COVID-19 has had nearly the whole world under lockdown for quite some weeks now. While the world is still reeling from its deadly effects, parts of the world are opening up again. Nevertheless, the war against the novel coronavirus is far from over. Even though the U.S. healthcare system is being tested to its limits, hackers are not giving the medical profession a break. The HHS (Department of Health and Human Services) has received reports of over 30 data breaches already this year, compromising the data of over 1 million people, and it has only been three months since the year began. Thus, it is crucial for healthcare organizations to know about the HIPAA Breach Notification Rule and ensure compliance at all times.

HIPAA Breach Notification Rule

HIPAA legislation covers what rules and regulations to follow after a breach. The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification after a breach of unsecured protected health information (PHI).

After a data breach of unsecured PHI, covered entities are required to notify three parties – the patients whose data has been compromised, the Secretary, and the media (when applicable). Business associates are required to notify the covered entities they’re working with if a data breach occurs at or by the business associate.

Requirements of the HIPAA Breach Notification Rule


Provide individual notice to affected individuals

Covered entities are required to notify the patients whose data has been compromised as a result of a data breach. The covered entities need to notify each individual via first-class mail, or if the patient has agreed, via email. 

The affected individuals have to be notified without unreasonable delay and within 60 days, with the deadline starting from the discovery of the breach. The notification must also include a description of:

  • The data breach itself
  • The information compromised by the breach
  • The steps affected patients should take
  • The steps the covered entity will take to inspect the breach, mitigate adverse effects, and prevent further incidents
  • Contact information 

Although the responsibility to notify affected individuals falls on covered entities, they may, where appropriate, assign their business associates to inform the affected individuals. This is based on factors such as which organization deals directly with the individuals and what functions the business associate performs for the covered entity.

Provide notice to media in certain cases

Media outlets must be notified of data breaches that affect 500 or more individuals. The applicable media outlets are those that are within the same State or jurisdiction as the organization. Usually, covered entities notify the media outlets via a press release. The media must be notified within 60 days of detection of the breach.

Notify the Secretary via HHS

In addition to the affected individuals and media outlets (if the breach impacts over 500 individuals), the third party to notify of breaches of unsecured PHI is the Secretary. This can be done by filling out the appropriate form on the HHS website.

The notification period depends on the number of individuals affected by the data breach. If it affects over 500 patients, the covered entity is required to notify the Secretary without unreasonable delay and within 60 days of detection of the breach. If the data breach affects fewer than 500 individuals, the covered entity needs to notify the Secretary annually – this is due no later than 60 days after the end of the calendar year in which the breach is detected.

When do business associates need to notify?

When a data breach occurs at or by a business associate, it needs to notify the covered entity without unreasonable delay and within 60 days of detecting the breach. It also needs to provide the covered entity, in detail and if possible, with:

  • The identities of the affected individuals
  • Any other information that the covered entity must inform the individuals about.

Simplify HIPAA compliance

As can be seen, HIPAA compliance is a multi-layered, complex, and continuous process. The checklist above covers the HIPAA Breach Notification Rule only; there are many other rules that organizations are required to follow to ensure compliance, avoid fines, and safeguard PHI.

HIPAA Ready is robust HIPAA compliance software that streamlines compliance, creates digital checklists, customizes policies & procedures, schedules training, and keeps track of incidents – all from a single application. It helps to make HIPAA compliance easier than ever!