4.4 Breach Notification Rule

Key Takeaways

  • A breach is the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy; properly encrypted PHI is not unsecured PHI.
  • An impermissible use or disclosure is presumed to be a breach unless a four-factor risk assessment shows a low probability that the PHI was compromised.
  • Covered Entities must notify affected individuals in writing without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  • Breaches affecting 500 or more individuals require notice to HHS within 60 days plus media notice when 500 or more are in one state or jurisdiction; breaches affecting fewer than 500 go on an annual log submitted within 60 days after year-end.
  • A Business Associate must notify the Covered Entity of a breach without unreasonable delay and no later than 60 days after discovery, and BAAs often shorten that window.
Last updated: June 2026

What Counts as a Breach

Under the Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of PHI in a manner the Privacy Rule does not permit, when that act compromises the security or privacy of the information. The rule applies only to unsecured PHI — PHI that has NOT been rendered unusable, unreadable, or indecipherable to unauthorized persons through an approved method such as encryption (to current NIST standards) or proper destruction. This is why the Security Rule and Breach Rule link directly: properly encrypted PHI that is lost is generally not a reportable breach, because it was never 'unsecured.'

The Three Breach Exceptions

Even an impermissible use or disclosure is not a breach if it fits one of three narrow statutory exceptions:

  1. Good-faith, unintentional access by a workforce member acting within authority, where the PHI is not further used or disclosed.
  2. Inadvertent disclosure between two authorized people at the same Covered Entity or Business Associate, where the PHI is not further used or disclosed.
  3. A disclosure where the entity has a good-faith belief the unauthorized recipient could not reasonably have retained the information (for example, a misdirected explanation of benefits returned unopened).

The Four-Factor Risk Assessment

If no exception applies, an impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates a low probability that the PHI has been compromised, based on a risk assessment of at least four factors:

FactorQuestion to Assess
1. Nature and extent of the PHIWhat types of identifiers and clinical detail were involved, and how sensitive are they (e.g., diagnoses, SSNs)?
2. The unauthorized personWho used the PHI or received it, and is that person already obligated to protect PHI?
3. Whether PHI was actually acquired or viewedWas the information truly accessed, or only potentially exposed?
4. Extent of risk mitigationHas the risk been reduced, for example by retrieval of the data or a signed confidentiality assurance from the recipient?

The burden of proof is on the Covered Entity or Business Associate. If they cannot document a low probability of compromise, they must treat the incident as a reportable breach.

Notification Timelines

Breach of unsecured PHI discovered
           |
   +-------------------+
   |  How many people  |
   |    affected?      |
   +-------------------+
      |              |
   < 500          >= 500
      |              |
Notify individuals   Notify individuals
within 60 days       within 60 days
      |              |
Log the breach;      Notify HHS without
report to HHS in     unreasonable delay,
the annual log       no later than 60 days
within 60 days       |
after year-end       Notify prominent media if
                     500+ in one state/jurisdiction

Individual Notice

Affected individuals must be notified in writing (first-class mail, or email if agreed) without unreasonable delay and no later than 60 calendar days after the breach is discovered — and the clock starts on discovery, not on when the investigation finishes. The notice must describe what happened, the types of PHI involved, the steps individuals can take to protect themselves, what the entity is doing, and contact information.

Notice to HHS

  • 500 or more individuals: notify the HHS Secretary without unreasonable delay and no later than 60 days after discovery — contemporaneously with individual notice. These breaches appear on the public OCR breach portal (the 'Wall of Shame').
  • Fewer than 500 individuals: the breach is still reportable, but logged and submitted to HHS in an annual report within 60 days after the end of the calendar year.

Media Notice

If a breach affects 500 or more residents of a single state or jurisdiction, the entity must also notify prominent media outlets serving that area, within the same 60-day window. Note this is a per-state count, separate from the HHS 500 threshold.

Business Associate Obligations

When a Business Associate discovers a breach, it must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery. The Covered Entity then remains responsible for notifying individuals, HHS, and the media as required. Because the CE's own 60-day clock can be tight, BAAs routinely shorten the BA's reporting window (often to a handful of days) so the CE can still meet every downstream deadline.

Worked Example and State-Law Overlay

Walk through a typical CPB scenario. A biller emails an unencrypted statement listing a patient's name, account number, and diagnosis to the wrong patient, who opens it. Run the test: no exception applies (the recipient is not an authorized workforce member and clearly retained the information). So it is presumed a breach unless the four factors show low probability of compromise. Sensitive identifiers were involved (factor 1), an unauthorized person received and read it (factors 2 and 3), and mitigation is limited if the recipient will not confirm deletion (factor 4).

The reasonable conclusion is a reportable breach affecting one individual — logged and reported to HHS in the annual submission, with written notice to that patient within 60 days.

Remember that the HIPAA Breach Notification Rule is a federal floor, not a ceiling. Nearly every state has its own breach-notification law, often with shorter deadlines, broader definitions of personal information, or mandatory attorney-general notice. When state law is stricter, the entity must satisfy both. The CPB exam may test the federal timelines directly, but real billing offices follow whichever rule is more protective.

Test Your Knowledge

A billing company (a Business Associate) discovers that an unencrypted laptop containing 1,800 patients' claim data was stolen. The patients are all residents of one state. Which notification path is correct?

A
B
C
D
Test Your Knowledge

A practice has an impermissible disclosure affecting 40 individuals and cannot demonstrate a low probability of compromise. How must it report this to HHS?

A
B
C
D