A data breach involving patient health information is one of the most serious compliance events a medical practice can face. Beyond the operational disruption, HIPAA imposes strict notification requirements with hard deadlines and significant penalties for failure to comply. Understanding what constitutes a breach, who must be notified, and how quickly you must act is not just a legal obligation — it is an essential part of protecting your patients and your practice. This guide explains the HIPAA Breach Notification Rule in practical terms.
What Is a HIPAA Breach?
Under HIPAA, a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. This is a broad definition that encompasses a wide range of incidents, including:
- A laptop containing unencrypted patient records is stolen from a staff member's car
- An employee accesses patient records out of curiosity, without a treatment, payment, or operations purpose
- A fax containing PHI is sent to the wrong recipient
- An email containing patient information is sent to the wrong address
- A ransomware attack encrypts your EHR system and potentially exposes ePHI
- A business associate discloses PHI without authorization
The Presumption of Breach
An important aspect of the rule is that any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised. This probability assessment must consider four factors: (1) the nature and extent of the PHI involved, (2) who accessed or could have accessed the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
Exceptions to Breach Definition
Three specific situations are excluded from the definition of breach: unintentional access by a workforce member acting in good faith within the scope of authority; inadvertent disclosure between authorized persons at the same covered entity; and disclosures where the covered entity believes in good faith that the unauthorized recipient could not have retained the information.
Who Must Be Notified and When
When a breach occurs, HIPAA requires notification to multiple parties within specific timeframes. Missing these deadlines is itself a HIPAA violation.
Notification to Affected Individuals: 60 Days
Affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered (not when it occurred). Notification must be by first-class mail to the last known address, or by email if the individual has agreed to electronic notice. The notification must include:
- A brief description of what happened, including the date of the breach and date of discovery
- The types of PHI involved (e.g., name, Social Security number, diagnosis, financial information)
- Steps individuals should take to protect themselves (e.g., monitor credit reports)
- A description of what the covered entity is doing to investigate, mitigate, and prevent future breaches
- Contact information for affected individuals to ask questions
If you lack contact information for 10 or more affected individuals, you must provide substitute notice via a conspicuous posting on your website or in major media outlets serving the affected area for at least 90 days.
Notification to the Secretary of HHS: Annual or 60 Days
All breaches must be reported to the Secretary of HHS via the OCR breach reporting portal at hhs.gov/ocr. The timing depends on the size of the breach:
- Breaches affecting 500 or more individuals: Must be reported to HHS simultaneously with individual notifications — within 60 days of discovery
- Breaches affecting fewer than 500 individuals: May be logged and reported to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered
Maintain a breach log throughout the year for smaller incidents to facilitate the annual report. Do not wait until December to compile this information.
Notification to Media: 60 Days for Large Breaches
If a breach affects 500 or more individuals in a particular state or jurisdiction, the covered entity must also notify prominent media outlets in that state or jurisdiction, again within 60 days of discovery. This requirement triggers the "wall of shame" — the public HHS list of large breaches that is searchable by state and organization name.
Business Associate Breaches
Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. The covered entity is then responsible for providing notification to individuals and HHS. The BA agreement should specify shorter internal reporting timeframes — many practices require BA notification within 10 to 30 days to give themselves adequate time to comply with the 60-day deadline.
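The deadline rules in this section, as an added example that is not code from the article or from GuardWell: a small Python checker that turns a breach record into the list of notices owed and their due dates. The class and function names are assumptions of this example, and the sample figures are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # individual, HHS (500+) and media notices run from discovery
LARGE_BREACH = 500                   # threshold for immediate HHS report and media notice
SUBSTITUTE_NOTICE_MIN = 10           # missing addresses that trigger substitute notice
SUBSTITUTE_NOTICE_DAYS = 90          # how long the website/media posting must stay up

@dataclass
class BreachRecord:
    discovered: date                          # the clock runs from discovery, not occurrence
    affected_by_jurisdiction: dict            # {"TX": 620} -> individuals per state/jurisdiction
    missing_contact_info: int = 0             # individuals with no usable mailing address
    low_probability_documented: bool = False  # four-factor assessment concluded low probability

def notification_obligations(b: BreachRecord) -> dict:
    """Return who must be notified and by when for one breach record."""
    if b.low_probability_documented:
        # Presumption of breach rebutted; the written four-factor assessment stays on file.
        return {"notification_required": False}
    total = sum(b.affected_by_jurisdiction.values())
    individual_deadline = b.discovered + NOTICE_WINDOW
    if total >= LARGE_BREACH:
        hhs = {"when": "with individual notices", "deadline": individual_deadline}
    else:
        # Smaller breaches go on the annual log: 60 days after the end of the year of discovery
        hhs = {"when": "annual log", "deadline": date(b.discovered.year, 12, 31) + NOTICE_WINDOW}
    # Media notice is owed per state/jurisdiction with 500 or more affected individuals
    media = {j: individual_deadline for j, n in b.affected_by_jurisdiction.items() if n >= LARGE_BREACH}
    substitute = b.missing_contact_info >= SUBSTITUTE_NOTICE_MIN
    return {
        "notification_required": True,
        "total_affected": total,
        "individual_deadline": individual_deadline,
        "hhs": hhs,
        "media_notice": media,
        "substitute_notice": substitute,
        "substitute_notice_days": SUBSTITUTE_NOTICE_DAYS if substitute else 0,
    }

def days_remaining(deadline: date, today: date) -> int:
    """Days left before a deadline; a negative value means the notice is already late."""
    return (deadline - today).days

if __name__ == "__main__":
    # Constructed sample: stolen laptop discovered 10 March 2025, patients in two states
    sample = BreachRecord(date(2025, 3, 10), {"TX": 620, "OK": 40}, missing_contact_info=12)
    for key, value in notification_obligations(sample).items():
        print(key, value)
```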
HIPAA Breach Penalties
The HHS Office for Civil Rights (OCR) enforces the Breach Notification Rule and can impose civil monetary penalties that scale based on the level of culpability:
- No knowledge: $137 to $68,928 per violation, with an annual cap of $2,067,813 for identical violations
- Reasonable cause: $1,379 to $68,928 per violation, annual cap of $2,067,813
- Willful neglect — corrected: $13,785 to $68,928 per violation, annual cap of $2,067,813
- Willful neglect — not corrected: $68,928 per violation, annual cap of $2,067,813
In addition to civil penalties, egregious violations can result in criminal referral to the Department of Justice. State attorneys general also have the authority to bring civil actions for HIPAA violations affecting state residents.
Building a Breach Response Plan
The time to plan your breach response is before a breach occurs. A documented breach response plan should include:
- Designated incident response team and contact information
- Steps for containing and assessing the incident
- The four-factor probability assessment process
- Templates for individual notification letters
- Process for HHS reporting
- Guidance on engaging legal counsel and public relations if needed
- Post-incident review and corrective action process
Conduct tabletop exercises at least annually to test your plan before a real incident forces you to rely on it.
Conclusion
HIPAA's Breach Notification Rule is unforgiving on timelines and detailed in its requirements. Practices that fail to notify — or that notify late — face penalties that can exceed the cost of the underlying breach. A proactive approach that includes a documented breach response plan, trained staff, and a reliable incident logging system is the best protection. GuardWell includes breach incident tracking, notification timeline management, and a built-in breach log to help practices stay organized and compliant when it matters most.
