Inferensys

Glossary

Breach Notification Rule

A HIPAA rule requiring covered entities and business associates to provide notification following a breach of unsecured protected health information to affected individuals, the Secretary of HHS, and in some cases, the media.
Strategy consultant facilitating AI use case discovery workshop, sticky notes on glass wall, casual corporate meeting.
REGULATORY COMPLIANCE

What is the HIPAA Breach Notification Rule?

A mandatory federal protocol requiring covered entities and their business associates to provide timely notification following a breach of unsecured protected health information.

The HIPAA Breach Notification Rule mandates that covered entities and business associates notify affected individuals, the Secretary of HHS, and in some cases the media, within 60 days of discovering a breach of unsecured protected health information (PHI). The rule applies to any impermissible access, use, or disclosure that compromises the security or privacy of the data.

Notification is triggered unless the entity demonstrates a low probability that the PHI was compromised, based on a four-factor risk assessment evaluating the nature of the breach, the unauthorized recipient, whether the data was actually acquired, and the extent of mitigation. Breaches affecting 500 or more individuals require simultaneous media notice and immediate reporting to the HHS Secretary.

BREACH NOTIFICATION COMPLIANCE

Frequently Asked Questions

Clear, actionable answers to the most common questions about the HIPAA Breach Notification Rule, covering obligations for covered entities, business associates, and the specific timelines and thresholds that trigger regulatory requirements.

The HIPAA Breach Notification Rule is a federal regulation that requires covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). A breach is generally defined as an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. This rule applies to healthcare providers, health plans, and healthcare clearinghouses (covered entities), as well as any vendors or subcontractors that create, receive, maintain, or transmit PHI on their behalf (business associates). The rule mandates a specific chain of notification: business associates must notify the covered entity, the covered entity must notify affected individuals, the Secretary of Health and Human Services (HHS), and, in cases involving more than 500 residents of a single state or jurisdiction, prominent media outlets.

HIPAA COMPLIANCE

Core Requirements of the Breach Notification Rule

The Breach Notification Rule mandates specific, time-sensitive actions following the discovery of a breach of unsecured protected health information. These requirements apply to both covered entities and their business associates, with distinct obligations for each.

03

Media Notification

For large-scale breaches affecting more than 500 residents of a single state or jurisdiction, the covered entity must issue a prominent media notification.

  • Trigger: The breach impacts 500 or more individuals within a specific state, territory, or possession.
  • Deadline: Without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.
  • Method: A press release distributed to prominent media outlets serving the affected geographic area. This ensures individuals who may not be reachable by mail are still informed.
04

Business Associate Obligations

A business associate that discovers a breach of unsecured PHI at or by the business associate is required to notify the covered entity.

  • Deadline: Without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.
  • Required Content: The notification must, to the extent possible, identify each individual whose unsecured PHI has been breached. The business associate must also provide any other available information the covered entity is required to include in its own individual notice.
  • Contractual Flow: This obligation is typically reinforced within the Business Associate Agreement (BAA) governing the relationship.
05

Burden of Proof and Risk Assessment

An impermissible access, use, or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.

  • Four-Factor Risk Assessment: This determination must be based on a documented assessment of at least these four factors:
    • The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification.
    • The unauthorized person who used the PHI or to whom the disclosure was made.
    • Whether the PHI was actually acquired or viewed.
    • The extent to which the risk to the PHI has been mitigated.
  • Documentation: The entity bears the burden of proof and must maintain thorough documentation of the risk assessment to demonstrate compliance.
06

Definition of Unsecured PHI

The notification obligations are triggered specifically by a breach of unsecured protected health information. Understanding this term is critical.

  • Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.
  • Securing PHI (Safe Harbor): The only two methods that render PHI secure and exempt from notification are:
    • Encryption: For data at rest and in transit, using algorithms like AES-256.
    • Destruction: Secure destruction of the physical media on which the PHI was stored, such as paper shredding or NIST-compliant digital media sanitization.
  • Strategic Implication: A robust encryption strategy for ePHI at rest and in transit is the primary technical safeguard that can prevent a reportable breach event.
REGULATORY COMPARISON

Breach Notification Rule vs. HIPAA Security Rule

A structural comparison of the reactive Breach Notification Rule and the proactive HIPAA Security Rule, outlining their distinct purposes, triggers, and compliance obligations.

FeatureBreach Notification RuleHIPAA Security Rule

Primary Purpose

Reactive response to a confirmed breach of unsecured PHI

Proactive prevention of breaches via administrative, physical, and technical safeguards

Regulatory Citation

45 CFR §§ 164.400-414

45 CFR §§ 164.302-318

Triggering Event

Acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule

Creation, receipt, maintenance, or transmission of electronic PHI (ePHI)

Applies To

Covered entities and business associates

Covered entities only (business associates are contractually obligated via BAA)

Key Obligation

Notify affected individuals, the Secretary of HHS, and potentially the media

Implement reasonable and appropriate safeguards to ensure confidentiality, integrity, and availability of ePHI

Risk Assessment Requirement

Yes, a risk assessment to determine if the impermissible access compromises PHI (low probability of compromise standard)

Yes, a comprehensive and accurate risk analysis of potential risks and vulnerabilities to ePHI

Notification Deadline

Without unreasonable delay and no later than 60 calendar days after discovery

Not applicable (ongoing compliance obligation)

Sanctions for Non-Compliance

Civil monetary penalties and corrective action plans

Civil monetary penalties and corrective action plans

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.