
HIPAA Breach Notification: Complete Timeline and Requirements

Understanding HIPAA Breach Notification Requirements

The HIPAA Breach Notification Rule (45 CFR §§164.400-414) requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. Failing to comply can result in penalties ranging from $100 to $50,000 per violation.

What Constitutes a Breach?

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. There are three exceptions:

  • Unintentional acquisition by a workforce member acting in good faith
  • Inadvertent disclosure between authorized persons within the same organization
  • Good faith belief that the unauthorized person could not retain the information

The 60-Day Notification Timeline

Once a breach is discovered, the clock starts ticking:

  • Day 0: Breach is discovered (or should have been discovered through reasonable diligence)
  • Days 1-30: Conduct the risk assessment using the four-factor analysis and begin documentation
  • Day 60: Deadline to notify affected individuals via first-class mail or email (if the individual has authorized email)
  • Day 60: Notify HHS via the breach portal at hhs.gov (this deadline applies to breaches affecting 500 or more individuals; smaller breaches are reported in the annual log)
  • Year-end: For breaches affecting fewer than 500 individuals, submit the annual log to HHS

For breaches affecting 500 or more individuals in a single state or jurisdiction, you must also notify prominent media outlets in that area within 60 days.

The Four-Factor Risk Assessment

To determine if a breach requires notification, evaluate: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received the PHI, (3) whether PHI was actually acquired or viewed, and (4) the extent to which risk has been mitigated.

Documentation Requirements

Maintain documentation of your breach risk assessment, notification letters, and remediation steps for at least six years. The OCR will request this documentation during any investigation or audit.
