A security incident hits your health system on a Tuesday morning. Someone accessed a file containing protected health information, and now your compliance team is scrambling. The first question isn’t “what happened?” It’s “what do we have to do, and by when?” HIPAA’s breach notification framework answers that question with precision, and getting it wrong carries consequences that go well beyond regulatory fines.
Most covered entities understand that breaches require notification. Fewer understand exactly which breaches trigger the rule, which individuals and agencies must be told, and what the clock actually looks like from discovery to disclosure. The HHS Office for Civil Rights has published detailed guidance on this, but the plain-language interpretation of those rules is still misread in practice. Regulatory confusion compounds operational stress, and in our experience working with providers at every scale, that gap leads to missteps even at well-resourced organizations.
The HIT Community has covered HIPAA compliance for over a decade, including real breach case analyses, and Robert Claudio has documented some of the most instructive incidents in healthcare IT, from the Alaska Medicaid settlement that cost $1.7 million to smaller clinic-level incidents that never made headlines but still reshaped organizational policy. This post walks through what the Breach Notification Rule requires, what it doesn’t, and how patient communication, including through patient portals and patient gateway systems, fits into the compliance picture.

What Is the HIPAA Breach Notification Rule?
The Breach Notification Rule, enacted under HITECH and codified into HIPAA, requires covered entities and their business associates to notify affected individuals, HHS, and in some cases the media, following the discovery of a breach of unsecured protected health information. A “breach” is defined as the impermissible use or disclosure of PHI that compromises its security or privacy, unless an exception applies or a risk assessment demonstrates low probability of compromise.
Three core actors are involved: covered entities (hospitals, clinics, health plans, healthcare clearinghouses), business associates (vendors, contractors, cloud providers handling PHI on behalf of covered entities), and individuals whose data was exposed. The rule exists because patients have a fundamental right to know when their health data has been compromised, and because that knowledge lets them take protective action.
“The HIPAA Breach Notification Rule requires covered entities to notify affected individuals following a breach of unsecured protected health information without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
— U.S. Department of Health and Human Services, Office for Civil Rights
There are three exceptions to the definition of breach: unintentional acquisition or access by a workforce member acting in good faith, inadvertent disclosure between two authorized people at the same covered entity, and situations where the covered entity reasonably believes the unauthorized recipient couldn’t retain the information. Outside those narrow carve-outs, any impermissible disclosure triggers analysis.
What Are the Breach Notification Rule Requirements?
Covered entities must notify individuals, HHS, and potentially media outlets. For breaches involving more than 500 residents of a single state or jurisdiction, notice to prominent media outlets serving that state or jurisdiction is required in addition to individual notice. For breaches of any size, HHS must be notified, though the timing depends on the total number of individuals affected. The content, timing, and method of notification each carry specific requirements.
Individual notices must be written in plain language and include the following:
- A description of what happened, including the date of the breach and discovery date if known
- The types of unsecured PHI involved, such as name, Social Security number, diagnosis, or financial account information
- Steps individuals should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate and mitigate the harm
- Contact procedures for individuals to ask questions or learn more, which must include a toll-free telephone number, an email address, a website, or a postal address
Method matters. First-class mail to the individual's last known address is the default. If the individual has agreed to receive notices electronically, email is permitted. If contact information is out of date or insufficient for ten or more individuals, substitute notice is required: a conspicuous posting on the covered entity's website home page for 90 days, or notice in major print or broadcast media, in either case with a toll-free number that stays active for at least 90 days. Many organizations now use their patient portal or patient gateway system to deliver breach notices electronically, which is appropriate only when the individual's agreement to electronic notice is on file; a portal message alone does not satisfy the rule otherwise. The notice still must meet every content requirement, even when delivered through platforms like the MGH Patient Gateway, MedStar Patient Portal, or BayCare Patient Portal.
According to the Breach Notification Rule, How Long Does a Covered Entity Have to Report?
Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. The clock starts at discovery, not confirmation. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the entity exercised reasonable diligence, and knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the entity. If you become aware that a breach may have occurred, that is the discovery date, even if investigation is ongoing.
The 60-day window is a maximum, not a target. Organizations that delay notification to complete a thorough investigation run real risk if that delay is deemed “unreasonable.” In practice, most compliance counsel recommends notifying as early as investigation allows, even if the full scope isn’t yet confirmed, with a follow-up notice if additional information comes to light.
For large breaches, 500 or more individuals in total, HHS notification is due contemporaneously with individual notice: without unreasonable delay and no later than 60 calendar days after discovery. For smaller breaches, covered entities may instead log each incident and submit them to HHS within 60 days after the close of the calendar year in which the breach was discovered. That annual log must include every breach affecting fewer than 500 individuals discovered during that year.

Which HIPAA Rule Requires Determining Whether Unsecured PHI Was Compromised After an Incident?
The Breach Notification Rule itself governs this assessment. When an impermissible use or disclosure occurs, covered entities must perform a four-factor risk assessment to determine the probability that PHI has been compromised. This is not optional. All four factors must be evaluated, and the determination must be documented.
The four factors are:
- The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
- Who used the PHI or to whom the disclosure was made, and whether that person had obligations to protect it
- Whether the PHI was actually acquired or viewed, or whether only the opportunity for access occurred
- The extent to which the risk has been mitigated, such as through satisfactory assurances from the recipient that data was destroyed
If analysis shows a low probability of compromise across all four factors, the incident may not constitute a reportable breach. But covered entities cannot skip the assessment and assume an exception applies. The Office for Civil Rights has made clear that organizations bear the burden of demonstrating that notification was not required. Documentation of the risk assessment is what protects you in an audit. Institutions we’ve observed across our network, from regional health systems to behavioral health providers, frequently underestimate how important that written record is until they’re sitting across from an OCR investigator.
A HIPAA Breach Affecting Fewer Than 500 Individuals: What’s Different?
Small-scale breaches follow the same content and method requirements for individual notice but allow a delayed reporting timeline to HHS. Rather than notifying HHS immediately, covered entities may log these incidents and submit them annually. The annual report is due no later than 60 days after the end of the calendar year in which the breach was discovered, which lands on March 1 (or February 29 in a leap year). That means a breach discovered in February can be reported to HHS the following February, as long as individual notification still happens within 60 days of discovery.
One area that trips up smaller practices: the two 500 thresholds count different things. The HHS timing threshold (500 or more) is the total number of individuals affected, regardless of where they live. The media notice threshold (more than 500) is counted per state or jurisdiction. A breach affecting 600 individuals across two states, 300 in each, is a large breach for HHS purposes and must be reported to HHS contemporaneously with individual notice, but it does not trigger media notification in either state because neither state's count exceeds 500. Conversely, 501 residents of one state triggers both. Know your patient geography before deciding which obligations apply.
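The timing and threshold logic above is easy to get wrong under pressure, so here is an added example (not from the original post, and not an HHS or HIT Community tool) that turns a discovery date and per-state headcount into the concrete deadlines: individual notice, HHS notice or annual log, and which states need media notice. It applies the thresholds as the regulation states them (more than 500 residents of one state for media; 500 or more individuals in total for contemporaneous HHS notice). The `Breach` and `Obligations` types and the sample incidents are constructed for illustration; this is a calendar calculator, not legal advice, and it does not decide whether an incident is a breach at all (that is the four-factor assessment).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and clocks as stated in the Breach Notification Rule (45 CFR 164.400-414).
INDIVIDUAL_NOTICE_DAYS = 60    # individual notice: no later than 60 calendar days after discovery
MEDIA_STATE_THRESHOLD = 500    # media notice: MORE THAN 500 residents of a single state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500  # HHS notice: 500 OR MORE individuals in total -> contemporaneous
ANNUAL_LOG_DAYS = 60           # smaller breaches: annual log due 60 days after calendar year end


@dataclass(frozen=True)
class Breach:
    """Hypothetical record of one incident (constructed for this example)."""
    discovered: date            # first day known, or should have been known with reasonable diligence
    affected_by_state: dict     # state/jurisdiction code -> number of affected residents

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


@dataclass(frozen=True)
class Obligations:
    individual_notice_due: date   # outer limit; "without unreasonable delay" still governs
    hhs_notice_due: date          # same day as individual notice, or the annual-log deadline
    hhs_annual_log: bool          # True -> may be logged and reported annually
    media_notice_states: tuple    # states/jurisdictions whose count exceeds 500


def obligations(b: Breach) -> Obligations:
    individual_due = b.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    # Media notice is evaluated per state, not on the total.
    media_states = tuple(sorted(
        s for s, n in b.affected_by_state.items() if n > MEDIA_STATE_THRESHOLD
    ))

    # HHS timing is evaluated on the total across all states.
    if b.total_affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs_due, annual = individual_due, False
    else:
        year_end = date(b.discovered.year, 12, 31)
        # 60 days after Dec 31 is March 1, or Feb 29 in a leap year.
        hhs_due, annual = year_end + timedelta(days=ANNUAL_LOG_DAYS), True

    return Obligations(individual_due, hhs_due, annual, media_states)


def obligations_for(discovered_iso: str, affected_by_state: dict) -> Obligations:
    """Convenience wrapper taking an ISO date string, e.g. '2025-02-10'."""
    return obligations(Breach(date.fromisoformat(discovered_iso), affected_by_state))


if __name__ == "__main__":
    # Constructed sample incidents, including the 300 + 300 case from the text.
    samples = {
        "600 total, 300 MA / 300 NH": ("2025-02-10", {"MA": 300, "NH": 300}),
        "501 residents of one state": ("2025-02-10", {"MA": 501}),
        "40 residents, small breach":  ("2025-06-01", {"TX": 40}),
    }
    for label, (when, counts) in samples.items():
        o = obligations_for(when, counts)
        print(f"{label}: individuals by {o.individual_notice_due}, "
              f"HHS by {o.hhs_notice_due} (annual log: {o.hhs_annual_log}), "
              f"media notice in {list(o.media_notice_states) or 'no state'}")
```

The `individual_notice_due` value is an outer limit, not a target; the "without unreasonable delay" standard means notifying earlier is expected once the affected population is known, and a deadline calculator should never be read as permission to wait the full 60 days.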
Can Covered Entities Delegate Breach Notices to Business Associates?
Yes. Business associates that discover a breach must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. One caveat matters for timing: if the business associate is acting as the covered entity's agent under the federal common law of agency, the business associate's discovery is imputed to the covered entity, so the covered entity's own 60-day clock starts when the business associate discovered the breach, not when it reported it. The covered entity retains primary responsibility for notifying individuals, but the parties can contractually agree that the business associate will provide the notices directly. That agreement must be explicit in the Business Associate Agreement.
In practice, delegation works well when the business associate has direct contact information for affected individuals and can deliver notices faster than routing everything through the covered entity. EHR vendors, billing platforms, and health information exchanges that handle data for multiple clients are common examples. If you’re using a patient portal solution like MHS Genesis, LabCorp’s patient portal, or a regional HIE with patient-facing access, confirm in your BAA exactly who holds notification responsibility and under what circumstances delegation applies.
“Business associates that experience a breach of protected health information must report the breach to the covered entity and may be contractually delegated to provide individual breach notifications directly.”
— National Library of Medicine, HIPAA Breach Notification Analysis
Patient Communication: Making Notifications Useful, Not Just Compliant
A breach notice that meets every legal requirement but reads like a legal disclaimer has failed half its purpose. Patients who receive impenetrable notices don’t take protective action. They don’t freeze their credit. They don’t monitor their accounts. Notification is only valuable when it informs.
Several practices make breach notices measurably more useful to patients:
- Lead with what was exposed in plain terms, “your name, date of birth, and diagnosis code were included in the file,” not “certain elements of PHI”
- Tell patients exactly what to do in three to five concrete steps, not a list of general recommendations
- Where appropriate, pre-enroll affected individuals in credit monitoring and include the access code in the letter
- Use the patient portal or patient gateway for supplemental communication, not as a substitute for mailed notice unless email consent is confirmed
- Follow up through secure messaging in the patient portal 30 days after the initial notice with a status update on remediation
- Provide a named point of contact alongside the required contact procedures (toll-free number, email, website, or postal address), rather than only a generic 800 number, to increase engagement and trust
Patient gateway systems, including platforms like the MGH Patient Gateway or Mayo Clinic’s patient portal, can support breach communication effectively when organizations have built out those communication workflows in advance. Organizations that treat their patient portal as a notification channel from the start, maintaining updated contact preferences and testing secure messaging workflows, have a measurable advantage when a breach event forces rapid communication. Organizations that discover their contact data is outdated in the middle of an incident face a much harder path. The HIT Community resource network has documented this pattern across multiple regional health systems, and the preparation gap is consistently the deciding factor in how smoothly notification proceeds.
Getting HIPAA breach notification right is not primarily a legal exercise. It’s an operational and communication challenge. The regulations set the floor. What you do above that floor determines whether your patients trust you after an incident or walk away from your practice. Invest in your breach response plan before you need it. Know your business associate agreements, document every risk assessment, and build patient notification into your patient gateway workflows now. The organizations that handle breaches with minimal reputational damage are the ones that treat this as infrastructure, not emergency response. Visit the HIT Community for implementation guides, peer-reviewed case studies, and templates from providers who have navigated exactly these situations.
