Instant downloadAuditor-writtenSecure Stripe checkout
HIPAA Breach Notification: Best 2026 Guide — ISO Toolkits

HIPAA Breach Notification: Best 2026 Guide

A HIPAA breach notification is the formal set of alerts a covered entity or business associate must send after protected health information (PHI) is compromised in a way that violates the HIPAA Privacy Rule. Under the US Health Insurance Portability and Accountability Act, these obligations are defined by the Breach Notification Rule and enforced by the HHS Office for Civil Rights (OCR). Getting the process right protects patients and reduces regulatory exposure.

This article explains who must notify, when, how, and what to document, with practical steps you can build into your incident response plan.

What triggers a HIPAA breach notification?

HIPAA defines a breach as the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of that information. “Unsecured” generally means PHI that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction meeting HHS guidance.

Not every impermissible use or disclosure automatically requires a HIPAA breach notification. The rule presumes a breach unless the organization demonstrates a low probability that PHI was compromised, based on a documented risk assessment.

The four-factor risk assessment

To rebut the presumption of a breach, you assess at least four factors and record your conclusions:

  • The nature and extent of the PHI involved, including identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom it was disclosed.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

Certain limited situations are excepted from the breach definition, such as good-faith, unintentional access by a workforce member acting within their authority, where the information is not further used or disclosed.

Who must be notified, and when

The Breach Notification Rule sets out distinct audiences and deadlines. Covered entities carry the primary notification duty; business associates must notify the covered entity so the entity can meet its obligations. These responsibilities should also be reflected in your Business Associate Agreements (BAAs).

RecipientWhen notice is requiredGeneral timing
Affected individualsAny breach of their unsecured PHIWithout unreasonable delay, and no later than 60 days after discovery
HHS Office for Civil Rights (large breaches)Breaches affecting 500 or more individualsWithout unreasonable delay, and no later than 60 days after discovery
HHS Office for Civil Rights (small breaches)Breaches affecting fewer than 500 individualsReported on an annual basis, within the timeframe HHS specifies after the calendar year ends
Prominent media outletsBreaches affecting more than 500 residents of a state or jurisdictionWithout unreasonable delay, and no later than 60 days after discovery
Covered entity (by a business associate)Breaches at or by the business associateWithout unreasonable delay, and no later than 60 days after discovery (or sooner if the BAA requires)

The clock generally starts when the breach is discovered, meaning the first day the organization knows, or by exercising reasonable diligence would have known, that it occurred.

What a HIPAA breach notification must contain

Individual notices should be written in plain language and, to the extent possible, include the core facts a person needs to protect themselves. At a minimum, aim to cover:

  • A brief description of what happened, including the dates of the breach and its discovery when known.
  • The types of PHI involved, such as names, diagnoses, financial data, or Social Security numbers.
  • Steps individuals can take to protect themselves from potential harm.
  • What the organization is doing to investigate, mitigate harm, and prevent recurrence.
  • Contact procedures, including a toll-free number, email, website, or postal address for questions.

Notices are usually sent by first-class mail, or by email where the individual has agreed to electronic notice. If contact information is out of date for a number of people, substitute notice methods such as a website posting or media notice may apply.

Documentation and the burden of proof

HIPAA places the burden of proof on the organization to show that required notifications were made, or that an impermissible use or disclosure did not rise to a reportable breach. Keep your risk assessments, timelines, notification copies, and delivery records. Strong documentation is often the difference between a defensible incident and an enforcement finding.

How the notification rule connects to the rest of HIPAA

Breach response does not stand alone. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI), plus a mandatory risk analysis that helps you identify vulnerabilities before they cause a breach. The Privacy Rule governs permitted uses and disclosures and the minimum-necessary standard, which shapes whether an event is even impermissible.

Encryption and secure destruction meeting HHS guidance can render PHI “secured,” which may remove an incident from the HIPAA breach notification requirements entirely. That is one reason safeguards and breach planning are best designed together.

Practical steps to prepare

  • Maintain a written incident response and breach notification procedure, and test it.
  • Define how “discovery” is logged so your 60-day clock is defensible.
  • Template your individual, media, and OCR notices in advance.
  • Confirm every vendor handling PHI has a current BAA with breach reporting terms.
  • Encrypt ePHI at rest and in transit to reduce reportable exposure.
  • Keep a mailing list and contact-update process for reliable individual notice.

Frequently asked questions

How long do I have to send a HIPAA breach notification?

Notifications to affected individuals must go out without unreasonable delay and no later than 60 calendar days after the breach is discovered. Breaches affecting 500 or more people also require OCR and media notice within that window, while smaller breaches are reported to OCR annually.

Is every impermissible disclosure a reportable breach?

No. HIPAA presumes a breach, but you can rebut that presumption with a documented four-factor risk assessment showing a low probability that PHI was compromised. Certain good-faith, internal access situations are also excepted.

Do business associates have to notify individuals directly?

Generally, a business associate notifies the covered entity of a breach, and the covered entity handles notification to individuals, OCR, and media. The exact division of duties should be spelled out in the BAA.

Does encryption remove the notification requirement?

If PHI is encrypted or destroyed to a standard meeting HHS guidance, it is considered “secured,” and its compromise typically does not trigger the Breach Notification Rule. Unencrypted, unsecured PHI does not receive this safe harbor.

This article is general guidance only and is not legal advice.

For the authoritative rules and current guidance, review the official HHS resource at HHS.gov HIPAA for Professionals.

HIPAA breach notification toolkit templates
The editable HIPAA Toolkit — breach notification procedures and notice letters.

Related guides

Our editable HIPAA (US) toolkit gives you ready-to-use breach notification procedures, risk assessment templates, and notice letters you can adapt in minutes. Get the HIPAA toolkit and make your incident response audit-ready.

Shopping Cart