Breaches & Notification

HIPAA requires covered entities and their business associates to provide notification when a breach of unsecured PHI occurs. If the breach occurs at a business associate, you remain responsible for ensuring that either your practice or the business associate notifies the required parties.

Notification of breach: If a breach occurs, the following parties must be notified.

  • Affected individuals
    Following a breach you must provide individual notice in written form by first-class mail, or by email if the affected individual has agreed to receive such notices electronically.

    These notices must include:

    • A brief description of the breach and type of information involved in the breach
    • The steps affected individuals should take to protect themselves from potential harm
    • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm and prevent further breaches
    • Contact information for your practice (or business associate, as applicable)


    Notices must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.

    If you have insufficient or out-of-date contact information for 10 or more individuals, you must provide substitute individual notice either by posting the notice conspicuously on your practice's website home page for at least 90 days or by publishing it in major print or broadcast media where the affected individuals likely reside. Either form of substitute notice must include a toll-free phone number, active for at least 90 days, that individuals can call to learn whether their information was involved in the breach. If you have insufficient or out-of-date contact information for fewer than 10 individuals, you may provide substitute notice by an alternative form of written notice, by telephone or by other means.

  • The Department of Health and Human Services (HHS) Secretary
    You notify the Secretary by submitting the HHS online breach report form. For breaches affecting fewer than 500 individuals, you may report to the Secretary on an annual basis, but the report must be submitted no later than 60 days after the end of the calendar year in which the breaches were discovered. For a breach affecting 500 or more individuals, you must notify the Secretary without unreasonable delay and in no case later than 60 days following the discovery of the breach.

  • Media (for breaches affecting more than 500 residents of a state or jurisdiction)

    For breaches that affect more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction. This media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach, and must include:

    • A brief description of the breach and type of information involved in the breach
    • The steps affected individuals should take to protect themselves from potential harm
    • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm and prevent further breaches
    • Contact information for your practice (or business associate, as applicable)

Definition of breach: A breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of the PHI. Any impermissible use or disclosure of PHI is presumed to be a breach unless you (or the business associate) can demonstrate, based on a risk assessment of at least the following four factors, that there is a low probability that the PHI has been compromised:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the protected health information or to whom the disclosure was made
  3. Whether the protected health information was actually acquired or viewed
  4. The extent to which the risk to the protected health information has been mitigated

Notification by a business associate: You remain ultimately responsible for ensuring that your affected patients are notified of breaches by your business associates, but you can delegate the task of notification to the business associate by agreement. When deciding whether to delegate, consider who is in the best position to provide notice to the individual; this may depend on circumstances such as the functions the business associate performs and which party has the relationship with the individual.

When a breach occurs at a business associate, the business associate must notify you without unreasonable delay and in no case later than 60 days after discovering the breach. To the extent possible, the business associate should identify each individual affected by the breach and provide any other available information you need in order to properly notify the affected individuals.

HHS Resources: