HIPAA Breach Notification
Timelines & Requirements
When a breach of unsecured PHI occurs, HIPAA requires notification to affected individuals, HHS, and potentially the media. Learn the 60-day timeline and notification requirements.
What Constitutes a Breach?
Breach Definition
An impermissible use or disclosure of PHI that compromises the security or privacy of the PHI. There is a presumption that any impermissible use or disclosure is a breach.
Exceptions to Breach
- Unintentional access by workforce member acting in good faith
- Inadvertent disclosure between authorized persons
- Good faith belief that unauthorized person could not retain PHI
Breach Response Timeline
Discovery
Day 0: Breach discovered or should have been discovered through reasonable diligence
Risk Assessment
Days 1-7: Conduct 4-factor risk assessment to determine if notification is required
Individual Notice
Within 60 days: Written notice to affected individuals via first-class mail
Media Notice
Within 60 days: If 500+ individuals affected in a state, notify prominent media
HHS Notice
Within 60 days: Notify HHS via online portal (immediate if 500+, annual if <500)
4-Factor Risk Assessment
To determine if an impermissible disclosure compromised PHI, evaluate these factors:
Nature of PHI
Types of identifiers and likelihood of re-identification
Unauthorized Person
Who received or accessed the PHI (employee, external party, etc.)
PHI Acquired/Viewed
Whether PHI was actually acquired or viewed
Risk Mitigation
Extent to which risk has been mitigated (e.g., data returned, destroyed)
What Must Be Included in Breach Notice
Need Help with Breach Response?
Our experts can help you develop incident response procedures and navigate breach notification requirements.