Understanding the HIPAA Breach Notification Rule: A Practical Guide for Healthcare Entities and Business Associates
The HIPAA breach notification rule is a key component of the U.S. health privacy framework. It sets clear expectations for how organizations handle incidents that involve protected health information (PHI). For covered entities such as healthcare providers, health plans, and health care clearinghouses—and for their business associates who handle PHI on their behalf—the rule defines when a breach has occurred, who must be notified, and the timelines and content required for those notices. This guide explains the rule in practical terms, with a focus on what it means in day-to-day operations and how to build a compliant, trusted response process.
What counts as a breach under the rule?
A breach is generally an impermissible acquisition, access, use, or disclosure of PHI that compromises the privacy or security of the information. Not every incident qualifies as a breach. For example, when PHI is unintentionally accessed or disclosed by a workforce member within the same organization, or disclosed to another person who is authorized to access PHI and the information is not further used or disclosed in a manner that would violate the Privacy Rule, it may fall outside the breach definition. The distinction matters because it determines whether the entity must follow breach notification procedures.
Over time, the rules around breach definitions have evolved, particularly with the Omnibus Final Rule. That change reinforced the need for a careful risk assessment after a potential incident to determine whether PHI was actually compromised and how serious the risk is for those affected.
Who must comply and what does that mean in practice?
Covered entities and business associates are responsible for implementing breach notification requirements. A covered entity is a health care provider, health plan, or health care clearinghouse that handles PHI and is subject to the HIPAA Privacy, Security, and Breach Notification Rules. A business associate is a person or organization that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. Even subcontractors and vendors who have access to PHI can fall under breach notification obligations if they experience a breach.
- Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach.
- Business associates must provide breach notices to the covered entity they serve, which then takes the required steps to notify individuals and regulators as applicable.
- In some cases, the breach also triggers notifications to the Department of Health and Human Services (HHS) and, if the breach involves a large number of people, to the media.
Timelines for notification
The rule sets specific timelines for different audiences in response to a breach:
- Affected individuals: Notice must be provided without unreasonable delay and no later than 60 days after discovery of the breach. Discovery is the date on which the covered entity (or business associate) actually learns of the breach, not the date the breach occurred.
- Department of Health and Human Services (HHS): If a breach affects 500 or more individuals, the entity must notify HHS without unreasonable delay and in no case later than 60 days after discovery. For breaches affecting fewer than 500 individuals, the entity must maintain a log and submit an annual report to HHS after the end of each calendar year.
- Media: If a breach affects more than 500 residents of a single state or jurisdiction, notice must be provided to prominent media outlets serving that jurisdiction within 60 days after discovery.
These timelines are intended to ensure that individuals receive timely information about risks to their PHI and that responsible organizations provide transparency to regulators and, when appropriate, to the public.
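The three timelines above, plus the sub-500 annual log from the HHS bullet, are really a small decision procedure keyed on the discovery date and the per-state head count. The following Python is an added example (not from the original guide) that encodes that procedure and runs it over constructed breach-log records; the record fields, function names and sample incidents are all assumptions. The thresholds follow the wording used on this page (HHS: 500 or more individuals; media: more than 500 residents of one state). The page does not give a due date for the annual sub-500 log, so the example uses the 60-days-after-year-end window from 45 CFR 164.408(c) and labels it as such.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Timeline constants as stated on the page.
NOTIFICATION_WINDOW_DAYS = 60          # "no later than 60 days after discovery"
HHS_IMMEDIATE_THRESHOLD = 500          # 500 or more individuals -> HHS within 60 days
MEDIA_STATE_THRESHOLD = 500            # more than 500 residents of one state -> media
# Not stated on the page; taken from 45 CFR 164.408(c) (annual log due 60 days
# after the end of the calendar year in which the breach was discovered).
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60


@dataclass
class BreachRecord:
    """One entry in the breach log (hypothetical schema)."""
    incident_id: str
    occurred_on: date            # when the breach happened
    discovered_on: date          # when the entity learned of it; clocks start here
    affected_by_state: Dict[str, int]
    description: str

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def required_notices(rec: BreachRecord) -> dict:
    """Return which notices a record triggers and their deadlines.

    Deadlines are computed from discovery, not occurrence, as the page stresses.
    """
    deadline = rec.discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    notices: dict = {"individuals": deadline}

    if rec.total_affected >= HHS_IMMEDIATE_THRESHOLD:
        notices["hhs"] = deadline
    else:
        year_end = date(rec.discovered_on.year, 12, 31)
        notices["hhs_annual_log"] = year_end + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)

    media_states = sorted(s for s, n in rec.affected_by_state.items()
                          if n > MEDIA_STATE_THRESHOLD)
    if media_states:
        notices["media"] = {"deadline": deadline, "states": media_states}
    return notices


def days_remaining(rec: BreachRecord, as_of: date) -> int:
    """Days left on the individual-notice clock (negative means overdue)."""
    return (required_notices(rec)["individuals"] - as_of).days


def annual_log_entries(log: List[BreachRecord], year: int) -> List[str]:
    """Sub-500 breaches discovered in `year`, i.e. what goes in the annual HHS report."""
    return [r.incident_id for r in log
            if r.discovered_on.year == year
            and r.total_affected < HHS_IMMEDIATE_THRESHOLD]


# Constructed sample log; the incidents and numbers are invented for illustration.
SAMPLE_LOG = [
    BreachRecord("BR-001", date(2024, 2, 20), date(2024, 3, 4),
                 {"CA": 1200, "NV": 40}, "lost unencrypted laptop"),
    BreachRecord("BR-002", date(2024, 7, 1), date(2024, 7, 15),
                 {"TX": 120}, "misdirected mailing"),
    BreachRecord("BR-003", date(2024, 2, 1), date(2024, 2, 10),
                 {"NY": 500}, "email sent to wrong recipient"),
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec.incident_id, rec.total_affected, required_notices(rec))
    print("2024 annual log:", annual_log_entries(SAMPLE_LOG, 2024))
```

BR-003 is the edge case worth noticing: exactly 500 affected individuals meets the HHS "500 or more" threshold but not the media "more than 500 residents of a single state" threshold, so the two notices do not always travel together.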
What information must be included in the notices?
Notifications to individuals should include:
- A description of what happened and the types of PHI involved
- Dates of the breach or the period during which the breach occurred
- Steps individuals can take to protect themselves from potential harm
- A description of actions the organization has taken or will take to reduce the risk of further harm
- Contact information for the organization’s privacy or security official
When notices are sent to the HHS or the media, the information is typically summarized and focused on the scope of the breach, the affected population, and the steps being taken to mitigate risk. The goal is to provide clear, actionable information without disclosing unnecessary PHI.
How notices are delivered
Delivery methods depend on what contact information is available and what individuals have consented to. Common approaches include:
- First-class mail to the affected individuals
- Electronic notice if the individual has agreed to electronic communications
- Phone outreach in certain high-risk cases where timely information is critical
For notices to the media and the public, the format is typically a press release or a public notice designed to reach a broad audience. Organizations may also post breach information on their public websites or through other official channels as appropriate.
Notice content and its limits
Beyond the required elements, notices should avoid unnecessary PHI exposure. The emphasis is on transparency while protecting individuals’ privacy. Organizations should also provide practical steps for identity protection, such as monitoring options, fraud alerts, and contact information for credit bureaus or relevant authorities when PHI exposure could enable identity theft or other harm.
What constitutes an exception or safe harbor?
Not all disclosures are deemed breaches. The rule recognizes certain exceptions, such as incidental disclosures that occur while sharing PHI for treatment, payment, or health care operations, or disclosures among covered entities and their workforce members who are acting within the scope of their duties. The key is that the PHI should not be used or disclosed in ways that would violate the Privacy Rule, and reasonable safeguards should be in place to limit the scope of the disclosure. In practice, this means that organizations must balance the need to share information for legitimate health care purposes with the obligation to protect individuals’ PHI.
Who bears the risk and what are the penalties?
Enforcement rests with the HHS Office for Civil Rights (OCR). When breaches occur due to violations of HIPAA requirements, penalties can follow, with severity depending on factors such as intent and the degree of negligence. The penalties can escalate based on the organization’s prior history and the steps taken to mitigate risk. In recent years, the enforcement framework has emphasized timely, comprehensive breach communication and robust risk management practices. For organizations, this makes a well-prepared breach response plan more than a compliance checkbox—it becomes a core component of patient trust and operational resilience.
Practical steps to build a compliant breach response program
- Conduct a current state assessment of PHI inventory, data flows, and the places where PHI is stored or transmitted. Know where PHI is at rest and in transit.
- Develop or refresh a breach response playbook that defines roles, escalation paths, and steps for containment, investigation, and notification.
- Implement or strengthen encryption and access controls to reduce risk. Ensure that unsecured PHI is minimized and that lost or stolen devices or media are encrypted or securely retrievable.
- Establish a breach notification policy that aligns with the rule’s timelines and notification content requirements. Include templates to speed response while ensuring accuracy and consistency.
- Train staff and contractors. Regular awareness training helps reduce incidents and improves the speed and quality of the response when a real breach occurs.
- Maintain a breach log that records the incident, discovery date, scope, and actions taken. This log supports timely reporting to HHS and, where required, to the media.
- Contractually require business associates to have breach notice obligations that mirror those of the covered entity. Include breach notification expectations in vendor agreements.
Practical examples and scenarios
Consider these common scenarios and how the breach notification rule would apply:
- A clinician sends an email containing PHI to the wrong recipient. If the recipient is not authorized to view the PHI, and the information is not further used, it may be a breach. The organization would assess risk and, if it is deemed a breach, begin the required notification process.
- A mailing system error results in PHI being misprinted and mailed to the wrong household. The breach notification applies if the exposed PHI could reasonably cause harm, and the organization would notify each affected individual and report to HHS as required.
- A portable device with PHI is lost. If the data on the device is unencrypted and the risk assessment finds a meaningful risk of harm, notices would be issued to affected individuals and, depending on the numbers, to HHS and the media.
These examples illustrate why a proactive risk assessment and a tested response plan are essential. The goal is to identify real risk quickly and communicate clearly to those who may be affected.
Updates you should know
The HIPAA breach notification rule has evolved through the Omnibus Final Rule, with a focus on clarifying breach definitions, strengthening risk assessments, and aligning enforcement practices. As practices adopt new technologies—cloud storage, telehealth, and mobile devices—the need for a robust, documented breach response increases. Staying current with guidance from OCR and the Department of Health and Human Services helps organizations interpret requirements correctly and apply best practices in real-world settings.
Why this matters for trust and resilience
Transparency around PHI incidents reinforces patient trust. A well-handled breach notification demonstrates accountability, reduces confusion, and mitigates harm to individuals. Beyond compliance, it signals a commitment to patient safety and data stewardship. For organizations, disciplined breach management can also limit financial and reputational damage and support regulatory goodwill during audits or inquiries.