Healthcare Compliance. Last updated March 2026.

HIPAA Breach Notification: Complete Step-by-Step Guide

Everything you need to know about HIPAA breach notification requirements, from the initial risk assessment through notification, reporting, and remediation. Includes penalty tiers, common mistakes, and a clear 8-step process.

What Qualifies as a HIPAA Breach?

Under HIPAA, a breach is defined as the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) that compromises the security or privacy of the information. This is a broad definition that covers everything from a misdirected fax to a sophisticated ransomware attack.

The Presumption of Breach

HIPAA creates a presumption that any impermissible use or disclosure of unsecured PHI is a reportable breach. The burden is on the covered entity or business associate to demonstrate that there is a low probability that the PHI has been compromised. This determination must be based on the 4-factor risk assessment described below.

There are three narrow exceptions to the breach definition: (1) unintentional access by a workforce member acting in good faith within the scope of authority, (2) inadvertent disclosure between authorized persons at the same organization, and (3) when the recipient could not reasonably retain the information. Even with these exceptions, the 4-factor risk assessment should still be documented.

The 4-Factor Risk Assessment

When an impermissible use or disclosure of PHI occurs, you must conduct a documented risk assessment using these four factors to determine whether there is a low probability that the PHI has been compromised. If you cannot demonstrate low probability, you must treat the incident as a reportable breach.

1. Nature and Extent of PHI Involved

What types of identifiers and information were involved? A breach involving names and diagnoses is more serious than one involving names alone. Consider the types of identifiers (SSN, medical record numbers, financial information) and the sensitivity of the clinical information exposed.

Key Questions to Ask:

  • What specific data elements were involved?
  • Does the data include direct identifiers (SSN, MRN)?
  • Is sensitive clinical information included (HIV, mental health, substance abuse)?
  • Could the information be used for identity theft or fraud?

2. Unauthorized Person Who Used or Accessed the PHI

Who improperly received or accessed the information? A misdirected fax to another covered entity is very different from data posted on the public internet or accessed by a criminal actor.

Key Questions to Ask:

  • Was the recipient another covered entity or healthcare provider?
  • Does the unauthorized person have obligations to protect the data?
  • Was this an external threat actor or an internal workforce member?
  • Does the recipient have the ability to re-identify de-identified data?

3. Whether PHI Was Actually Acquired or Viewed

Can you demonstrate that the information was not actually accessed or viewed? For example, if a laptop was lost but had full-disk encryption and was powered off, the PHI may not have been accessed even though the device itself was lost.

Key Questions to Ask:

  • Is there forensic evidence of actual access or viewing?
  • Were access logs reviewed to determine if data was opened?
  • Was the data encrypted and the encryption key not compromised?
  • Was the exposure limited in time before the breach was contained?

4. Extent to Which Risk Has Been Mitigated

What steps have been taken to reduce the risk of harm? Obtaining attestations of destruction, confirming the data was not further disclosed, or recovering the device all help mitigate the risk and may support a determination that notification is not required.

Key Questions to Ask:

  • Was the information returned or destroyed?
  • Did the recipient provide a credible attestation of destruction?
  • Has the vulnerability that caused the breach been remediated?
  • Were affected systems immediately secured?

Who Must Be Notified

HIPAA breach notification requirements involve up to four different categories of recipients, each with specific timelines and methods. Missing any of these can result in additional penalties.

Affected Individuals

Within 60 days of discovery

Method: Written notice by first-class mail (or email if individual agreed)

Every individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed must be notified. If contact information is outdated for 10+ individuals, substitute notice via website posting or major media is required.

HHS / Office for Civil Rights (OCR)

Within 60 days if 500+ individuals affected; annual log if fewer than 500

Method: Electronic submission via the HHS breach reporting portal

Breaches affecting 500+ individuals must be reported within 60 days and are posted on the HHS 'Wall of Shame.' Breaches affecting fewer than 500 individuals must be logged and submitted annually within 60 days of the end of the calendar year.

Prominent Media Outlets

Within 60 days if 500+ individuals in a single state or jurisdiction

Method: Press release or direct outreach to prominent media outlets

If a breach affects 500 or more residents of a single state or jurisdiction, the covered entity must notify prominent media outlets serving that state. This is in addition to individual notification and HHS reporting.

Business Associates

Per Business Associate Agreement (BAA) terms

Method: As specified in the BAA

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. The BA must provide the CE with the identity of each affected individual and any other available information for the CE's notification obligations.
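The four notification routes above each turn on a threshold and a clock that starts at discovery. The following is an added example (not code from the original page) that turns those rules into dated obligations for an incident tracker; the function name, the Obligation record and the sample incidents are constructed for illustration, and the business-associate route is left out because its terms come from each BAA rather than from a fixed rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # outer limit; "without unreasonable delay" still applies
LARGE_BREACH = 500                   # HHS 60-day report and media thresholds
SUBSTITUTE_NOTICE_MIN = 10           # outdated contacts that trigger substitute notice


@dataclass
class Obligation:
    recipient: str
    deadline: date
    method: str


def notification_plan(discovered: date, affected: int, per_state: dict,
                      outdated_contacts: int = 0) -> list:
    """Map the 'Who Must Be Notified' rules onto dated obligations.

    discovered        : date the breach was first known or should have been known
    affected          : individuals whose unsecured PHI was or may have been compromised
    per_state         : affected residents per state or jurisdiction, e.g. {"TX": 620}
    outdated_contacts : individuals with no current mailing address
    """
    if affected <= 0:
        return []
    outer = discovered + NOTICE_WINDOW
    plan = [Obligation("individuals", outer,
                       "first-class mail (email if the individual agreed)")]
    if outdated_contacts >= SUBSTITUTE_NOTICE_MIN:
        plan.append(Obligation("individuals (substitute notice)", outer,
                               "website posting or major media"))
    if affected >= LARGE_BREACH:
        plan.append(Obligation("HHS/OCR", outer, "HHS breach reporting portal"))
    else:
        # Fewer than 500: log it and submit within 60 days of the end of the calendar year
        year_end = date(discovered.year, 12, 31)
        plan.append(Obligation("HHS/OCR (annual log)", year_end + NOTICE_WINDOW,
                               "HHS breach reporting portal"))
    for state, count in sorted(per_state.items()):
        if count >= LARGE_BREACH:   # 500+ residents of one state: media notice for that state
            plan.append(Obligation(f"media ({state})", outer,
                                   "press release or outreach to prominent outlets"))
    return plan


def days_remaining(deadline: date, today: date) -> int:
    """Negative means the deadline has already passed."""
    return (deadline - today).days
```

Run it against a constructed incident (1,200 affected, 900 of them in one state, 15 outdated addresses) and every route except the annual log comes due on the same day, 60 days after discovery.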

What to Include in the Notification

HIPAA specifies five required elements that must be included in every individual notification letter. Missing any element can be considered a violation.

  1. A brief description of what happened, including the date of the breach and the date of discovery
  2. A description of the types of unsecured PHI involved (e.g., name, SSN, date of birth, diagnosis, treatment information)
  3. Steps individuals should take to protect themselves from potential harm
  4. A description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches
  5. Contact procedures including a toll-free phone number, email address, postal address, or website

The notification must be written in plain language. Avoid technical jargon and legalese. The goal is for the average person to understand what happened, what it means for them, and what they should do about it.

Common Mistakes That Lead to Penalties

OCR enforcement actions reveal consistent patterns. These are the most frequent mistakes that turn manageable incidents into costly penalties.

Missing the 60-Day Deadline

The 60-day clock starts when the breach is discovered, not when the investigation is complete. Many organizations lose precious time conducting a thorough investigation and miss the notification deadline. You can notify before your investigation is complete.

Impact: OCR has imposed fines exceeding $1M specifically for untimely notification.

Failing to Conduct a Proper Risk Assessment

Skipping or inadequately documenting the 4-factor risk assessment is one of the most common audit findings. Every potential breach must be evaluated, and the assessment must be documented regardless of the outcome.

Impact: Failure to demonstrate a documented risk assessment can turn a non-reportable incident into a reportable breach.

Not Notifying Business Associates

When a breach occurs at a business associate, both the BA and the covered entity have notification obligations. Many organizations fail to have clear BAA terms that define discovery timelines and notification procedures.

Impact: BAs are independently liable for HIPAA violations and can face direct penalties from OCR.

Inadequate Risk Analysis (Prevention)

Most HIPAA breach penalties are compounded by a finding that the organization failed to conduct an adequate, organization-wide risk analysis as required by the Security Rule. The breach itself may result in a moderate fine, but the underlying risk analysis failure can multiply it.

Impact: Risk analysis failures have been cited in settlements exceeding $5M.

No Pre-Existing Incident Response Plan

Organizations without a documented, tested incident response plan consistently take longer to detect and respond to breaches, resulting in higher costs and more regulatory scrutiny.

Impact: While not having a plan isn't itself a violation, it leads to delays and mistakes that trigger additional penalties.

HIPAA Penalty Tiers

OCR uses a tiered penalty structure based on the level of culpability. Penalties are assessed per violation, with an annual maximum of approximately $2 million per violation category. Criminal penalties may also apply in extreme cases.

Tier 1, Lack of Knowledge: the covered entity did not know and could not reasonably have known of the violation. Per violation: $100 - $50,000.
Tier 2, Reasonable Cause: the violation was due to reasonable cause and not willful neglect. Per violation: $1,000 - $50,000.
Tier 3, Willful Neglect (Corrected): the violation was due to willful neglect but was corrected within 30 days. Per violation: $10,000 - $50,000.
Tier 4, Willful Neglect (Not Corrected): the violation was due to willful neglect and was not corrected within 30 days. Per violation: $50,000+.

Annual cap: approximately $2 million per violation category. Criminal penalties of up to $250,000 and 10 years imprisonment may apply for violations involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Step-by-Step Breach Notification Process

Follow this 8-step process from the moment a potential breach is discovered through remediation and documentation. Each step includes what to do and why it matters.

1. Discover and Contain the Breach

Identify the scope of unauthorized access, contain the exposure, and preserve evidence. The 60-day notification clock starts at discovery. Discovery occurs when the breach is first known or would have been known through reasonable diligence.

2. Conduct the 4-Factor Risk Assessment

Evaluate the nature of PHI involved, who accessed it, whether it was actually viewed, and what mitigation steps have been taken. Document everything thoroughly. If the assessment demonstrates a low probability of compromise, notification may not be required.

3. Determine if Notification is Required

Based on the risk assessment, determine whether the incident rises to the level of a reportable breach. Remember the presumption: every unauthorized access, use, or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate a low probability of compromise.

4. Identify All Affected Individuals

Compile a complete list of every individual whose PHI was or may have been compromised. Verify contact information. If you cannot identify specific individuals, you may need to notify a broader population.

5. Draft Notification Letters

Prepare notification letters that include all required elements: description of the breach, types of PHI involved, steps individuals should take, what your organization is doing, and contact information. Have legal counsel review before sending.

6. Notify Individuals Within 60 Days

Send written notification to all affected individuals via first-class mail. If email notification was previously authorized by the individual, email is acceptable. For outdated contact information, use substitute notice methods as appropriate.

7. Report to HHS and Media (if applicable)

If 500+ individuals are affected, submit the breach report to HHS via their online portal within 60 days and notify prominent media outlets in affected states. If fewer than 500, log the breach for annual reporting.

8. Remediate and Document

Implement corrective actions to prevent similar breaches. Update policies and procedures. Conduct additional workforce training. Document all actions taken. Retain documentation for a minimum of six years as required by HIPAA.

Don't Wait for a Breach to Check Your HIPAA Readiness

The best time to prepare for a HIPAA breach is before one happens. A proactive HIPAA risk assessment can identify vulnerabilities, ensure your incident response plan is solid, and dramatically reduce both the likelihood and impact of a breach.
