The HIPAA Breach Notification Rule (45 CFR 164.400–414) requires covered entities and business associates to notify affected individuals within 60 calendar days of discovering a breach of unsecured protected health information (PHI). Any impermissible use or disclosure is presumed to be a breach unless a documented four-factor risk assessment (45 CFR 164.402) shows a low probability the PHI was compromised. Breaches affecting 500 or more individuals also trigger HHS and media notice within the same 60 days.
Key takeaways
- The clock is 60 calendar days from discovery — and “discovery” is the first day the breach is known, or would have been known through reasonable diligence, by any workforce member or agent (45 CFR 164.404(a)(2)).
- Every impermissible disclosure is presumed a breach. You avoid notification only by documenting a low probability of compromise via the four-factor test — or by showing an exception applies. The burden of proof is on you, and records must be kept for six years (45 CFR 164.414).
- 500 is two different counts. Media notice (164.406) turns on 500+ residents of a single state or jurisdiction; the contemporaneous HHS notice (164.408) turns on 500+ individuals in aggregate.
- Encryption is a genuine safe harbor. PHI rendered unusable per HHS-specified, NIST-validated methods is “secured” and its loss generally triggers no notice — unless the decryption keys were exposed too.
- HIPAA is a federal floor. All 50 states have concurrent breach-notification laws, several faster than 60 days, that are not preempted where stricter.
What the HIPAA Breach Notification Rule actually is (45 CFR 164.400–414)
The HIPAA Breach Notification Rule is Subpart D of the HIPAA regulations, codified at 45 CFR 164.400–414. It was added by the HITECH Act of 2009 and requires HIPAA-regulated organizations to notify affected people, the U.S. Department of Health and Human Services (HHS), and in some cases the media when unsecured protected health information is breached. It binds both covered entities (health plans, clearinghouses, and most healthcare providers) and their business associates — the vendors and subcontractors, including most B2B SaaS and cloud-hosted health platforms, that create, receive, maintain, or transmit PHI on a covered entity's behalf. If your product handles PHI, these obligations reach you through your business associate agreements and fall squarely within the scope of a HIPAA compliance audit.
Two design choices in the rule shape everything that follows. First, it applies only to unsecured PHI — PHI that has not been rendered unusable through an HHS-approved method (see the encryption safe harbor below). Second, it operates on a presumption of breach: an impermissible use or disclosure is assumed to require notification unless you can prove otherwise. That inverts the intuition many engineering teams start with. You are not asked to prove harm occurred; you are asked to prove the probability of compromise was low.
Breach vs. security incident vs. impermissible disclosure
These three terms are routinely conflated, and the distinction is a real compliance trap. A security incident under the Security Rule (45 CFR 164.308(a)(6)) is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations. Most incidents — a blocked port scan, a quarantined phishing email — are not breaches. A breach is a narrow subset: an impermissible use or disclosure of unsecured PHI that is presumed to compromise it. The four-factor risk assessment is the bridge between the two: it is how you decide whether a given incident crosses into breach territory.
| Attribute | Security incident (164.308(a)(6)) | Reportable breach (164.400–414) |
|---|---|---|
| Scope | Any unauthorized access or system interference, attempted or successful | Impermissible use/disclosure of unsecured PHI, presumed to compromise it |
| Trigger | Detection of the event by monitoring or report | Discovery of a breach of unsecured PHI |
| Notification | Internal handling per incident-response procedures | Individuals within 60 days; HHS and media per threshold |
| Documentation | Response and outcome logged | Four-factor assessment, decision, and notices retained 6 years |
The Security Rule's incident-response procedures (164.308(a)(6)) sit upstream of the Breach Notification Rule. If you are building those procedures, our HIPAA technical safeguards checklist covers the encryption and access controls that create the breach safe harbor, and the ongoing HIPAA Security Risk Assessment (45 CFR 164.308(a)(1)) is a separate, enterprise-wide exercise — not to be confused with the incident-specific four-factor breach assessment described here.
What counts as a “breach” under 45 CFR 164.402
Under 45 CFR 164.402, a breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. The operative clause, 164.402(2), then adds the presumption: such an impermissible use or disclosure “is presumed to be a breach unless the covered entity or business associate… demonstrates that there is a low probability that the [PHI] has been compromised” based on a risk assessment of at least four factors.
Unsecured vs. secured PHI and the encryption safe harbor
The rule reaches only unsecured PHI. Under the HITECH Act §13402(h) and the accompanying HHS Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable, PHI is “secured” only if it is encrypted using NIST-validated methods or destroyed per NIST media-sanitization guidance. When PHI is properly secured, its loss generally does not trigger notification — this is the encryption safe harbor. The critical caveat: the safe harbor fails if the decryption keys were exposed alongside the data, or if encryption was disabled or misconfigured.
| State of PHI | HHS-specified method | Meets “secured” safe harbor? | Notice if compromised? | Caveat |
|---|---|---|---|---|
| Data at rest, encrypted | NIST SP 800-111 (full-disk / file encryption) | Yes | Generally no | Fails if keys were also exposed |
| Data in transit, encrypted | FIPS 140-2/140-3 validated processes; NIST SP 800-52, 800-77 | Yes | Generally no | Fails if TLS misconfigured or downgraded |
| Media destroyed | NIST SP 800-88 media sanitization | Yes | No | Paper must be shredded/incinerated |
| Plaintext / redaction only | None (access controls, redaction, de-identification not sufficient as “secured”) | No | Yes — run the four-factor test | Encryption at rest but decrypted at time of access is unsecured |
The three exceptions to the definition of breach
Even for unsecured PHI, 45 CFR 164.402(1) carves out three exceptions where an impermissible use or disclosure is not a breach. If one applies, you do not reach the four-factor test at all — but you should still document why the exception was met.
| Exception | CFR cite | Plain-language scenario | Condition that must hold | Common misapplication |
|---|---|---|---|---|
| Good-faith workforce access | 164.402(1)(i) | A nurse opens the wrong patient's chart by mistake, then closes it | Unintentional, good faith, within scope of authority; no further impermissible use | Claiming it when the person had no authority to access PHI at all |
| Inadvertent internal disclosure | 164.402(1)(ii) | One authorized clinician forwards PHI to another authorized colleague in the same practice | Both persons authorized at the same CE, BA, or OHCA; no further impermissible use | Applying it across separate legal entities |
| Recipient could not retain | 164.402(1)(iii) | A mailing is opened and immediately returned unread, or a screen glimpse is fleeting | Good-faith belief the unauthorized recipient could not reasonably have retained the information | Assuming a lost laptop or emailed file “could not be retained” |
The four-factor risk assessment (45 CFR 164.402)
When an impermissible use or disclosure of unsecured PHI occurs and no exception applies, the presumption of breach stands unless you document a low probability of compromise across at least four factors. One important nuance HHS makes explicit: the full assessment is not required when PHI is obviously compromised — an entity may skip the analysis and go straight to notification. The four-factor test exists to justify not notifying, not to delay notice when the answer is already clear.
Factor 1 — nature and extent of the PHI and identifiers
Evaluate what data was involved and how identifiable it is: the specific identifiers (name, SSN, diagnosis, financial data), the sensitivity of the clinical information, and the likelihood the information could be re-identified. A spreadsheet of names with sensitive diagnoses raises probability; a list of appointment times without names lowers it.
Factor 2 — the unauthorized person
Consider who used the PHI or received the disclosure. Disclosure to another HIPAA-obligated entity (bound by its own duties) lowers probability; disclosure to an unknown external actor, or one with the ability and motive to re-identify data, raises it.
Factor 3 — whether PHI was actually acquired or viewed
Determine whether the PHI was in fact accessed, not merely exposed to the possibility of access. Forensic evidence that a stolen laptop was never powered on, or that a mailed packet was returned unopened, can support a low-probability finding. An open ransomware exfiltration channel points the other way.
Factor 4 — extent of mitigation
Assess the mitigation obtained — for example, satisfactory written assurances from the recipient that the PHI was destroyed or will not be further used or disclosed. Strong, verifiable mitigation lowers probability; unverifiable assurances carry little weight.
| # | Factor | What to evaluate | Raises probability | Lowers probability |
|---|---|---|---|---|
| 1 | Nature & extent of PHI | Identifiers involved, sensitivity, re-identification risk | SSNs, diagnoses, financial data | Limited, low-sensitivity data with no direct identifiers |
| 2 | Unauthorized person | Who received or used the PHI, and their obligations | Unknown external actor with motive | Another HIPAA-obligated entity |
| 3 | Actually acquired/viewed | Whether PHI was in fact accessed vs. merely exposed | Confirmed exfiltration or viewing | Forensics show no access (device never opened) |
| 4 | Extent of mitigation | Assurances of destruction / non-use obtained | No mitigation or unverifiable claims | Verified destruction, signed attestation |
Worked example: laptop loss, misdirected email, and ransomware side by side
The same framework yields very different answers. A lost laptop with full-disk encryption (NIST SP 800-111) and no exposed keys is secured — the safe harbor applies and you likely never reach the four factors. A misdirected email of unsecured PHI to a known, trusted partner who confirms deletion scores low on Factors 2 and 4 and may support a low-probability finding. A ransomware event with exfiltration of unencrypted records scores high on every factor: sensitive identifiers, an unknown hostile actor, confirmed acquisition, and no meaningful mitigation. HHS has stated that ransomware affecting unsecured ePHI is presumed a breach absent a demonstrated low probability of compromise — a high bar once data leaves your environment.
Notification obligations and deadlines at a glance
Once you conclude a breach occurred, the rule prescribes distinct recipients, triggers, and deadlines. Note the two different “500” counts: media notice under 164.406 turns on 500+ residents of a single state or jurisdiction, while the contemporaneous HHS notice under 164.408 turns on 500+ individuals in aggregate.
| Recipient | Trigger / threshold | Deadline | CFR section | Method |
|---|---|---|---|---|
| Affected individuals | Any breach of their unsecured PHI | Without unreasonable delay; ≤ 60 calendar days from discovery | 164.404 | Written notice by first-class mail (or email if agreed) |
| Prominent media | 500+ residents of one state/jurisdiction | Without unreasonable delay; ≤ 60 calendar days | 164.406 | Press release to media serving that state/jurisdiction |
| HHS Secretary (500+) | 500+ individuals in aggregate | Contemporaneously with individuals; ≤ 60 days | 164.408 | Electronic submission via the HHS breach portal |
| HHS Secretary (<500) | Fewer than 500 individuals | Annually; ≤ 60 days after calendar year-end (by March 1) | 164.408 | Annual log submitted via the HHS breach portal |
| Business associate → covered entity | BA discovers a breach | Without unreasonable delay; ≤ 60 days (BAA may shorten) | 164.410 | Notice to the covered entity per the BAA |
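As an added illustration (not code from the article or from Auditsuisse), the following Python helper encodes the decision order the sections above describe: the encryption safe harbor and its exposed-keys caveat, the three 164.402(1) exceptions, the documented four-factor outcome, and then the 60-day individual clock, the two distinct 500 counts, the annual HHS log, and the business associate window. The `Incident` record, its field names and the per-state counts are constructed assumptions for illustration, not an HHS or OCR artifact.

```python
# Added example (not from the original article): a small decision helper that
# applies the page's rules to a constructed incident record and returns the
# notification obligations and deadlines. Field names are illustrative assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_DAYS = 60   # 164.404: outer limit, counted from discovery
THRESHOLD = 500               # 164.406 (per state/jurisdiction) and 164.408 (aggregate)
ANNUAL_REPORT_DAYS = 60       # 164.408: <500 breaches, 60 days after calendar year-end
BA_NOTICE_DAYS = 60           # 164.410: BA to covered entity, unless the BAA shortens it


@dataclass
class Incident:
    discovered: date                        # first day known or knowable (164.404(a)(2))
    affected_by_state: Dict[str, int]       # constructed per-state counts, e.g. {"TX": 300}
    encrypted: bool                         # HHS-specified, NIST-validated method in use
    keys_exposed: bool = False              # safe harbor fails if keys went with the data
    exception: Optional[str] = None         # one of the three 164.402(1) exceptions, if met
    low_probability: Optional[bool] = None  # documented four-factor outcome; None = not run
    is_business_associate: bool = False
    baa_notice_days: int = BA_NOTICE_DAYS   # contractual window, may be shorter than 60


@dataclass
class Obligations:
    notify: bool
    reason: str
    individual_deadline: Optional[date] = None
    media_states: List[str] = field(default_factory=list)
    hhs_mode: Optional[str] = None          # "contemporaneous" or "annual"
    hhs_deadline: Optional[date] = None
    ba_to_ce_deadline: Optional[date] = None


def assess(inc: Incident) -> Obligations:
    """Walk the decision order: safe harbor, exceptions, four-factor result,
    then the notification thresholds and clocks."""
    # Step 1: secured PHI never reaches the breach definition (encryption safe harbor),
    # but only if the decryption keys were not exposed alongside the data.
    if inc.encrypted and not inc.keys_exposed:
        return Obligations(False, "secured PHI: encryption safe harbor applies")
    # Step 2: a 164.402(1) exception means it is not a breach; document why it was met.
    if inc.exception:
        return Obligations(False, f"exception {inc.exception} applies; document basis")
    # Step 3: the presumption of breach is rebutted only by a documented low probability.
    if inc.low_probability is True:
        return Obligations(False, "documented low probability of compromise; retain 6 years")
    # Step 4: presumption stands (assessment showed compromise, or was skipped because
    # compromise was obvious). Every clock runs from the discovery date.
    deadline = inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    ob = Obligations(True, "presumption of breach stands; notify", individual_deadline=deadline)
    # Media notice (164.406): 500+ residents of any single state or jurisdiction.
    ob.media_states = sorted(s for s, n in inc.affected_by_state.items() if n >= THRESHOLD)
    # HHS notice (164.408): 500+ in aggregate is contemporaneous with individual notice;
    # fewer than 500 goes on the annual log due 60 days after the calendar year ends.
    if sum(inc.affected_by_state.values()) >= THRESHOLD:
        ob.hhs_mode, ob.hhs_deadline = "contemporaneous", deadline
    else:
        year_end = date(inc.discovered.year, 12, 31)
        ob.hhs_mode = "annual"
        ob.hhs_deadline = year_end + timedelta(days=ANNUAL_REPORT_DAYS)  # March 1 in non-leap years
    # Business associate (164.410): notify the covered entity within the BAA window,
    # never later than 60 days. This is the BA's own clock, not the covered entity's.
    if inc.is_business_associate:
        window = min(inc.baa_notice_days, BA_NOTICE_DAYS)
        ob.ba_to_ce_deadline = inc.discovered + timedelta(days=window)
    return ob


if __name__ == "__main__":
    # Constructed incident: ransomware with exfiltration of unencrypted records,
    # 700 Texas residents and 300 California residents, handled by a BA with a 10-day BAA.
    print(assess(Incident(date(2026, 3, 2), {"TX": 700, "CA": 300}, encrypted=False,
                          is_business_associate=True, baa_notice_days=10)))
```

Running the constructed ransomware case shows media notice only for Texas (the single-state count) while the HHS notice is contemporaneous (the aggregate count), which is exactly the two-count distinction the table above draws.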
Notifying affected individuals — the 60-day rule and required letter content (164.404)
Under 45 CFR 164.404, individual notice must go out without unreasonable delay and in no case later than 60 calendar days after discovery. Crucially, a breach is “discovered” on the first day it is known, or would have been known through the exercise of reasonable diligence, by any workforce member or agent (164.404(a)(2)) — you cannot restart the clock by looking away. The notice content is prescribed by 164.404(c).
| Element | CFR cite | Notes |
|---|---|---|
| Brief description of what happened + dates | 164.404(c)(1)(A) | Include date of breach and date of discovery if known |
| Types of unsecured PHI involved | 164.404(c)(1)(B) | e.g., name, SSN, diagnosis, account number |
| Steps individuals should take | 164.404(c)(1)(C) | How to protect themselves from harm |
| What the entity is doing | 164.404(c)(1)(D) | Investigation, mitigation, prevention of recurrence |
| Contact procedures | 164.404(c)(1)(E) | Toll-free number, email, website, or postal address |
The 500-individual threshold — media notice (164.406) and contemporaneous HHS notice (164.408)
For a breach affecting 500 or more residents of a state or jurisdiction, 164.406 requires notifying prominent media outlets serving that area, within the same 60-day window. Separately, 164.408 requires that breaches affecting 500 or more individuals in aggregate be reported to HHS contemporaneously with individual notice. These 500+ breaches are then published on the public HHS OCR Breach Portal — informally the “Wall of Shame” — which lists the entity, dates, number affected, breach type, and location of the breached information.
Breaches under 500 — annual HHS reporting by March 1 (164.408)
For breaches affecting fewer than 500 individuals, HHS may be notified on an annual basis, no later than 60 days after the end of the calendar year in which the breaches were discovered — in practice, by March 1. Individual notice for these smaller breaches is still due within the standard 60 days; only the HHS report is deferred.
When a business associate has the breach (164.410)
A business associate must notify the affected covered entity without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.410); most BAAs contractually shorten this. Who starts the covered entity's 60-day clock depends on agency: if the BA is the covered entity's agent (under the federal common law of agency), the BA's discovery is imputed to the covered entity, so its clock starts then. If the BA is an independent contractor, the covered entity's clock generally starts when it is actually notified. This distinction is often glossed over and matters enormously for cloud vendors — see our guidance on breach obligations for BAs and cloud-hosted health apps.
Substitute notice, law-enforcement delay (164.412), and the 6-year burden-of-proof rule (164.414)
Where 10 or more individuals have insufficient or out-of-date contact information, 164.404(d) requires substitute notice: a conspicuous website posting for 90 days or notice in major print/broadcast media, plus a toll-free number active at least 90 days. Under 164.412, notification may be delayed if a law-enforcement official states that notice would impede an investigation. And under 164.414 (with 164.530(j)), the burden of proof that notification was not required — or that an exception applied — rests on the covered entity or business associate, and all risk assessments and decisions must be documented and retained for six years.
The incident-to-notification decision clock, day by day
The 60-day maximum is not a target; it is an outer limit. Enterprise buyers and OCR both look for evidence of a disciplined, documented sequence. The timeline below assumes a mid-size breach where the four-factor assessment concludes notification is required.
| Day (from discovery) | Required action | Owner | CFR cite |
|---|---|---|---|
| Day 0 | Discovery: event known or knowable via reasonable diligence; contain and preserve evidence | Security / IR lead | 164.404(a)(2), 164.308(a)(6) |
| Days 1–3 | Confirm unsecured PHI involved; check encryption safe harbor and exceptions | Privacy officer | 164.402, 164.402(1) |
| Days 3–10 | Run and document the four-factor risk assessment; decide notify vs. low-probability | Privacy officer + counsel | 164.402(2) |
| Days 10–20 | Determine thresholds (500 aggregate; 500 per jurisdiction); check state-law deadlines | Counsel | 164.406, 164.408 |
| Days 20–55 | Draft and send individual letters; prepare media release and HHS submission if 500+ | Comms + privacy officer | 164.404(c), 164.406 |
| ≤ Day 60 | Individual notice sent; HHS notified (contemporaneous if 500+); log for annual filing if <500 | Privacy officer | 164.404, 164.408 |
| Ongoing | Remediate root cause; retain assessment and notices for 6 years | Security + compliance | 164.414, 164.530(j) |
What OCR looks for — and the cost of getting it wrong
Enforcement of the Breach Notification Rule sits with the HHS Office for Civil Rights (OCR). Investigations frequently follow a portal filing, a patient complaint, or media coverage, and OCR's recurring themes are consistent: no timely notice, no or inadequate risk analysis, missing encryption, and weak access controls. The public breach portal makes large breaches visible to customers and competitors alike, and it has anchored some of the largest incidents on record — the Change Healthcare breach reported in 2024, which affected on the order of 190 million individuals after attackers reached a server that lacked multi-factor authentication, is the canonical modern example of how a single unremediated control gap becomes a headline event.
Civil monetary penalties are tiered by culpability and adjusted annually for inflation. Effective January 28, 2026 (Federal Register 2026-01688), the inflation-adjusted amounts are as follows.
| Tier | Culpability standard | Per-violation minimum | Per-violation maximum | Effective annual cap* |
|---|---|---|---|---|
| Tier 1 | Did not know (and would not have known with reasonable diligence) | $145 | $73,011 | $25,000 (per 2019 discretion) |
| Tier 2 | Reasonable cause, not willful neglect | $1,461 | $73,011 | $100,000 (per 2019 discretion) |
| Tier 3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 | $250,000 (per 2019 discretion) |
| Tier 4 | Willful neglect, not corrected | $73,011 | $73,011 | $2,190,294 |
*A critical caveat that is often missed: OCR's 2019 Notice of Enforcement Discretion — which OCR has not rescinded — caps the annual penalty for Tiers 1 through 3 at $25,000, $100,000, and $250,000 respectively per identical provision. So the headline statutory cap of $2,190,294 effectively applies only to Tier 4 (uncorrected willful neglect). Beyond penalties, OCR resolutions typically require a multi-year corrective action plan, and several recent OCR settlements have specifically targeted HIPAA violations that enabled ransomware.
HIPAA vs. state breach-notification laws: a floor, not a ceiling
A HIPAA-only response can still miss a legal deadline, because HIPAA is a federal floor, not a ceiling. All 50 states have their own data-breach notification statutes that run concurrently with HIPAA and are not preempted where they are stricter. Several impose faster clocks than 60 days — commonly “without unreasonable delay” with hard outer limits of 30 to 45 days — and many require notifying the state attorney general (and sometimes state regulators or consumer-reporting agencies) once a threshold count is reached. Some cover categories of personal data that HIPAA does not. For a US B2B or healthtech company, the practical rule is to map the residency of every affected individual and satisfy the strictest applicable clock, then meet HIPAA's requirements on top of that.
How this connects to HIPAA in 2026: the Security Rule NPRM and recent case law
Two 2025 developments frame the current state of HIPAA and should inform any 2026 breach-readiness program — but both must be stated precisely, because neither has changed the operative rules yet.
On January 6, 2025, OCR published a Notice of Proposed Rulemaking (NPRM) to modernize the Security Rule. The proposal would make all implementation specifications mandatory (removing the “addressable” distinction) and expressly require encryption of ePHI at rest and in transit, multi-factor authentication, asset inventories, six-month vulnerability scans, annual penetration testing, and 72-hour restoration of critical systems. The comment period closed March 7, 2025, and OCR received roughly 4,700 comments. As of mid-2026, this remains a proposal — no final rule has issued, and a Spring 2026 target on the regulatory agenda passed without publication. Treat it as a strong signal of direction, not a current obligation, and avoid any assumption of an effective date.
Separately, the 2024 HIPAA Reproductive Health Privacy Rule — which had added attestation and disclosure requirements — was vacated nationwide on June 18, 2025 in Purl v. HHS (N.D. Tex.), so those specific requirements are no longer mandatory. Any 2026 guidance that still treats that rule as binding is out of date.
Breach notification across frameworks: HIPAA vs. GDPR vs. SOC 2
If you sell into both US healthcare and EU markets, you will juggle more than one breach regime at once. They differ not just in clock length but in the trigger standard and who starts the clock. For a deeper mapping, see how HIPAA breach notification compares to GDPR's 72-hour rule and SOC 2 incident response.
| Dimension | HIPAA (164.400–414) | GDPR (Art. 33/34) | SOC 2 (Trust Services Criteria) |
|---|---|---|---|
| Trigger standard | Presumption of breach; rebut with low probability of compromise | “Risk to the rights and freedoms” of individuals | Control commitments in the system description |
| Clock start | Discovery (knowable via reasonable diligence) | Awareness of the breach | Per your own documented policy |
| Deadline to regulator | 60 days (500+); annual if <500 | 72 hours to the supervisory authority (GDPR Art. 33) | No statutory deadline; tested against commitments |
| Processor / vendor timing | BA: ≤ 60 days to covered entity (164.410) | Processor: “without undue delay” to controller | Per contractual and control obligations |
| Nature | Legal obligation | Legal obligation | Attestation of SOC 2 incident response controls (CC7.3, CC7.4, CC7.5) |
A defensible breach-response readiness checklist (auditor's view)
From the perspective of a firm that tests these controls, a defensible program looks the same across clients. It has a written incident-response procedure (164.308(a)(6)) that names owners and hands off cleanly to a breach-assessment workflow. It encrypts ePHI at rest and in transit using NIST-validated methods and manages keys separately, so the safe harbor holds. It maintains a template four-factor assessment so no one improvises under pressure, and it retains every assessment and decision for six years. It keeps a current inventory of business associates with BAAs that shorten the 60-day notice window and clarify agent status. And it pre-maps state-law deadlines and attorney-general notice triggers for the states where its users reside. Test each of these before an incident, not during one.
Frequently asked questions
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule (45 CFR 164.400–414) requires covered entities and business associates to notify affected individuals, HHS, and sometimes the media when unsecured protected health information is breached. An impermissible use or disclosure is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised.
What is the deadline to report a HIPAA breach?
Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after a breach is discovered (45 CFR 164.404). Breaches affecting 500 or more individuals must be reported to HHS and prominent media within the same 60 days. Breaches under 500 are reported to HHS annually, within 60 days of the calendar year's end, in practice by March 1.
What are the four factors in a HIPAA breach risk assessment?
Under 45 CFR 164.402, the four factors are: (1) the nature and extent of the PHI, including identifiers and re-identification risk; (2) the unauthorized person who used or received it; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. Together they determine the probability that the PHI was compromised.
When does a HIPAA breach have to be reported to HHS (the 500 rule)?
A breach affecting 500 or more individuals must be reported to HHS at the same time as individuals, within 60 calendar days of discovery, and appears on the public OCR Breach Portal. Breaches affecting fewer than 500 individuals may be logged and reported to HHS once a year, no later than 60 days after the end of the calendar year in which they were discovered.
What is the difference between a HIPAA security incident and a breach?
A security incident (45 CFR 164.308(a)(6)) is any attempted or successful unauthorized access, use, or disruption of a system, and most are not reportable. A breach (45 CFR 164.402) is a subset: an impermissible use or disclosure of unsecured PHI that is presumed to compromise it unless a four-factor risk assessment proves a low probability of compromise.
What is the HIPAA encryption safe harbor?
If PHI is rendered unusable, unreadable, or indecipherable through HHS-specified, NIST-validated encryption or destruction, it is secured, and its loss generally does not trigger breach notification. The safe harbor does not apply if the decryption keys were exposed alongside the data or if encryption was disabled or misconfigured.
Who must notify whom when a business associate has a breach?
A business associate must notify the affected covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.410); the business associate agreement often shortens this. The covered entity then notifies individuals, HHS, and media as required, so business associate delays can consume the covered entity's own 60-day clock.
Do state breach-notification laws also apply?
Usually yes. HIPAA is a federal floor, not a ceiling. All 50 states have their own breach-notification statutes that run concurrently with HIPAA and are not preempted where they are stricter. Several require faster notice, often 30 to 45 days, and some require notifying the state attorney general, so a HIPAA-only response can still miss a state deadline.
Sources & further reading
- U.S. Department of Health & Human Services — Breach Notification Rule (overview of 45 CFR 164.400–414, the four-factor assessment, and exceptions).
- eCFR — 45 CFR Part 164, Subpart D (Notification in the Case of Breach of Unsecured PHI), including §§164.402, 164.404, 164.406, 164.408, 164.410, 164.412, 164.414.
- HHS OCR — Breach Portal: Notice to the Secretary of HHS Breach of Unsecured PHI.
- Federal Register — HIPAA Security Rule NPRM (proposed, Jan. 6, 2025).
Is your breach-response plan defensible?
Auditsuisse is a US & Swiss licensed CPA firm. We test whether your incident-response procedures, encryption safe harbor, and four-factor workflow would hold up under OCR scrutiny — see our HIPAA compliance audit services or book a scoping call.