HIPAA breach notification: what triggers reporting and what to do next

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS) and, in larger breaches, the media when unsecured protected health information is compromised. The notification clock is strict: affected individuals must be informed without unreasonable delay and no later than 60 days after a breach is discovered. Missing that window turns a security incident into a separate compliance violation, compounding the original problem.

For compliance teams, the hardest part is not the notification itself. It is determining whether an incident is a reportable breach at all, and being able to document that determination. This guide explains what triggers the HIPAA breach notification requirements, the decision process for assessing an incident and the steps to take once a breach is confirmed.

What counts as a breach under the HIPAA Breach Notification Rule

A breach is the acquisition, access, use or disclosure of protected health information in a manner not permitted by the Privacy Rule that compromises the security or privacy of that information. The key qualifier is unsecured PHI: information that has not been rendered unusable, unreadable or indecipherable through encryption or destruction. Properly encrypted data that is lost or stolen generally does not trigger notification, which is why encryption is one of the most effective breach-prevention controls available.

Not every impermissible use or disclosure is automatically a reportable breach. The rule provides a presumption that an incident is a breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised.

The six-year clock is important and frequently misunderstood. For policies, the retention period runs from the date a document was last in effect, not the date it was created. A policy that was active for four years and then replaced must still be retained for six years after it was superseded. This means organizations must keep a complete version history, not just current documents.

The four-factor risk assessment that determines reporting

When an incident occurs, the HIPAA breach notification requirements direct the organization to assess at least four factors before concluding whether notification is required.

The output of this assessment, and the reasoning behind it, must be documented. If an organization concludes an incident is not reportable, it must be able to show OCR the risk assessment that supports that conclusion. An undocumented decision not to report is indistinguishable, from an enforcement perspective, from a failure to report.

Notification requirements and timelines

Once an incident is confirmed as a reportable breach, the HIPAA breach notification requirements impose specific obligations that vary by the scale of the breach:

• Individual notification: all affected individuals must be notified without unreasonable delay and within 60 days of discovery, in writing, with specified content including what happened and what individuals should do.
• HHS notification: breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and within 60 days. Smaller breaches may be logged and reported to HHS annually.
• Media notification: breaches affecting more than 500 residents of a state or jurisdiction require notification to prominent media outlets serving that area.

The 60-day ceiling is a maximum, not a target. OCR has pursued organizations that technically met the deadline but delayed unreasonably within it. The expectation is prompt action once a breach is discovered.

What to do when a breach is confirmed

A confirmed breach sets off a defined sequence. Organizations that have planned this in advance move through it cleanly; those improvising under pressure make errors that worsen the outcome:

• Contain the incident to stop further exposure of PHI.
• Document the discovery date, because the 60-day clock runs from discovery.
• Conduct and record the four-factor risk assessment to confirm reportability.
• Issue notifications to individuals, HHS and media as required, within the timeline.
• Remediate the root cause and document the corrective action to prevent recurrence.

Incident handling does not end with notification. OCR pays close attention to whether an organization addressed the underlying cause. A breach followed by a documented corrective action plan demonstrates the kind of good-faith response that keeps a case in the lower penalty tiers. The same breach with no remediation evidence points toward willful neglect, and how that distinction drives financial exposure is set out in this guide to HIPAA fines and penalties.

Building breach response into your compliance system

Effective breach response depends on infrastructure that exists before an incident: a documented incident response policy, clear ownership, and a system that captures the assessment, notification and remediation in one place. Ideagen's incident management software, built on Microsoft 365 SharePoint, gives healthcare teams structured incident capture, investigation workflows, root cause analysis and audit-ready documentation, so the four-factor assessment and the corrective action are recorded as the process runs rather than reconstructed afterward.

Breach notification is one area of HIPAA where preparation is visible in the outcome. The organizations that handle breaches well are not the ones that never have incidents. They are the ones that decided in advance how they would assess, document and respond, so that when an incident arrives, the response is a procedure rather than a panic. For the foundations of the wider framework, see this guide to what HIPAA compliance requires, and to ensure your documentation holds up if an incident leads to scrutiny, follow this guide to how to prepare for a HIPAA audit.