Something went wrong. A laptop was lost. A phishing email succeeded. A file was sent to the wrong recipient. An employee accessed records they had no reason to access. Whatever the circumstances, your organization is now looking at a potential HIPAA breach, and the clock has started.

The HIPAA Breach Notification Rule, codified at 45 CFR Part 164, Subpart D, gives most organizations 60 days from the date of discovery to complete required notifications. That sounds like a reasonable window. In practice, organizations that wait too long to start the process routinely miss it, and OCR has issued significant civil money penalties to organizations that failed to notify on time, notified the wrong parties, or simply failed to notify at all.

This article explains how the Breach Notification Rule works, what the four-factor test requires, who must be notified and when, and where organizations most commonly go wrong.

What Counts as a Reportable Breach

Under HIPAA, a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule. The default assumption is that any unauthorized access or disclosure is a reportable breach unless your organization can demonstrate otherwise.

That last point is important. The law does not require proof that harm occurred. It does not require proof that the PHI was actually viewed or misused. The standard is lower: if the incident involved PHI and was not authorized under the Privacy Rule, it is presumed to be a breach requiring notification unless you can affirmatively show there is a low probability that the PHI has been compromised.

There are three narrow exceptions to the definition of breach: unintentional access by a workforce member acting in good faith within the scope of their authority, inadvertent disclosure between two authorized people at the same organization, and situations where the covered entity has a good-faith belief that the unauthorized person receiving the PHI could not have retained it. These exceptions are narrow, and reliance on any of them must be supported by documentation.

The Four-Factor Risk Assessment

Before you can determine whether an incident requires notification, HIPAA requires you to conduct a four-factor risk assessment. This is the analytical framework that determines whether there is a low probability that the PHI has been compromised. If you cannot demonstrate low probability across all four factors, notification is required.

The four factors are:

1. The Nature and Extent of the PHI Involved

What types of PHI were involved, and how sensitive is it? An incident involving Social Security numbers, financial information, or mental health records carries a higher risk of compromise than one involving appointment dates. The volume of records matters too, though even a single record can require notification.

2. Who Accessed or Could Have Accessed the PHI

Was the PHI accessed by another covered entity or business associate who would have had obligations to protect it? Was it accessed by an unknown third party? Was it accessed by an IT vendor who immediately returned the misdirected email without opening it? The nature of the recipient affects the probability of compromise significantly.

3. Whether the PHI Was Actually Acquired or Viewed

Did you obtain evidence that the PHI was actually accessed or seen? Audit logs, the nature of the incident, and witness statements all contribute here. If a server was briefly accessible due to a misconfiguration but logs show no actual access occurred, that is relevant. If an email was sent to the wrong recipient and they confirmed they deleted it without reading it, that factors in. But the burden of proof is on your organization, not on the recipient.

4. The Extent to Which the Risk Has Been Mitigated

Did you take steps to reduce the risk after discovery? Retrieving the misdirected document, revoking access, confirming deletion, or obtaining a non-disclosure agreement from the recipient can all contribute to a finding of low probability. Mitigation does not eliminate the need for notification on its own, but it is a factor in the overall analysis.

The risk assessment must be documented in writing. You cannot run this analysis in your head and call it done. If OCR investigates, they will ask for the risk assessment documentation. Organizations that made reasonable decisions but failed to document them have found themselves unable to defend those decisions.

The 60-Day Notification Timeline

The 60-day clock starts on the date of discovery, which HIPAA defines as the first day on which the breach is known or should reasonably have been known to any workforce member or agent of the covered entity other than the person who committed the breach.

That definition has practical consequences. If a front-desk employee discovered a potential breach on a Tuesday and did not report it internally until the following Monday, the clock started on Tuesday, not Monday. Delays in internal reporting do not stop the clock.

Within 60 days, covered entities must complete up to three notifications, depending on the scope of the breach:

Individual Notification

Every individual whose PHI was involved in the breach must be notified. Notification must be in writing, delivered by first-class mail to the last known address, or by email if the individual has agreed to receive communications electronically. The notification must include a description of what happened, the types of PHI involved, the steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate, and contact information for questions.

If your organization cannot reach 10 or more individuals due to insufficient or out-of-date contact information, you must post a substitute notice on your website for at least 90 days or provide notice through major print or broadcast media in the area.

HHS Notification

All covered entities must notify the Department of Health and Human Services of reportable breaches. For breaches affecting 500 or more individuals, HHS must be notified within 60 days of discovery using the HHS breach reporting portal. These breaches are publicly posted on what is commonly called the HHS Wall of Shame.

For breaches affecting fewer than 500 individuals, covered entities may log them and report to HHS on an annual basis, no later than 60 days after the end of the calendar year in which the breaches occurred. This is a common point of confusion: the 60-day rule for small breaches applies to the annual report, not to each individual breach.

Media Notification

If a breach affects 500 or more residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets in that area. This notification must occur within the same 60-day window and must be sent in addition to individual and HHS notifications, not instead of them.

Business associates have a separate but related obligation. When a business associate discovers a breach, they must notify the covered entity without unreasonable delay and no later than 60 days from the date of discovery. The covered entity then becomes responsible for notifying individuals and HHS. The business associate agreement should specify the notification timeline between the parties, and many specify a shorter window, often 30 days or fewer.

What Your Notification Must Actually Say

HIPAA specifies the required elements of a breach notification to individuals. A notification that omits required elements does not satisfy the rule, and OCR has cited organizations for inadequate notification content in enforcement actions.

A compliant individual notification must include:

  • A brief description of what happened, including the date of the breach and the date of discovery, if known
  • A description of the types of unsecured PHI involved, such as names, Social Security numbers, dates of birth, account numbers, diagnosis codes, or other identifiers
  • Any steps individuals should take to protect themselves from potential harm, such as placing a fraud alert, monitoring their credit, or reviewing their Explanation of Benefits statements
  • A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches
  • Contact procedures for individuals to ask questions or learn more, including a toll-free number, email address, website, or mailing address

The notification should be written in plain language that the average patient or health plan member can understand. It should not read like a legal document, and it should not be written in a way that minimizes what happened or obscures the potential risk to the individual.

Where Organizations Miss the Deadline

OCR enforcement data and settlement records point to a consistent set of failure patterns. Understanding them is the most practical way to avoid them.

Starting the process too late. The 60-day window feels long until you account for the investigation, the four-factor risk assessment, drafting notifications, getting legal review, and managing operational disruptions that often accompany a significant incident. Organizations that wait two or three weeks before treating the response as urgent frequently find themselves scrambling at the end of the window or missing it entirely.

Failing to recognize the discovery date. Because the clock starts when the breach “should reasonably have been known,” organizations can find themselves in a difficult position if internal reporting was delayed. A breach that was known to a workforce member for two weeks before it reached the compliance officer does not give the compliance officer 60 days from when they heard about it.

Confusing the small-breach annual reporting rule. Some organizations interpret the small-breach annual reporting provision as meaning they have an entire year to respond to small incidents. They do not. The risk assessment, the determination, and the individual notification still need to happen promptly. Only the HHS reporting is deferred to the annual log.

Not documenting the risk assessment. Organizations that decide an incident does not require notification based on the four-factor test but fail to document that analysis have no defense if OCR later disagrees. The documentation is what converts a reasonable judgment call into a defensible compliance decision.
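The timeline rules above (discovery date, the 500-individual threshold for HHS and media notice, the annual log for smaller breaches, and the substitute-notice trigger) are easy to get wrong by hand, as the failure patterns just listed show. The following is an added illustration of that logic as a small deadline tracker; it is not code from HIPAA Essentials Library, and the dataclass fields, function names and sample dates are assumptions chosen to mirror the article's examples.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # 45 CFR 164 Subpart D: 60 days from discovery
LARGE_BREACH = 500                   # individuals; triggers immediate HHS reporting
MEDIA_THRESHOLD = 500                # residents of a single state or jurisdiction
SUBSTITUTE_NOTICE_MIN = 10           # unreachable individuals; triggers substitute notice


@dataclass
class BreachFacts:
    # Dates on which each workforce member or agent (other than the person who
    # committed the breach) knew or should reasonably have known of it.
    known_dates: list
    occurred: date                   # date the breach itself occurred
    individuals_affected: int
    max_affected_in_one_state: int
    unreachable_individuals: int = 0


def discovery_date(facts: BreachFacts) -> date:
    # The clock starts on the EARLIEST such date; a delay in internal reporting
    # (known Tuesday, escalated the next Monday) does not move it.
    return min(facts.known_dates)


def notification_deadlines(facts: BreachFacts) -> dict:
    d = discovery_date(facts)
    deadlines = {"individuals": d + NOTIFY_WINDOW}
    if facts.individuals_affected >= LARGE_BREACH:
        deadlines["hhs"] = d + NOTIFY_WINDOW
    else:
        # Small breaches go on the annual log, due 60 days after the end of the
        # calendar year in which the breach occurred (as the article states).
        deadlines["hhs_annual_log"] = date(facts.occurred.year, 12, 31) + NOTIFY_WINDOW
    if facts.max_affected_in_one_state >= MEDIA_THRESHOLD:
        deadlines["media"] = d + NOTIFY_WINDOW   # in addition to, not instead of
    if facts.unreachable_individuals >= SUBSTITUTE_NOTICE_MIN:
        deadlines["substitute_notice_posted_until"] = d + NOTIFY_WINDOW + timedelta(days=90)
    return deadlines


def ba_to_ce_deadline(ba_discovered: date, contract_days=None) -> date:
    # A business associate must notify the covered entity within 60 days of its own
    # discovery; the BAA may require a shorter window but can never extend it.
    days = 60 if contract_days is None else min(contract_days, 60)
    return ba_discovered + timedelta(days=days)
```

The `substitute_notice_posted_until` value assumes the substitute notice goes up on the individual-notification deadline and stays for the 90-day minimum.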

Have the Documentation Ready Before You Need It

The Breach Documentation Kit from HIPAA Essentials Library includes every document your organization needs to respond to a breach correctly: the Breach Risk Assessment Form, Breach Investigation Procedures, individual notification letter templates, HHS notification template, media notification template, Incident Tracking Log, Breach Notification Timeliness Tracker, and corrective action documentation. Everything is organized in the order you use it and includes implementation guidance so your team knows what to do and when.

Building your response capability before an incident occurs is significantly easier than assembling documentation under pressure with the 60-day clock running. The Compliance Essentials Bundle includes the Breach Documentation Kit along with the Privacy Bundle and Security Bundle for organizations that want comprehensive coverage across all three compliance areas.