Incident Command Platform

HIPAA Breach Notification Guide: The 60-Day Rule Explained

By Mark Lynd. Published April 11, 2026. 10 min read.

The HIPAA breach notification rule requires covered entities and their business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured protected health information (PHI). The 60-day rule establishes the outer boundary for individual notification: covered entities must notify affected individuals no later than 60 calendar days after discovering a breach. This guide covers the notification triggers, risk assessment methodology, tiered notification requirements, and the documentation that OCR investigators expect to find.

What triggers the HIPAA breach notification requirement?

Under HIPAA, a breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. The Breach Notification Rule (45 CFR 164.400-414) presumes that any impermissible use or disclosure of PHI is a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised based on a risk assessment.

The risk assessment considers four factors: the nature and extent of the PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated. Only if the assessment demonstrates a low probability of compromise can the entity avoid notification. The burden of proof rests on the covered entity.

Three exceptions exist where an impermissible use or disclosure does not constitute a breach: unintentional acquisition by a workforce member acting in good faith and within scope, inadvertent disclosure between authorized persons at the same entity, and situations where the recipient could not reasonably retain the information.

How does the four-factor risk assessment work?

The four-factor risk assessment required by 45 CFR 164.402(2) is the most critical step in the breach determination process. Each factor must be evaluated and documented, regardless of the outcome.

| Factor | Assessment questions | Higher-risk indicators |
| --- | --- | --- |
| Nature and extent of PHI | What types of identifiers were involved? How many records? | SSN, financial data, clinical diagnoses, mental health records |
| Unauthorized person | Who received or accessed the PHI? Are they a covered entity? | Unknown external party, competitor, public exposure |
| Actual acquisition or viewing | Was the PHI actually viewed, or only potentially accessible? | Confirmed viewing, data exfiltration, downloaded files |
| Mitigation extent | What steps were taken to reduce the risk? | Unable to contact recipient, data already shared further |

Documentation requirement: The risk assessment must be documented even when you determine that notification is not required. OCR investigators routinely request these assessments during audits and complaint investigations. A CIRM platform that captures the assessment in a defensible record provides the evidence trail that OCR expects.

What are the tiered notification requirements based on breach size?

HIPAA imposes different notification procedures depending on the number of individuals affected. Understanding these tiers is essential for planning your response.

For breaches affecting 500 or more individuals in a state or jurisdiction, three notifications are required: individual notice within 60 days, HHS notification within 60 days via the HHS breach portal, and prominent media notification to major media outlets serving the affected state or jurisdiction. These breaches are posted on the HHS "Wall of Shame" — the publicly searchable HHS Breach Portal.

For breaches affecting fewer than 500 individuals, individual notice is still required within 60 days, but HHS notification may be submitted annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Media notification is not required for smaller breaches.

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. The business associate agreement may specify shorter timelines, and many covered entities now require 24- to 48-hour notification from their business associates.
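The tier logic above is easy to get wrong under pressure, so here is a small planner that turns a discovery date and per-jurisdiction headcounts into the set of notices owed and their due dates. This is an added example, not code from the guide or from IR-OS; the thresholds and windows are the ones stated above (60 calendar days, the 500-individual threshold, the annual HHS log due 60 days after year end), and the data shapes (`BreachFacts`, `NotificationPlan`, the `baa_notice_days` field) are assumptions made for the example. It also handles one edge the text implies but does not spell out: a breach whose total crosses 500 while no single state does, which needs contemporaneous HHS notice but no media notice.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Windows and thresholds as stated in the guide above.
OUTER_LIMIT_DAYS = 60          # individual and HHS notice: no later than 60 calendar days after discovery
LARGE_BREACH_THRESHOLD = 500   # 500 or more individuals
ANNUAL_LOG_GRACE_DAYS = 60     # smaller breaches: HHS log due 60 days after the end of the calendar year


@dataclass
class BreachFacts:
    discovered_on: date
    # Affected individuals counted per state/jurisdiction (constructed input shape for this example).
    affected_by_jurisdiction: dict[str, int]
    # Shorter notice window the business associate agreement imposes, in days;
    # None when the BAA is silent and only the regulatory 60-day limit applies.
    baa_notice_days: int | None = None


@dataclass
class NotificationPlan:
    total_affected: int
    individual_notice_due: date
    hhs_notice_due: date
    hhs_route: str                       # "breach portal within 60 days" or "annual log"
    media_notice_jurisdictions: list[str] = field(default_factory=list)
    ba_to_covered_entity_due: date | None = None


def hipaa_notification_plan(facts: BreachFacts) -> NotificationPlan:
    """Derive which HIPAA notices are owed, and by when, from discovery date and headcounts."""
    counts = facts.affected_by_jurisdiction
    if not counts or any(n < 0 for n in counts.values()):
        raise ValueError("need at least one jurisdiction with a non-negative count")

    total = sum(counts.values())
    outer_limit = facts.discovered_on + timedelta(days=OUTER_LIMIT_DAYS)

    # Media notice is owed in each state/jurisdiction that individually meets the threshold.
    media = sorted(j for j, n in counts.items() if n >= LARGE_BREACH_THRESHOLD)

    # The HHS route is driven by the total headcount: contemporaneous portal submission for
    # 500+, otherwise the annual log due 60 days after the end of the discovery year.
    if total >= LARGE_BREACH_THRESHOLD:
        hhs_due, hhs_route = outer_limit, "breach portal within 60 days"
    else:
        year_end = date(facts.discovered_on.year, 12, 31)
        hhs_due, hhs_route = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS), "annual log"

    # A business associate owes the covered entity notice by the earlier of the regulatory
    # limit and any shorter window written into the BAA.
    ba_due = outer_limit
    if facts.baa_notice_days is not None:
        ba_due = min(outer_limit, facts.discovered_on + timedelta(days=facts.baa_notice_days))

    return NotificationPlan(total, outer_limit, hhs_due, hhs_route, media, ba_due)


def plan_from_iso(discovered: str, affected_by_jurisdiction: dict[str, int],
                  baa_notice_days: int | None = None) -> NotificationPlan:
    """Convenience wrapper taking an ISO date string (e.g. "2026-04-11")."""
    facts = BreachFacts(date.fromisoformat(discovered), dict(affected_by_jurisdiction), baa_notice_days)
    return hipaa_notification_plan(facts)


if __name__ == "__main__":
    # Constructed scenarios: one large breach, one small one, one that is large only in total.
    for label, counts, baa in (
        ("large", {"TX": 620, "OK": 40}, 2),
        ("small", {"TX": 120}, None),
        ("large in total only", {"TX": 300, "OK": 300}, None),
    ):
        plan = plan_from_iso("2026-04-11", counts, baa)
        print(f"{label}: {plan}")
```

Run it and compare the three printed plans: the first owes media notice in TX only, the second goes on the annual log due 1 March 2027, and the third owes contemporaneous HHS notice with no media notice anywhere.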

What must the individual notification letter contain?

The Breach Notification Rule specifies the content that individual notification letters must include. Missing any required element can trigger an OCR enforcement action independent of the breach itself.

The notification must be written in plain language. For individuals whose contact information is insufficient or out of date, substitute notice procedures apply, including a toll-free number for 90 days and, for breaches affecting more than 10 individuals, conspicuous posting on the entity's website or in major media.

How does the HIPAA timeline compare to other regulatory deadlines?

Organizations subject to HIPAA often face overlapping notification requirements from other regulations. Understanding these parallel timelines prevents an organization from meeting one deadline while missing another.

| Regulation | Notification deadline | Notification recipient |
| --- | --- | --- |
| HIPAA | 60 calendar days from discovery | Individuals, HHS, media (if 500+) |
| GDPR Article 33 | 72 hours from awareness | Supervisory authority |
| SEC Item 1.05 | 4 business days from materiality determination | SEC via 8-K filing |
| State breach laws | Varies (24 hours to 90 days) | State AG, individuals |
| DORA (EU) | 4 hours initial, 72 hours intermediate | Financial supervisory authority |

A healthcare organization that processes EU patient data could face simultaneous HIPAA and GDPR notification obligations with dramatically different timelines. The IR-OS regulatory deadline tracker manages these overlapping windows in a single dashboard, ensuring no deadline is missed regardless of jurisdictional complexity.
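The practical difficulty with the table above is that each regime counts from a different event and in a different unit (calendar days, hours, business days), so the earliest deadline is rarely the HIPAA one. The following is an added example of that computation, not IR-OS code or anything from the guide: it takes the clock-start event for each applicable regime, applies the durations from the table, and returns the deadlines earliest first. Assumptions made for the example: the DORA clocks are started from the caller-supplied `dora_classification` timestamp, the state-law window is passed in by the caller since it varies by state, and business days skip only weekends (a real tracker needs an exchange-holiday calendar).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Deadline:
    regulation: str
    recipient: str
    due: datetime


def business_days_after(start: datetime, days: int) -> datetime:
    """Advance `days` weekdays from `start`, skipping Saturdays and Sundays only.
    Exchange holidays are deliberately not modelled here (assumption for the example)."""
    current, counted = start, 0
    while counted < days:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday=0 .. Friday=4
            counted += 1
    return current


def regulatory_deadlines(
    hipaa_discovery: datetime,
    gdpr_awareness: datetime | None = None,
    sec_materiality: datetime | None = None,
    dora_classification: datetime | None = None,
    state_law: tuple[str, int, str] | None = None,   # (state, window in days, recipient)
) -> list[Deadline]:
    """Compute each applicable deadline from its own clock-start event, earliest first.
    Durations follow the comparison table above; the caller supplies the start events."""
    deadlines = [Deadline("HIPAA", "Individuals, HHS, media (if 500+)",
                          hipaa_discovery + timedelta(days=60))]
    if gdpr_awareness is not None:
        deadlines.append(Deadline("GDPR Article 33", "Supervisory authority",
                                  gdpr_awareness + timedelta(hours=72)))
    if sec_materiality is not None:
        deadlines.append(Deadline("SEC Item 1.05", "SEC via 8-K filing",
                                  business_days_after(sec_materiality, 4)))
    if dora_classification is not None:
        authority = "Financial supervisory authority"
        deadlines.append(Deadline("DORA initial", authority, dora_classification + timedelta(hours=4)))
        deadlines.append(Deadline("DORA intermediate", authority, dora_classification + timedelta(hours=72)))
    if state_law is not None:
        state, days, recipient = state_law
        # Assumption: the state clock is counted from discovery; check the specific statute.
        deadlines.append(Deadline(f"{state} breach law", recipient, hipaa_discovery + timedelta(days=days)))
    return sorted(deadlines, key=lambda d: d.due)


def overdue(deadlines: list[Deadline], now: datetime) -> list[Deadline]:
    """Deadlines already missed at `now`, for a dashboard's red list."""
    return [d for d in deadlines if d.due < now]


def sample_timeline() -> list[Deadline]:
    """Constructed incident: discovered Saturday 2026-04-11 09:00, classified under DORA at 11:00,
    materiality determined the following Monday at 10:00. The state window is a placeholder."""
    discovered = datetime(2026, 4, 11, 9, 0)
    return regulatory_deadlines(
        hipaa_discovery=discovered,
        gdpr_awareness=discovered,
        sec_materiality=datetime(2026, 4, 13, 10, 0),
        dora_classification=datetime(2026, 4, 11, 11, 0),
        state_law=("EXAMPLE-STATE", 30, "State AG, individuals"),  # placeholder, not a real statute
    )


if __name__ == "__main__":
    for d in sample_timeline():
        print(f"{d.due:%Y-%m-%d %H:%M}  {d.regulation:<20} -> {d.recipient}")
```

In the constructed scenario the DORA initial notice is due four hours after classification, the GDPR and DORA intermediate notices fall on the Tuesday, the 8-K on the Friday, and the HIPAA individual notice not until June; a tracker that only watched the 60-day clock would have missed four deadlines by then.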

What documentation should you maintain for OCR investigations?

The Office for Civil Rights (OCR) enforces HIPAA through complaint investigations, compliance reviews, and audits. Organizations should maintain breach documentation for a minimum of six years, as required by the HIPAA Administrative Simplification regulations.

Essential documentation includes the four-factor risk assessment for every potential breach, the incident timeline from detection through resolution, evidence of notification (individual letters, HHS portal submission, media notices), remediation actions taken and their completion status, and any policy or procedure changes resulting from the incident.

The HHS breach notification guidance provides additional detail on documentation expectations. Organizations using a CIRM platform benefit from having this documentation captured automatically in the incident workflow rather than assembled retrospectively.

OCR settlement amounts for breach notification failures have increased substantially in recent years. The consistent factor in high-penalty cases is not the breach itself but the absence of documented risk assessments and timely notification procedures.

Frequently Asked Questions

Does encryption prevent HIPAA breach notification requirements?

If PHI is encrypted in accordance with NIST guidance and the encryption key has not been compromised, the data is considered "secured" under the Breach Notification Rule and notification is not required. The encryption must meet the specifications in the HHS guidance on rendering PHI unusable, unreadable, or indecipherable. If the encryption key was also compromised, the PHI is considered unsecured and notification applies.

Can a business associate notify individuals directly?

By default, the notification obligation falls on the covered entity, not the business associate. However, the business associate agreement may delegate notification responsibilities to the business associate. Even with delegation, the covered entity retains ultimate responsibility for ensuring that notification occurs within the required timeframe.

What if the breach involves both HIPAA and state breach law?

Organizations must comply with both HIPAA and applicable state breach notification laws. State laws may impose shorter timelines, broader definitions of personal information, or additional notification recipients (such as the state attorney general). When requirements conflict, the more protective standard generally applies. Coordinating these parallel obligations is one of the primary functions of a CIRM platform.

Manage HIPAA notification timelines with confidence

IR-OS tracks the 60-day clock alongside all other regulatory deadlines and produces the documentation OCR expects.
