HIPAA Breach Notification: Who, When, and How
You already know that the HIPAA Breach Notification Rule requires you to notify all individuals whose protected health information (PHI) is compromised in a breach. But who else needs to be notified, and how? When do you have to send breach notification letters? Your breach notification requirements are determined by the overall level of risk posed by the breach. We’ve already looked at the four-factor breach risk assessment you used to determine the probability that PHI was compromised. If you found that risk to be greater than low, it’s time to send out notifications.

This post will cover how to notify individuals, the secretary of Health and Human Services Office for Civil Rights (HHS/OCR), and the media. We’ll also look at when to send a substitute notice, the responsibilities of business associates, what to do when contacted by law enforcement, and why you should document the entire process.

Notify Individuals

You must notify all individuals whose PHI was compromised in the breach no later than 60 days after discovering the breach. Send a notification letter by first-class mail to the last known address, or send an email if the individual has previously agreed to electronic communication.

If your records show that the person is deceased, the notification letter can be sent to the next of kin or personal representative. In the next post, you’ll learn how to write a breach notification letter and see a breach notification letter template.

READ MORE: How to Write a Breach Notification Letter (Sample Letter Included)

What if You Have Outdated Contact Information?

If you have insufficient or outdated contact information and can’t mail a written notification letter to some individuals, then you’ll need to make a substitute notice. The type of notice depends on how many people you’re unable to send a notification letter to.

  • 1-9 individuals: You may use an alternative written notice, phone call, or other means to reach these individuals. If you feel that you must urgently notify them because of the threat to their unsecured PHI, then you may want to contact them by phone as well as by written notice.
  • 10+ individuals: Post a conspicuous substitute notice for 90 days on your website homepage. The notice could also appear in major print or broadcast media in the regions where the individuals likely reside. It may be appropriate to use local, city, and State-wide media or multiple media outlets, depending on the circumstances and what you consider necessary to reach them.

Note that a substitute notice applies only to the person affected by the breach, not to the next of kin or personal representative. A substitute notice must include a toll-free number that remains active for at least 90 days, which an individual can use to get more information about the breach.

Notify the Secretary of HHS/OCR

You must also notify the secretary of HHS/OCR either immediately or annually, depending on the number of individuals whose PHI was compromised.

  • 1-499 individuals: Maintain an annual breach log and use it to notify HHS/OCR no later than 60 days after the end of that calendar year.
  • 500+ individuals: Notify HHS/OCR within the same timeframe that you notified affected individuals and no later than 60 days after discovering the breach.

Notify the Media

If the breach involves more than 500 residents of a State or jurisdiction, you must notify prominent media outlets serving that State or jurisdiction. You’ll send the media the same information that you sent to individuals in their notification letters no later than 60 days after discovering the breach. Be as prompt as possible.

What are Business Associates’ Responsibilities?

Additionally, the breach notification rule applies to business associates (BA). When a BA discovers a breach, they should notify you or conduct a breach risk assessment, depending on your business associate agreement (BAA). The first day a BA knows of a breach – or would have known of the breach if they’d exercised reasonable diligence – is considered the day the breach is discovered. A breach counts as known once it is known to anyone other than the person who caused it, including an employee, officer, or other agent of the BA.

If the BA is not an agent of your organization, then the 60-day notification clock doesn’t begin until they notify you. However, if the BA is acting as an agent of your organization, their discovery date is imputed to you. Therefore, you must notify affected individuals based on the timeframe that the BA discovered the breach, not based on when the BA notified you. To avoid confusion about breach notification requirements, it’s important you identify these responsibilities in your BAA.

READ MORE: 6 Business Associate Agreement Provisions to Protect Your Data

What if Law Enforcement Delays Breach Notification?

In some situations, law enforcement may ask you to delay sending breach notifications because it may impede a criminal investigation, hinder national security, or harm your organization or a BA. Pay attention to how the delay request is delivered by law enforcement.

  • Verbal request: You may postpone notifications, but for no longer than 30 days.
  • Written request: You must delay notifications and notices for the amount of time requested.

Document the Entire Process

There are a lot of moving parts when it comes time to send out breach notifications. It’s important that you document all your security incidents and notifications because you and your BAs have the burden of proof. Can you demonstrate that you notified all parties? Can you prove that the impermissible use or disclosure wasn’t a breach in the first place? Maintain clear records of how you addressed any impermissible use or disclosure, including:

  • The facts of the incident
  • Any investigative documents
  • The exception you applied, if any
  • The breach risk assessment that led to your conclusion

The goal is to be well-armed and prepared to respond to potential breaches, notify all parties correctly and on time, and maintain records that demonstrate your breach notification compliance efforts. Read the U.S. Code of Federal Regulations for more detail about breach notification requirements.

Check out our Breach Notification Letter Template!

Our free template makes it easy to create a compliant breach notification.


Need Help Managing Breach Notification?

You can use our cloud-based HIPAA management software to determine whether or not a security incident was a breach of PHI, log all your breaches and security incidents, and keep track of all the details surrounding your breach notification efforts.

These features make documentation easy and leave an auditable trail of compliance so you can have peace of mind. Contact us to learn more or request a personalized demo of HIPAAtrek.
