In an age where nearly every facet of healthcare runs on data, protecting that data isn’t just a priority—it’s a legal and ethical obligation. From digital health records to insurance files and lab reports, Protected Health Information (PHI) sits at the heart of clinical and administrative workflows. And as the healthcare system leans further into cloud-based tools, telemedicine, and connected devices, the risk of data breaches continues to climb.
To help safeguard PHI, the Health Insurance Portability and Accountability Act (HIPAA) lays out strict standards. Among them is the Breach Notification Rule, a critical regulation that dictates what steps must be taken if PHI is compromised.
Whether you’re a provider, insurer, IT vendor, or business associate handling health data, here’s what you need to understand—because when a breach occurs, knowing what to do next can mean the difference between compliance and costly violations.
What Exactly Is the Breach Notification Rule?
First introduced in 2009 under the HITECH Act, the Breach Notification Rule requires healthcare organizations and their partners to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media, whenever unsecured PHI is breached.
The goal? Transparency. Patients have the right to know when their data has been exposed so they can take action—whether that means freezing their credit, changing passwords, or simply staying alert for signs of identity theft.
At its core, the rule answers three key questions:
- What qualifies as a breach?
- Who must be informed?
- How and when should those notifications happen?
Who Has to Follow the Rule?
HIPAA’s Breach Notification Rule casts a wide net. If your organization creates, accesses, stores, or transmits PHI, you’re likely covered.
Covered Entities (CEs) include:
- Healthcare providers (e.g., hospitals, private practices, dental clinics)
- Health plans (like insurers, HMOs, Medicare)
- Healthcare clearinghouses (which process nonstandard data into standard formats)
Business Associates (BAs) include:
- Anyone working with or on behalf of a covered entity who interacts with PHI
- Examples: Cloud storage vendors, billing firms, EHR tech companies, managed IT providers
Bottom line: If you touch PHI in your day-to-day operations—even indirectly—you’re on the hook.
What Counts as a Breach?
A breach is defined as any access, use, or disclosure of PHI that violates HIPAA’s Privacy Rule and compromises the information’s security or privacy.
Common breach scenarios:
- An email with patient info sent to the wrong recipient
- Loss or theft of an unencrypted device (laptop, USB drive, etc.)
- Employees snooping on records they have no reason to access
- Hacking incidents or ransomware attacks targeting EHR systems
- Improperly discarded paper records containing PHI
What’s not a breach?
Not every mishap qualifies. HIPAA includes some exceptions, such as:
- A staff member accidentally opening the wrong patient file but realizing it immediately and taking no further action.
- PHI shared unintentionally between authorized individuals within the same organization.
- Situations where PHI can’t reasonably be retained or accessed, like a fax sent to the wrong clinic that’s confirmed destroyed.
The “Low Probability of Compromise” Test
When a potential breach occurs, it doesn’t automatically trigger notification. Organizations must conduct a risk assessment to determine whether there is a low probability that the PHI has been compromised.
Key factors include:
- What type of PHI was exposed? (Basic info vs. sensitive data like diagnoses or SSNs)
- Who accessed it? (A fellow healthcare provider vs. a cybercriminal)
- Was the PHI actually viewed or acquired?
- Was the breach mitigated? (e.g., device recovered, data deleted, etc.)
If the assessment suggests a low risk, notification might not be necessary. Otherwise, it’s legally required.
What Does “Unsecured PHI” Mean?
This rule applies specifically to unsecured PHI—meaning data that hasn’t been properly encrypted or destroyed in accordance with federal standards.
- Secured PHI (e.g., encrypted files) typically doesn’t trigger notification requirements—even if it’s stolen.
- Unsecured PHI (e.g., plain text files or unencrypted emails) does.
Example:
A stolen encrypted laptop? Likely not reportable.
An unencrypted flash drive that goes missing? You’ll need to notify.
Who Must Be Notified?
Once a breach is confirmed and deemed reportable, the law requires notifying several parties:
1. Affected Individuals
- Must be notified within 60 calendar days of breach discovery.
- Notification should be written in clear, non-technical language.
- Delivery: via first-class mail or email (if consented to).
2. The Department of Health and Human Services (HHS)
- If the breach affects 500 or more individuals, notify HHS within 60 days of discovery.
- For fewer than 500, the report can be submitted annually, within 60 days of year-end.
3. The Media
- Required only if 500+ residents of a single state or jurisdiction are impacted.
- You must notify prominent media outlets in the affected region.
4. Business Associates’ Responsibilities
- Business associates must inform the covered entity of any breach they experience.
- The covered entity usually handles patient notifications, but this can vary depending on the contract.
What Goes in the Breach Notification?
HIPAA outlines specific elements that must be included in any breach notice:
- A brief but clear summary of what happened, including dates.
- What information was involved (e.g., medical conditions, insurance IDs).
- Steps individuals can take to protect themselves.
- What the organization is doing to mitigate damage and prevent recurrence.
- Contact info for questions: email, toll-free number, mailing address, website.
The tone should be plain, empathetic, and accessible—not buried in legalese.
Timing Is Everything
HIPAA takes deadlines seriously. Here’s the breakdown:
- Individual Notice: No later than 60 days after discovering the breach
- Media Notice (if needed): Same 60-day timeline
- HHS Notice:
  - 500+ people: Within 60 days
  - Fewer than 500: By March 1 of the following year
Exception: Law enforcement can request a delay if immediate notice would hinder a criminal investigation.
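As an added example that is not part of the original article, the following Python sketch turns the who-must-be-notified and timing rules above (unsecured PHI, the low-probability-of-compromise outcome, the 500-person threshold, the 60-day windows, the March 1 annual log, per-jurisdiction media notice and the business associate’s duty to tell the covered entity) into a deadline calculator. The field names, the sample breach records, and the treatment of a law-enforcement delay as a plain extension of every deadline are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60        # individual, media and large-breach HHS notices
LARGE_BREACH_THRESHOLD = 500   # prompt HHS notice; media notice per jurisdiction


@dataclass
class Breach:
    """Facts recorded after the four-factor risk assessment (field names assumed)."""
    discovered: date
    affected_by_jurisdiction: dict        # e.g. {"CA": 900, "NV": 300}
    phi_encrypted: bool                   # secured per federal encryption standards?
    key_compromised: bool = False         # encryption counts for nothing if the key leaked
    low_probability_of_compromise: bool = False
    reported_by_business_associate: bool = False
    law_enforcement_delay_days: int = 0   # assumed: a requested delay extends every deadline


def is_unsecured(b: Breach) -> bool:
    return (not b.phi_encrypted) or b.key_compromised


def is_reportable(b: Breach) -> bool:
    return is_unsecured(b) and not b.low_probability_of_compromise


def media_jurisdictions(b: Breach) -> list:
    """Jurisdictions with 500+ affected residents, where prominent media must be told."""
    return sorted(j for j, n in b.affected_by_jurisdiction.items() if n >= LARGE_BREACH_THRESHOLD)


def notice_deadlines(b: Breach) -> dict:
    """Map each required notice to its deadline; an empty dict means no notification duty."""
    if not is_reportable(b):
        return {}
    prompt = b.discovered + timedelta(days=NOTICE_WINDOW_DAYS + b.law_enforcement_delay_days)
    deadlines = {"individuals": prompt}
    if b.reported_by_business_associate:
        deadlines["covered_entity"] = prompt   # BA informs the CE, no later than 60 days
    if sum(b.affected_by_jurisdiction.values()) >= LARGE_BREACH_THRESHOLD:
        deadlines["hhs"] = prompt
    else:
        deadlines["hhs"] = date(b.discovered.year + 1, 3, 1)   # annual log, March 1 next year
    if media_jurisdictions(b):
        deadlines["media"] = prompt
    return deadlines


# Constructed samples, not real incidents.
SAMPLE_ENCRYPTED = Breach(date(2024, 3, 15), {"CA": 40}, phi_encrypted=True)
SAMPLE_LARGE = Breach(date(2024, 3, 15), {"CA": 900, "NV": 300}, phi_encrypted=False)
SAMPLE_SMALL_BA = Breach(date(2024, 11, 20), {"TX": 120}, phi_encrypted=False,
                         reported_by_business_associate=True, law_enforcement_delay_days=30)
```

Running `notice_deadlines(SAMPLE_LARGE)` returns individual, HHS and media deadlines of 2024-05-14 (60 days after discovery), while the encrypted sample returns no duties at all.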
What Happens If You Don’t Comply?
Failure to meet Breach Notification requirements can lead to steep penalties—both financial and reputational.
Civil Monetary Penalties (2024 figures):
- Tier 1: $137 – $68,928 per violation (unintentional)
- Tier 2: $1,379 – $68,928 (reasonable cause)
- Tier 3: $13,785 – $68,928 (willful neglect, corrected)
- Tier 4: Minimum $68,928 (willful neglect, uncorrected)
Max penalty per violation category per year: $2,067,813
Case in point: In 2020, Premera Blue Cross paid $6.85 million after a data breach exposed information for over 10 million individuals due to a cyberattack.
Best Practices for Staying Compliant
Protecting PHI is a multi-layered effort. Here’s how to stay on the safe side:
- Encrypt everything—at rest and in transit.
- Use role-based access and multifactor authentication.
- Train your staff regularly—human error is still the top breach cause.
- Run frequent risk assessments to spot weak links.
- Have a breach response plan ready to go.
- Vet your business associates and ensure airtight contracts (BAAs).
- Log and monitor systems for suspicious activity.
HIPAA Breach Notification in a Cyber-Threat Era
Today’s healthcare threats are more sophisticated than ever: ransomware, phishing, insider misuse, cloud vulnerabilities—the list goes on. Even with the best defenses, no system is invulnerable.
That’s why the Breach Notification Rule is so crucial. It ensures organizations respond quickly, communicate transparently, and rebuild trust.
Final Thoughts
Data breaches in healthcare aren’t just technical failures—they’re trust failures. HIPAA’s Breach Notification Rule isn’t just about checking a box—it’s about respecting patients’ rights and preserving integrity in a highly sensitive industry.
Here’s what every organization should be doing:
- Know how to identify a breach.
- Understand your reporting obligations.
- Communicate clearly with patients.
- Continuously upgrade your security posture.
In the end, compliance protects more than just data—it protects people.
Security, AI Risk Management, and Compliance with Akitra!
In the competitive landscape of SaaS businesses, trust is paramount amidst data breaches and privacy concerns. Akitra addresses this need with its leading AI-powered Compliance Automation platform. Our platform empowers customers to prevent sensitive data disclosure and mitigate risks, meeting the expectations of customers and partners in the rapidly evolving landscape of data security and compliance. Through automated evidence collection and continuous monitoring, paired with customizable policies, Akitra ensures organizations are compliance-ready for various frameworks such as SOC 1, SOC 2, HIPAA, GDPR, PCI DSS, ISO 27001, ISO 27701, ISO 27017, ISO 27018, ISO 9001, ISO 13485, ISO 42001, NIST 800-53, NIST 800-171, NIST AI RMF, FedRAMP, CCPA, CMMC, SOX ITGC, and more, such as CIS AWS Foundations Benchmark, Australian ISM and Essential Eight. In addition, companies can use Akitra’s Risk Management product for overall risk management using quantitative methodologies such as Factor Analysis of Information Risk (FAIR) and qualitative, NIST-based methods, as well as Vulnerability Assessment and Pen Testing services, Third Party Vendor Risk Management, Trust Center, and an AI-based Automated Questionnaire Response product to streamline and expedite security questionnaire response processes, delivering huge cost savings. Our compliance and security experts provide customized guidance to navigate the end-to-end compliance process confidently. Last but not least, we have also developed a resource hub called Akitra Academy, which offers easy-to-learn short video courses on security, compliance, and related topics of immense significance for today’s fast-growing companies.
Our solution offers substantial time and cost savings, including discounted audit fees, enabling fast and cost-effective compliance certification. Customers achieve continuous compliance as they grow, becoming certified under multiple frameworks through a single automation platform.
Build customer trust. Choose Akitra TODAY! To book your FREE DEMO, contact us right here.
FAQs
Is media notification always required?
No. It’s only required if 500 or more residents in a specific state or jurisdiction are affected.
Are encrypted data breaches reportable?
Usually not—unless the encryption key was also compromised.
What should a business associate do if they detect a breach?
Notify the covered entity immediately, and no later than 60 days after discovery.
Is free credit monitoring required?
Not by HIPAA—but it’s commonly offered to affected individuals as a best practice.