learned from an incident and reduced the chance of recurrence, and the same review genuinely lowers future risk.
Treating each incident as a feedback loop — detect, respond, notify, then remediate and improve — is what turns a painful event into a stronger security posture over time. A well-rehearsed response is one of the clearest signs of mature HIPAA compliance.