HIPAA Breach Notification Rule: A Plain-English Guide

When a HIPAA breach happens at your practice, the clock starts ticking — and the decisions you make in the first hours and days matter enormously. The HIPAA Breach Notification Rule sets out exactly what you must do, who you must notify, and when. This plain-English guide explains the rule for dental offices, medical clinics, therapy practices, pharmacies, and other small healthcare organizations.

What Is the HIPAA Breach Notification Rule?

The Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered healthcare entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media when there is a breach of unsecured protected health information (PHI).

The rule was finalized as part of the HITECH Act and has been in effect since 2009. It applies to all covered entities — including small practices — and to their business associates, who must notify the covered entity of any breach they cause or discover.

What Counts as a HIPAA Breach?

Under the rule, a breach is an unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of that information.

That definition is intentionally broad. Common examples of events that may constitute a breach include:

  • An email containing patient records sent to the wrong recipient
  • A laptop containing unencrypted patient data that is lost or stolen
  • A ransomware attack that encrypts or exfiltrates ePHI
  • A staff member accessing patient records without a treatment, payment, or operations reason
  • A fax sent to the wrong number containing patient information
  • A patient portal account accessed without the patient's authorization
  • Paper records accidentally disposed of without shredding

What makes something a breach isn't just that it happened — it's whether the information was "compromised." HIPAA presumes a breach has occurred unless you can demonstrate through a four-factor risk assessment that there is a low probability that the PHI was actually compromised.

The Four-Factor Risk Assessment

Before you can determine whether an incident rises to the level of a reportable breach, you must conduct a risk assessment evaluating:

1. The Nature and Extent of the PHI Involved

What types of information were exposed? Clinical diagnoses, financial information, and Social Security numbers create higher risk than appointment dates or general contact information. How many individuals' data was affected?

2. Who Accessed or Could Have Accessed the Information

Did a known, trustworthy individual accidentally receive the information? Was it exposed publicly online? Was it accessed by a competitor or malicious actor? The identity and likely intent of the recipient matter.

3. Whether the PHI Was Actually Acquired or Viewed

In some cases, an unauthorized disclosure occurs but there is evidence the data was never actually accessed. A misdirected fax received by a business that immediately confirms it destroyed the fax without reading it presents lower risk than a disclosure to an unknown party.

4. The Extent to Which Risk Has Been Mitigated

Have you retrieved the information? Did the recipient sign a statement that they destroyed the records? Has the threat been neutralized?

If this risk assessment supports a low probability of compromise — and you can document that conclusion — the event is not a reportable breach. If the assessment is ambiguous or supports a higher probability, treat it as a breach and begin the notification process.

The 60-Day Deadline for HHS Notification

For breaches affecting fewer than 500 individuals, covered entities must notify HHS within 60 days of the end of the calendar year in which the breach was discovered. In practice, this means you log smaller breaches and submit them in a batch to HHS annually, no later than March 1 for breaches discovered in the prior calendar year.

For breaches affecting 500 or more individuals in a single state or jurisdiction, the rules are more demanding:

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days from the date the breach was discovered
  • Notify HHS simultaneously (within the same 60-day window)
  • Notify prominent media outlets serving the affected area if 500 or more residents of a single state are affected

The 60-day clock starts when you discover the breach — not when you finish investigating it. "Discovery" means the first day you knew or should have known the breach occurred.

How to Notify Affected Individuals

Individual notification must be provided in written form, either by first-class mail or email (if the individual has agreed to electronic communication). When contact information is out of date or insufficient, substitute notice through your website or media outlets may be required.

The notification must include:

  • A brief description of what happened, including the date of the breach and the date of discovery
  • A description of the types of unsecured PHI involved
  • Steps individuals should take to protect themselves (credit monitoring recommendation if financial information was involved, for example)
  • A brief description of what you are doing to investigate, mitigate harm, and prevent future breaches
  • Contact information for individuals to ask questions or learn more (typically a toll-free number, email address, or mailing address)

What Business Associates Must Do

If your business associate (a billing company, EHR vendor, cloud storage provider, etc.) causes or discovers a breach, they must notify your practice without unreasonable delay and no later than 60 days from their discovery. From that point, the 60-day notification clock for your practice begins.

This is one of the reasons Business Associate Agreements matter — they must contain provisions requiring the business associate to report breaches promptly and cooperate with your response.

Common Breach Notification Mistakes

Waiting too long to investigate. Every day of delayed investigation is a day off the 60-day notification clock. Assign someone to lead the investigation immediately when an incident is discovered.

Assuming small incidents aren't reportable. A misdirected email with one patient's name and appointment time may or may not be reportable — but it requires a documented risk assessment either way, not a judgment call made informally.

Failing to document the risk assessment. Even if you determine an incident is not a reportable breach, you must document that determination and the four-factor risk assessment that supports it. Undocumented determinations offer you no protection if the incident later comes to light.

Missing the smaller-breach annual deadline. Many practices correctly notify for large breaches but forget about the annual reporting requirement for smaller incidents. Log all potential breaches when they occur, not at year-end.

Not notifying business associates of their obligations. If your practice discovers a breach caused by a vendor, confirm immediately whether they are aware and whether they have begun their own notification obligations under their BAA.

Building a Breach Response Plan Before You Need One

The worst time to figure out your breach response process is after a breach has occurred. Before an incident happens, your practice should have:

  • A designated privacy officer and security officer (can be the same person in a small practice) with clear incident response authority
  • A written breach response procedure that your team has reviewed
  • A contact list for legal counsel, your HIPAA compliance resource, and HHS
  • A log for recording potential incidents and the risk assessments conducted
  • Login credentials for the HHS breach reporting web portal (OCR's online reporting system), already set up
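The incident log and deadline tracking described above (the 60-day clock from discovery, the annual batch for smaller breaches, the per-state media threshold, and the "no obligation if a low-probability assessment is documented" outcome) can be reduced to a small program. The following is an added example, not HIPAAGuard's code and not part of the original guide; the `Incident` record, function names and the sample log entries are all constructed for illustration. It applies the thresholds as this guide states them, and it also gives every reportable breach a 60-day individual-notice deadline, which 45 CFR 164.404 applies regardless of breach size.

```python
"""Breach-notification incident log with deadline computation (added example).

Timelines applied, as stated in the guide:
  * individuals and HHS: within 60 calendar days of discovery for breaches of
    500 or more individuals;
  * media: when 500 or more residents of a single state are affected;
  * smaller breaches: HHS submission due 60 days after the calendar year ends;
  * a documented low-probability four-factor assessment -> no obligations.
The 60-day individual-notice window for smaller breaches comes from
45 CFR 164.404, which the guide does not spell out for that case.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500   # 500+ individuals: individual and HHS notice within 60 days
MEDIA_THRESHOLD = 500          # 500+ residents of one state: notify prominent media there
NOTICE_WINDOW = timedelta(days=60)


@dataclass
class Incident:
    """One row of the incident log (hypothetical schema)."""
    incident_id: str
    discovered: date                          # first day you knew or should have known
    affected_by_state: dict[str, int]         # state code -> residents affected
    low_probability_documented: bool = False  # four-factor assessment concluded and recorded
    notices_sent: dict[str, date] = field(default_factory=dict)  # obligation -> date sent

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def annual_hhs_deadline(discovery_year: int) -> date:
    """Smaller breaches are batched: due 60 days after the end of the calendar year."""
    return date(discovery_year, 12, 31) + NOTICE_WINDOW


def obligations(incident: Incident) -> dict[str, date]:
    """Map each required notice to its latest permissible date.

    Returns an empty dict when the documented risk assessment supports a low
    probability of compromise, i.e. the event is not a reportable breach.
    """
    if incident.low_probability_documented:
        return {}
    due = incident.discovered + NOTICE_WINDOW          # clock starts at discovery
    result = {"individuals": due}
    if incident.total_affected >= LARGE_BREACH_THRESHOLD:
        result["hhs"] = due                            # simultaneous with individual notice
    else:
        result["hhs"] = annual_hhs_deadline(incident.discovered.year)
    for state, count in incident.affected_by_state.items():
        if count >= MEDIA_THRESHOLD:
            result[f"media:{state}"] = due
    return result


def overdue(incident: Incident, today: date) -> list[str]:
    """Obligations with no recorded notice by their deadline, or a notice sent late."""
    late = []
    for name, deadline in obligations(incident).items():
        sent = incident.notices_sent.get(name)
        if sent is None:
            if today > deadline:
                late.append(name)
        elif sent > deadline:
            late.append(name)
    return late


def days_remaining(incident: Incident, today: date) -> dict[str, int]:
    """Days left (negative if passed) for each obligation; useful for a daily check."""
    return {name: (deadline - today).days for name, deadline in obligations(incident).items()}


# Constructed sample log entries; none of these are real incidents.
SAMPLE_LOG = [
    Incident("INC-001", date(2024, 1, 10), {"TX": 1200, "OK": 30}),
    Incident("INC-002", date(2024, 4, 2), {"TX": 1}, low_probability_documented=True),
    Incident("INC-003", date(2024, 6, 15), {"TX": 40},
             notices_sent={"individuals": date(2024, 7, 1)}),
]

if __name__ == "__main__":
    today = date(2024, 7, 1)
    for inc in SAMPLE_LOG:
        print(inc.incident_id, obligations(inc), "overdue:", overdue(inc, today))
```

Run daily against the real log (with the current date as `today`) and the `overdue` output is the list that needs attention; INC-002 shows why the assessment must be recorded: only the `low_probability_documented` flag, which stands in for a written four-factor assessment, removes an incident from the obligation list.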

How HIPAAGuard Streamlines Breach Response

Responding to a potential HIPAA breach is stressful. HIPAAGuard takes the guesswork out of the process with built-in breach determination checklists that walk you through the four-factor risk assessment, incident logging that creates a timestamped record from the moment of discovery, and notification templates pre-formatted to meet HIPAA's content requirements.

You'll also have a complete audit trail showing exactly when you learned of the incident, what you determined, and what actions you took — the documentation that protects your practice if OCR investigates.

Don't improvise your breach response. Set up HIPAAGuard now so your incident response process is ready before you need it. A few minutes of preparation today is far less painful than a scrambled 60-day response window tomorrow.