
The HIPAA Breach Notification Rule

The Health Insurance Portability and Accountability Act of 1996 is one of the most important pieces of legislation to affect the healthcare industry, yet many healthcare providers and insurers are unaware of HIPAA obligations, in particular those relating to the HIPAA Breach Notification Rule.

There has been considerable criticism of healthcare providers and insurance companies in recent months regarding the speed at which individuals affected by data breaches are notified that their healthcare data and personal information have been stolen, lost, or divulged to an unauthorized individual.

With this in mind, and given the rise in the number of HIPAA data breaches in recent months, we have prepared a summary of the important elements of the HIPAA Breach Notification Rule to help healthcare organizations respond quickly to data breaches and stay HIPAA-compliant.

Summary of the HIPAA Breach Notification Rule

HIPAA Rules set standards that healthcare providers and other covered entities must follow in order to reduce the chance of patient data being exposed; however, even with the most sophisticated data security systems, it is still possible for unauthorized individuals to access computer systems. One need only look at the recent hack of the Pentagon’s Twitter account to show that no organization is impervious to attack.


If your organization has suffered a data breach, the steps that must be taken depend on the nature of the data compromised and the number of people affected:

Breaches Affecting More than 500 Individuals

If a data breach occurs that exposes the PHI of more than 500 individuals, the Department of Health and Human Services’ Office for Civil Rights must be notified “without unreasonable delay”, and certainly within 60 days of the discovery of the breach. The report should be made via the OCR Breach reporting web portal. Breach Notification letters must also be sent to all affected individuals – see the section below.

Issuing Notification of the Breach to the Media

A prominent media source serving the state in which the victims are located must be alerted to a data breach affecting more than 500 individuals, and that notice must be issued within 60 days of discovery of the breach.

Posting of Breach Details on the Company Website

Posting details of the breach on the company website is not mandatory for every breach. However, if 10 or more individuals cannot be contacted because their contact information is incomplete or out of date, a notice must be posted prominently on the company website for a period of 90 days; if this method of notification is not chosen, the organization must instead publish the information via major print and broadcast media. In either case, a toll-free telephone number must also be provided so that breach victims can get in touch with any questions.

Breaches Affecting Fewer than 500 Individuals

Data breaches involving fewer than 500 individuals require notifications to be sent to all affected individuals without unreasonable delay, and within 60 days of the discovery of the breach. The media does not need to be informed of these small-scale data breaches, even when they involve the compromise of Social Security numbers and healthcare data.

The Department of Health and Human Services’ Office for Civil Rights must be notified of all sub-500-record data breaches within 60 days of the start of the new calendar year. For example, a data breach occurring on January 1 would not need to be reported to OCR until March 2 of the following year.

Business Associates Responsible for Data Breaches

Any Business Associate that discovers it has been responsible for a breach of PHI must notify the covered entity of the incident no later than 60 days after the discovery of the breach. Efforts should be made to identify the individuals affected as well as the data that was compromised in the incident.

Issuing of Breach Notification Letters

When a breach does occur, all covered entities, including their Business Associates, are required to notify all affected individuals that their Protected Health Information has been exposed, whether the cause was a hacking incident or the loss of a laptop, smartphone, or any other device that contained unencrypted PHI. The HIPAA Breach Notification Rule also applies to paper records, x-ray films, and all other physical records containing PHI: the loss, theft, or disclosure of these records likewise requires the affected individuals to be notified.

Breach notification letters must be sent via first-class post, although in cases where individuals have agreed to receive communications via email, email is an acceptable means of communication. The notification letters – or emails – must include details of the breach, the information that was potentially exposed, a description of the actions taken by the company in response to the breach, information on the efforts made to mitigate damage or loss, and the actions which can be taken by individuals to mitigate risk.

Breach Notification letters must be sent if the healthcare provider, Health Plan, Business Associate, or other covered entity can show that there is a risk that PHI has been viewed, or could potentially be viewed. Breach notification letters can be issued without a risk assessment having first taken place, although the decision not to send notification letters should only be made after a thorough risk assessment has been performed. This must include the following points:

  • The type of data exposed and the likelihood of a patient or plan member being identified from the data
  • The person who has accessed the data and to whom they have disclosed information
  • The probability of PHI being accessed, viewed, and/or shared
  • The extent to which any potential damage has been mitigated

If a portable device or desktop computer has been lost or stolen, it is only considered a HIPAA breach – and therefore only requires breach notification letters to be sent – if the PHI contained on the device, or accessible through it, is unencrypted. In the case of loss or theft of encrypted devices, breach notification letters only need to be sent if the security key was also lost or stolen.

N.B. Password protection is not the same as data encryption. In the case of loss or theft of devices containing password-protected PHI, breach notifications will still need to be issued.

Documentation of Actions Taken

All covered entities must maintain a record of the actions taken following a breach, as these may be required by OCR auditors. The HIPAA Breach Notification Rule requires details of the breach notification letters that have been sent to be recorded, along with evidence that they have indeed been sent.

If breach notification letters are deemed not to be necessary, the reason for this decision, along with evidence to support it, must be documented.

Penalties for HIPAA Breach Notification Rule Violations

The failure to issue breach notification letters within 60 days of the discovery of a breach is a violation of the HIPAA Breach Notification Rule and can attract a penalty from OCR and state attorneys general. The maximum penalty for non-compliance is $1.5 million, per violation category, per calendar year.

While the HIPAA Breach Notification Rule stipulates notifications must be issued within 60 days of the discovery of a breach, unnecessarily delaying breach notifications is also a violation of the HIPAA Breach Notification Rule and could attract a financial penalty. The HIPAA Breach Notification Rule says notifications must be issued “without unreasonable delay.”

In 2017, OCR took the decision to pursue a case against Presence Health for delaying the issuing of breach notification letters. Presence Health discovered the breach on October 22, 2013, yet OCR was not notified until January 31, 2014 – more than a month after the 60-day HIPAA Breach Notification Rule deadline had passed. Presence Health settled the case for $475,000.

Further information on the HIPAA Breach Notification Rule

More detailed information on the HIPAA Breach Notification Rule can be found on the HHS website.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
