HIPAA Breach Notification Rules: Timelines, Requirements, and What Most Practices Get Wrong

A breach happens. Now what? The HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) lays out exactly who you notify, when, and how. Most practices know "60 days" but get the details wrong — and the details are where enforcement actions start.

Breach vs. security incident: why the distinction matters

Before you can apply the notification rules, you need to know whether you actually have a breach. HIPAA defines the two terms differently:

A security incident (45 CFR § 164.304) is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.

A breach (45 CFR § 164.402) is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Three narrow exceptions are carved out: unintentional, good-faith access by a workforce member acting within their authority; inadvertent disclosure between two persons authorized to access PHI at the same entity; and disclosures where the recipient could not reasonably have retained the information.

A blocked phishing attempt is a security incident but not a breach. An employee looking up a neighbor's medical records out of curiosity is both. You need to log all security incidents, but breach notification obligations only kick in for actual breaches — or incidents you cannot demonstrate, through the risk assessment below, were not breaches.

The four-factor risk assessment

When an impermissible use or disclosure occurs, it is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised. Under paragraph (2) of the definition of "breach" in 45 CFR § 164.402, that demonstration is a documented risk assessment of at least four factors:

  1. The nature and extent of the PHI involved. Did the disclosure include names only, or names plus Social Security numbers, diagnoses, and financial information? The more identifiable and sensitive the data, the higher the risk.
  2. The unauthorized person who used the PHI or to whom it was disclosed. Was it another covered entity (lower risk) or a completely unrelated third party (higher risk)?
  3. Whether the PHI was actually acquired or viewed. A misdirected fax that was returned unopened is different from one that was read. If you can demonstrate the data was never actually accessed, that weighs against notification.
  4. The extent to which the risk has been mitigated. Did you get the data back? Did the recipient sign a destruction certification? Did you confirm deletion?

If the risk assessment shows a low probability that PHI was compromised, you do not need to notify. But you must document the assessment and retain it for six years, as 45 CFR § 164.530(j) requires for all compliance documentation, because under § 164.414(b) the burden of proving that notification was not required rests on you. If you cannot demonstrate low probability, the presumption of breach stands and notification is required.

Notification timelines

The clock starts when you discover the breach — or when you would have discovered it through reasonable diligence. You cannot delay discovery by not looking.

Individuals: 60 days

Under 45 CFR § 164.404, you must notify each affected individual without unreasonable delay and no later than 60 calendar days from discovery. The notice must be written in plain language, sent by first-class mail to the individual's last known address (or by email if the individual has agreed to electronic notice), and must include:

  1. A brief description of what happened, including the date of the breach and the date of discovery, if known.
  2. A description of the types of unsecured PHI involved (for example name, Social Security number, date of birth, diagnosis).
  3. Steps individuals should take to protect themselves from potential harm.
  4. A brief description of what you are doing to investigate the breach, mitigate harm, and protect against further breaches.
  5. Contact procedures for questions, which must include a toll-free telephone number, an email address, web site, or postal address.

If your contact information is out of date for ten or more affected individuals, you must also provide substitute notice: a conspicuous posting on your web site home page for 90 days, or notice in major print or broadcast media, in either case including a toll-free number that stays active for at least 90 days.

HHS: depends on size

For breaches affecting 500 or more individuals (45 CFR § 164.408): you must notify the HHS Secretary contemporaneously with the individual notices, so within the same 60-day limit. HHS publishes these on its public breach portal — commonly called the "Wall of Shame." Separately, if more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that state or jurisdiction (45 CFR § 164.406). The media threshold is counted per state, not in total: a breach of 900 records split 600/300 across two states triggers media notice in only the first.

For breaches affecting fewer than 500 individuals: you log the breach and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered. You maintain this log throughout the year and submit it via the HHS breach reporting portal. Only the HHS report is deferred; the affected individuals still receive notice within 60 days of discovery.

Business associates

If a business associate discovers a breach, they must notify the covered entity without unreasonable delay and no later than 60 days from discovery (45 CFR § 164.410). The covered entity then handles notification to individuals and HHS. Note that when the business associate is acting as your agent, its discovery is imputed to you, so your own 60-day clock may already be running before you hear about it. This is why your business associate agreements need clear breach notification clauses — and why many practices negotiate shorter timelines than the 60-day maximum.
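The deadlines above interact in ways that are easy to get wrong: discovery is the earliest date anyone in the workforce other than the person who caused the breach knew or should have known, the media threshold is per state, and the HHS deadline depends on the headcount. The following calculator is an added example written for this article, not BlackSheep's code; the record layout, field names and sample dates are constructed, and it applies only the federal rule (state breach laws may impose shorter deadlines).

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SIXTY_DAYS = timedelta(days=60)  # outer limit in 45 CFR 164.404, 164.408 and 164.410


@dataclass
class BreachRecord:
    """Constructed record layout for this example (an assumption, not a HIPAA form)."""
    # (workforce member or agent, date that person knew or should have known)
    knowledge: List[Tuple[str, date]]
    # The person who committed the breach; their knowledge does not count
    # toward discovery (45 CFR 164.404(a)(2)).
    perpetrator: Optional[str]
    # State or jurisdiction of residence, one entry per affected individual.
    affected_states: List[str]
    # True when the party that discovered the breach is a business associate.
    discovered_by_ba: bool = False


def discovery_date(rec: BreachRecord) -> date:
    """Earliest date any workforce member other than the perpetrator knew."""
    dates = [d for who, d in rec.knowledge if who != rec.perpetrator]
    if not dates:
        raise ValueError("no qualifying knowledge yet; treat as undiscovered")
    return min(dates)


def annual_hhs_deadline(discovered: date) -> date:
    """Sub-500 breaches: 60 days after the end of the discovery year (164.408(c))."""
    return date(discovered.year, 12, 31) + SIXTY_DAYS


def deadlines(rec: BreachRecord) -> Dict[str, object]:
    """Compute every federal notification deadline for one breach record."""
    discovered = discovery_date(rec)
    total = len(rec.affected_states)
    per_state = Counter(rec.affected_states)
    result = {
        "discovered": discovered,
        # 164.404: without unreasonable delay, and never later than 60 days.
        "individuals": discovered + SIXTY_DAYS,
        # 164.408: 500+ individuals -> same window as individual notice;
        # fewer -> the annual log submitted after year end.
        "hhs": discovered + SIXTY_DAYS if total >= 500 else annual_hhs_deadline(discovered),
        "hhs_annual_log": total < 500,
        # 164.406: media notice is per state, and only above 500 residents of that state.
        "media_states": sorted(s for s, c in per_state.items() if c > 500),
    }
    if rec.discovered_by_ba:
        # 164.410: the business associate must tell the covered entity by this date.
        result["ba_to_covered_entity"] = discovered + SIXTY_DAYS
    return result


# Constructed sample: an insider knew first (does not count), the front desk
# noticed on Jan 5, compliance was not told until Feb 20. The clock starts Jan 5.
SAMPLE = BreachRecord(
    knowledge=[
        ("insider-01", date(2023, 12, 20)),
        ("front-desk", date(2024, 1, 5)),
        ("compliance", date(2024, 2, 20)),
    ],
    perpetrator="insider-01",
    affected_states=["CA"] * 600 + ["NV"] * 300,
)

if __name__ == "__main__":
    for name, value in deadlines(SAMPLE).items():
        print(f"{name}: {value}")
```

For the sample record the individual and HHS deadlines both land on 2024-03-05, media notice is owed only in California (Nevada's 300 residents fall under the per-state threshold), and a sub-500 breach discovered on the same date would instead go on the annual log due 2025-03-01.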

The encryption safe harbor

This is the single most practical protection available to you. The notification rules apply only to "unsecured" PHI, which 45 CFR § 164.402 defines as PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by the HHS Secretary in guidance. That guidance recognizes two methods: encryption consistent with NIST standards, where the decryption key has not been compromised, and destruction of the media (shredding or NIST-compliant sanitization). PHI secured either way is outside the breach definition.

If a laptop with encrypted ePHI is stolen and the encryption key was not on the laptop or otherwise compromised, you have a security incident but not a reportable breach. If that same laptop had unencrypted ePHI, you are notifying every patient whose data was on it. The safe harbor only holds if you can prove the encryption was actually in place on that device at the time of loss, so keep device inventory and encryption-status records you can produce later.

The HITECH Act strengthened these notification requirements and increased penalties for non-compliance. It also extended breach notification obligations directly to business associates, not just covered entities.

What most practices get wrong

1. Not recognizing a breach when it happens

The most common failure is not having a process to identify potential breaches in the first place. If your staff does not know what counts as an impermissible disclosure, they cannot report it. Training is not optional — it is a Security Rule requirement under 45 CFR § 164.308(a)(5).

2. Starting the clock late

The 60-day window begins at discovery, and HIPAA defines discovery broadly (45 CFR § 164.404(a)(2)): the first day the breach is known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed the breach. Management's awareness is irrelevant. If your front desk noticed something suspicious on January 5 but nobody told compliance until February 20, the clock started January 5.

3. Skipping the risk assessment

Some practices either notify for everything (expensive and unnecessary) or notify for nothing (reckless). The four-factor risk assessment exists for a reason. Use it. Document it. If you decide notification is not required, your documentation needs to show why.

4. Forgetting the annual log

Breaches affecting fewer than 500 individuals still require notice to those individuals within 60 days of discovery; only the report to HHS is deferred to the annual submission. Many practices lose track of minor incidents throughout the year and miss that annual reporting window. Keep a running log.

Building a response process that works

For healthcare organizations of any size, the minimum viable breach response process includes:

  1. Detection channel. A clear way for any workforce member to report a suspected breach. Email alias, phone number, form — whatever works, as long as people know about it.
  2. Initial triage. Within 24–48 hours, determine whether the incident is a potential breach and begin the four-factor risk assessment.
  3. Documentation. Record every step from the moment the incident is reported: what happened, who was involved, what PHI was affected, what you did about it.
  4. Decision and notification. Based on the risk assessment, decide whether to notify. If yes, send notices within the 60-day window using pre-drafted templates.
  5. Remediation. Fix the underlying cause. Update policies. Retrain if needed.

How BlackSheep helps

BlackSheep's HIPAA compliance platform includes breach tracking with built-in four-factor risk assessment workflows, configurable notification timelines, and an annual breach log that generates your HHS submission. When an incident occurs, you walk through a guided process instead of scrambling through a three-ring binder.

Be ready before a breach happens, not after.

Set up breach response with BlackSheep
