The HIPAA Breach Notification Rule mandates that covered entities and business associates notify affected individuals, the Secretary of HHS, and in some cases the media, within 60 days of discovering a breach of unsecured protected health information (PHI). The rule applies to any impermissible access, use, or disclosure that compromises the security or privacy of the data.
Glossary
Breach Notification Rule

What is the HIPAA Breach Notification Rule?
A mandatory federal protocol requiring covered entities and their business associates to provide timely notification following a breach of unsecured protected health information.
Notification is triggered unless the entity demonstrates a low probability that the PHI was compromised, based on a four-factor risk assessment evaluating the nature of the breach, the unauthorized recipient, whether the data was actually acquired, and the extent of mitigation. Breaches affecting 500 or more individuals require simultaneous media notice and immediate reporting to the HHS Secretary.
Frequently Asked Questions
Clear, actionable answers to the most common questions about the HIPAA Breach Notification Rule, covering obligations for covered entities, business associates, and the specific timelines and thresholds that trigger regulatory requirements.
The HIPAA Breach Notification Rule is a federal regulation that requires covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). A breach is generally defined as an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. This rule applies to healthcare providers, health plans, and healthcare clearinghouses (covered entities), as well as any vendors or subcontractors that create, receive, maintain, or transmit PHI on their behalf (business associates). The rule mandates a specific chain of notification: business associates must notify the covered entity, the covered entity must notify affected individuals, the Secretary of Health and Human Services (HHS), and, in cases involving more than 500 residents of a single state or jurisdiction, prominent media outlets.
Core Requirements of the Breach Notification Rule
The Breach Notification Rule mandates specific, time-sensitive actions following the discovery of a breach of unsecured protected health information. These requirements apply to both covered entities and their business associates, with distinct obligations for each.
Media Notification
For large-scale breaches affecting more than 500 residents of a single state or jurisdiction, the covered entity must issue a prominent media notification.
- Trigger: The breach impacts 500 or more individuals within a specific state, territory, or possession.
- Deadline: Without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.
- Method: A press release distributed to prominent media outlets serving the affected geographic area. This ensures individuals who may not be reachable by mail are still informed.
Business Associate Obligations
A business associate that discovers a breach of unsecured PHI at or by the business associate is required to notify the covered entity.
- Deadline: Without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.
- Required Content: The notification must, to the extent possible, identify each individual whose unsecured PHI has been breached. The business associate must also provide any other available information the covered entity is required to include in its own individual notice.
- Contractual Flow: This obligation is typically reinforced within the Business Associate Agreement (BAA) governing the relationship.
Burden of Proof and Risk Assessment
An impermissible access, use, or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.
- Four-Factor Risk Assessment: This determination must be based on a documented assessment of at least these four factors:
- The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
- Documentation: The entity bears the burden of proof and must maintain thorough documentation of the risk assessment to demonstrate compliance.
Definition of Unsecured PHI
The notification obligations are triggered specifically by a breach of unsecured protected health information. Understanding this term is critical.
- Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.
- Securing PHI (Safe Harbor): The only two methods that render PHI secure and exempt from notification are:
- Encryption: For data at rest and in transit, using algorithms like AES-256.
- Destruction: Secure destruction of the physical media on which the PHI was stored, such as paper shredding or NIST-compliant digital media sanitization.
- Strategic Implication: A robust encryption strategy for ePHI at rest and in transit is the primary technical safeguard that can prevent a reportable breach event.
Breach Notification Rule vs. HIPAA Security Rule
A structural comparison of the reactive Breach Notification Rule and the proactive HIPAA Security Rule, outlining their distinct purposes, triggers, and compliance obligations.
| Feature | Breach Notification Rule | HIPAA Security Rule |
|---|---|---|
Primary Purpose | Reactive response to a confirmed breach of unsecured PHI | Proactive prevention of breaches via administrative, physical, and technical safeguards |
Regulatory Citation | 45 CFR §§ 164.400-414 | 45 CFR §§ 164.302-318 |
Triggering Event | Acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule | Creation, receipt, maintenance, or transmission of electronic PHI (ePHI) |
Applies To | Covered entities and business associates | Covered entities only (business associates are contractually obligated via BAA) |
Key Obligation | Notify affected individuals, the Secretary of HHS, and potentially the media | Implement reasonable and appropriate safeguards to ensure confidentiality, integrity, and availability of ePHI |
Risk Assessment Requirement | Yes, a risk assessment to determine if the impermissible access compromises PHI (low probability of compromise standard) | Yes, a comprehensive and accurate risk analysis of potential risks and vulnerabilities to ePHI |
Notification Deadline | Without unreasonable delay and no later than 60 calendar days after discovery | Not applicable (ongoing compliance obligation) |
Sanctions for Non-Compliance | Civil monetary penalties and corrective action plans | Civil monetary penalties and corrective action plans |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Essential concepts and regulatory frameworks that intersect with the Breach Notification Rule, governing how healthcare organizations must respond to unauthorized access of protected health information.
Unsecured PHI Definition
The Breach Notification Rule applies exclusively to unsecured protected health information—data that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS guidance specifies that PHI is considered secured only when it has been:
- Encrypted using an algorithmic process meeting NIST SP 800-111 standards
- Destroyed through shredding or degaussing of electronic media
If a laptop containing 50,000 patient records is stolen and the data was not encrypted, this constitutes a breach of unsecured PHI triggering full notification obligations.
Breach Risk Assessment
A four-factor risk assessment determines whether an impermissible access constitutes a reportable breach. Covered entities must evaluate:
- Nature and extent of PHI involved—does it include sensitive diagnoses or financial data?
- The unauthorized person—was it an internal employee who immediately deleted the data?
- Whether PHI was actually acquired or viewed—forensic evidence matters
- Extent of mitigation—has the recipient provided satisfactory assurances of destruction?
If any single factor indicates low probability of compromise, the incident is not a notifiable breach. This assessment must be thoroughly documented.
Notification Timelines
The Rule imposes strict, non-negotiable deadlines once a breach is confirmed:
- Individual notice: Without unreasonable delay, but no later than 60 calendar days from breach discovery
- HHS Secretary notice: For breaches affecting 500+ individuals, notification must occur contemporaneously with individual notice; for breaches affecting fewer than 500, an annual log submission is permitted
- Media notice: Required for breaches affecting 500+ residents of a single state or jurisdiction—must be issued to prominent media outlets in that area
Failure to meet the 60-day individual notification deadline is one of the most commonly cited HIPAA violations.
Business Associate Obligations
Under the Omnibus Final Rule, business associates bear direct liability for breach notification. Key requirements:
- Discovery triggers a 60-day clock: The BA must notify the covered entity immediately, but no later than 60 days from discovering the breach
- BA must identify affected individuals: The BA must provide the covered entity with sufficient information to identify each affected individual, enabling the CE to fulfill its own notification duties
- Subcontractor chain: If a BA's subcontractor experiences a breach, the subcontractor must notify the BA, who then notifies the CE—creating a cascading notification chain
This direct liability eliminates the prior ambiguity where BAs could deflect responsibility to the covered entity.
Content Requirements for Notice
Individual notification letters must contain specific elements prescribed by the Rule:
- Brief description of the breach: What happened, including the date or date range
- Types of PHI involved: Specify categories like names, SSNs, diagnoses, or treatment dates—be specific without revealing the actual data
- Steps individuals should take: Recommend credit monitoring, fraud alerts, or contacting insurers
- What the covered entity is doing: Describe investigation status, mitigation actions, and safeguards implemented to prevent recurrence
- Contact procedures: Include a toll-free number, email, or website where individuals can inquire about the breach
Letters must be written in plain language and delivered by first-class mail or email if the individual has agreed to electronic notice.
Burden of Proof
The covered entity bears the burden of demonstrating that all required notifications were made or that an impermissible use did not constitute a breach. This creates critical documentation obligations:
- Risk assessments must be preserved: If the four-factor assessment concluded low probability of compromise, the rationale must be fully documented and defensible under audit
- Notification records: Copies of all individual, media, and HHS notices must be maintained as part of the designated record set
- Presumption of breach: Any impermissible access, use, or disclosure is presumed to be a breach unless the covered entity can demonstrate low probability of compromise
This evidentiary burden makes thorough forensic investigation and legal documentation essential before concluding an incident is not reportable.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us