Understanding the HIPAA Breach Notification Rule

By Devon Quick February 11, 2026 10 min read

What Every Healthcare Practice Needs to Know — Before It’s Too Late

If you work in healthcare, you’ve heard the term “HIPAA breach” tossed around. But do you know exactly what triggers the legal obligation to notify patients, the government, and potentially the media? And do you know what happens if you don’t?

The HIPAA Breach Notification Rule is one of the most consequential — and commonly misunderstood — components of HIPAA compliance. This post breaks down exactly how the rule works, what it requires, and what real-world failures have cost organizations that got it wrong.

What Is the HIPAA Breach Notification Rule?

Established under the Health Information Technology for Economic and Clinical Health (HITECH) Act and codified in the HIPAA Omnibus Rule, the Breach Notification Rule (45 CFR §§ 164.400–414) requires covered entities and their business associates to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases the media, whenever unsecured Protected Health Information (PHI) is impermissibly used or disclosed.

The Office for Civil Rights (OCR) within HHS is responsible for enforcing the rule. Since the Privacy Rule’s compliance date in April 2003, OCR has received over 374,000 HIPAA complaints and has investigated and resolved more than 31,000 cases requiring corrective actions. (Source: HHS.gov, Enforcement Highlights)

What Counts as a “Breach”?

Not every security incident is a reportable breach. Under HIPAA, a breach is defined as an impermissible use or disclosure of PHI that poses a significant risk of financial, reputational, or other harm to the affected individual.

Three key factors determine whether an incident qualifies:

  1. Nature and extent of the PHI involved — Was the information sensitive enough to cause harm if disclosed?
  2. Who accessed the PHI — Did an unauthorized person view or acquire the data?
  3. Whether the PHI was actually acquired or viewed — Losing a device isn’t automatically a breach if there’s strong evidence the data was never accessed.

Exceptions to the Breach Definition

Not all impermissible disclosures require notification. HIPAA identifies three exceptions under §164.402:

  • Unintentional access by a workforce member acting in good faith within their scope of employment
  • Inadvertent disclosure between two authorized persons within the same organization
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information (e.g., a misdirected fax that was immediately destroyed)

Organizations that can document one of these exceptions may be able to avoid the full notification process — saving time, money, and reputational harm. However, the burden of proof falls on the covered entity.

The Four-Part Risk Assessment

When a potential breach occurs, HIPAA requires a four-factor risk assessment to determine whether notification is necessary:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. Who used the information or to whom it was disclosed
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk has been mitigated (e.g., confidentiality agreements, return or destruction of the data)

If this assessment cannot demonstrate a low probability that the PHI was compromised, the incident must be treated as a reportable breach.

Who Must Be Notified — and When

The Breach Notification Rule establishes three tiers of notification, each with specific requirements.

1. Individual Notification (Always Required)

Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Notification must be in writing — first-class mail is the default — and must include:

  • A description of what happened, including the date of the breach and the date of discovery
  • The types of PHI involved
  • Steps individuals should take to protect themselves
  • What the covered entity is doing to investigate, mitigate harm, and prevent future breaches
  • Contact information for individuals to ask questions

If contact information is outdated for 10 or more individuals, a substitute notice must be posted on the organization’s website or published in major print or broadcast media.

2. HHS Notification (Always Required)

All breaches must be reported to HHS through the OCR Breach Portal. The timing depends on the scale:

  • Breaches affecting 500 or more individuals must be reported to HHS contemporaneously (within the same 60-day window as individual notification)
  • Breaches affecting fewer than 500 individuals may be logged and reported to HHS annually — no later than 60 days after the end of the calendar year in which they occurred

Breaches of 500 or more are publicly listed on OCR’s Breach Portal, sometimes called the “Wall of Shame,” which is updated regularly and searchable by the public.

3. Media Notification (Conditional)

If a breach affects 500 or more residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets in that area. This is often the requirement that catches organizations most off guard — a data breach can become a news story not by choice, but by law.

Penalties for Non-Compliance

The consequences for violating the Breach Notification Rule — whether by failing to notify at all or by notifying too late — can be severe. Civil penalties are tiered based on culpability:

  Tier   Description                               Penalty per Violation
  1      Did not know and could not have known     $100 – $50,000
  2      Reasonable cause, not willful neglect     $1,000 – $50,000
  3      Willful neglect, corrected                $10,000 – $50,000
  4      Willful neglect, not corrected            $50,000+

(Note: Penalty amounts are adjusted annually for inflation. As of 2024, the maximum per-violation penalty reaches over $2 million. Source: HIPAA Journal)

In addition to federal enforcement, state attorneys general can impose their own fines, which in some states can reach $10,000 per affected individual. Criminal penalties for intentional violations can include fines up to $250,000 and up to 10 years in prison.

Real-World Examples

Abstract rules become much more concrete when you see what non-compliance actually costs.

Anthem, Inc. (2015 Breach, $16M Settlement)

In 2015, a spear-phishing attack on a subsidiary gave attackers access to the ePHI of nearly 79 million individuals — one of the largest healthcare data breaches in history. OCR’s investigation found that Anthem had failed to conduct an enterprise-wide risk analysis, monitor system activity, or implement adequate access controls. Anthem ultimately paid $16 million to OCR and $115 million to settle a class-action lawsuit. (Source: Secureframe, HIPAA Violation Examples)

Montefiore Medical Center (2024, $4.75M Settlement)

An employee at Montefiore Medical Center was found to have unlawfully accessed and sold the PHI of at least 16,517 patients to an identity theft ring. OCR’s investigation revealed the breach had been occurring for nearly two years before it was discovered — raising serious questions about the organization’s access monitoring controls. The settlement totaled $4.75 million. (Source: networkintelligence.ai, HIPAA Enforcement Rule)

Blackbaud, Inc. (2020 Ransomware Breach, $49.5M Multistate Settlement)

Blackbaud, a software vendor serving thousands of nonprofits and healthcare organizations, suffered a ransomware attack in 2020 that resulted in data exfiltration before encryption. After paying the ransom, the company initially understated the extent of the breach in its public communications. The eventual settlement reached $49.5 million across multiple states, with California alone extracting $6.75 million. Regulators cited deficient security controls and inaccurate breach notifications as key violations. (Source: chartrequest.com, Top HIPAA Fines of 2024 and 2025)

Oklahoma State University – Center for Health Sciences (Hacking Breach)

OSU-CHS paid $875,000 to settle a breach resulting from a hacking incident that compromised the PHI of more than 14,000 patients. The case underscored how even mid-sized academic healthcare organizations are not immune to enforcement. (Source: Healthcare Compliance Pros)

Special Considerations for Small Practices

If you run a small healthcare practice, you might assume that OCR focuses its enforcement on large hospital systems and insurers. That’s a dangerous assumption. OCR actively investigates smaller providers, and the “Wall of Shame” is full of dental practices, small clinics, and solo providers who faced significant penalties.

A few realities for small practices to keep in mind:

You still have the 60-day clock. Whether you have 5 employees or 5,000, the notification timeline is the same. Having no dedicated compliance officer doesn’t pause the clock.

Business associates are on the hook too. If your EHR vendor, billing company, or any other business associate suffers a breach involving your patients’ PHI, they must notify you, and you are still responsible for notifying affected individuals. Having a solid Business Associate Agreement (BAA) in place — and understanding what it requires of each party — is essential.

Small breaches add up. Incidents involving fewer than 500 individuals can be logged and reported annually, but they must still be reported. Many small practices incorrectly assume that small incidents “don’t count.”

Encryption is your best friend. Unencrypted PHI on a stolen laptop is almost always a reportable breach. Properly encrypted data that is lost or stolen may not be — because encrypted data is considered “secured” PHI under HIPAA and falls outside the breach notification requirements entirely.

A Practical Breach Response Checklist

When a suspected breach occurs, acting quickly and methodically is everything. Here’s a simplified response framework:

  1. Contain the incident — Isolate affected systems, revoke compromised credentials, and stop the bleeding
  2. Conduct a risk assessment — Apply the four-factor test to determine whether the incident constitutes a reportable breach
  3. Document everything — Timestamps, decisions made, and the reasoning behind them matter enormously if OCR comes calling
  4. Notify affected individuals — Within 60 days, via first-class mail, using HIPAA-compliant notification content
  5. Report to HHS — Via the OCR Breach Portal, on the timeline appropriate to the size of the breach
  6. Notify media if required — For breaches affecting 500+ residents of a single state
  7. Review and remediate — Use the breach as a forcing function to strengthen your security posture

The Bottom Line

The HIPAA Breach Notification Rule exists to protect patients — but it also protects your practice. An organization that discovers a breach, responds swiftly, notifies appropriately, and documents its actions is in a fundamentally different legal position than one that delays, minimizes, or ignores the incident.

Some organizations have delayed notifying individuals about data breaches, increasing the risk of individuals’ data being used to commit identity theft or fraud before individuals have the opportunity to protect themselves. OCR takes those delays seriously. 2024 was one of the busiest years for HIPAA enforcement on record, with 22 investigations resulting in civil monetary penalties or settlements.

The trend is clear: enforcement is increasing, breaches are more frequent, and the cost of getting it wrong continues to climb. Building a culture of proactive compliance — not reactive damage control — is the only reliable path forward.
