The HIPAA Breach Notification Rule requires covered entities and their business associates to notify affected individuals, the Secretary of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured protected health information (PHI). The notification deadlines depend on the breach's scale: for breaches affecting fewer than 500 individuals, notification to HHS must be made no later than 60 days after the end of the calendar year in which the breach was discovered; for breaches affecting 500 or more individuals, covered entities must notify HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. This 60-day window is a hard regulatory requirement enforced by the HHS Office for Civil Rights (OCR), and non-compliance can result in civil monetary penalties ranging from $141 to $69,729 per violation, adjusted annually for inflation, with a maximum annual penalty of $2,134,831 for identical violations.
The HIPAA Breach Notification Rule, codified at 45 CFR §§ 164.400-414, is one of the most consequential regulatory frameworks for healthcare organizations, health plans, healthcare clearinghouses, and their business associates operating in the United States. For CISOs, privacy officers, and compliance leads, understanding the precise mechanics of this rule — what constitutes a breach, who must be notified, the exact timeline for each notification category, and how to document compliance — is essential to avoiding regulatory action and preserving patient trust. This guide provides a complete, authoritative breakdown of the 60-day requirements and every other obligation under the rule.
What Is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule is a federal regulation issued by the HHS under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. It establishes mandatory procedures that covered entities and business associates must follow when a breach of unsecured PHI occurs. The rule applies to all organizations subject to HIPAA, including hospitals, physician practices, health insurance plans, pharmacies, healthcare clearinghouses, and any third-party vendors or subcontractors that handle PHI on their behalf.
The core obligation is straightforward: any impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of that information triggers notification obligations. However, the rule provides a risk assessment framework that allows entities to determine whether an impermissible use or disclosure actually constitutes a breach requiring notification. If the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a four-factor risk assessment, notification is not required.
The Four-Factor Risk Assessment
To determine whether an impermissible use or disclosure of PHI constitutes a breach, the covered entity or business associate must conduct a risk assessment that considers at least the following four factors as outlined in 45 CFR § 164.402(1):
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made, including whether that person has obligations to protect the information.
- Whether the PHI was actually acquired or viewed, or whether only the opportunity existed for acquisition or viewing.
- The extent to which the risk to the PHI has been mitigated, including through prompt action by the covered entity or business associate.
Importantly, the risk assessment places the burden of proof on the covered entity. If the entity cannot demonstrate a low probability of compromise, the incident is presumed to be a breach, and all notification obligations apply. This presumption reinforces the importance of thorough, documented risk assessments performed promptly after any impermissible use or disclosure.
Who Must Comply With the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule applies to two categories of organizations: covered entities and business associates. Covered entities include healthcare providers who conduct electronic transactions, health plans (including employer-sponsored group health plans with 50 or more participants), and healthcare clearinghouses. Business associates are individuals or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity for functions such as claims processing, data analysis, utilization review, billing, and practice management.
Since the HIPAA Omnibus Rule of 2013, business associates are directly liable for compliance with the Breach Notification Rule. This means that a third-party vendor such as a cloud storage provider, medical transcription service, or IT support firm that experiences a breach of PHI is independently obligated to notify the covered entity of the breach. The covered entity then has the responsibility to notify affected individuals and HHS, unless the business associate agreement specifies otherwise.
Key Takeaway: Direct Liability for Business Associates
Under the HITECH Act and the 2013 Omnibus Rule, business associates are directly regulated by OCR. A business associate that fails to notify a covered entity of a breach within 60 days of discovery faces the same civil monetary penalties as the covered entity. For organizations handling PHI as a vendor, this means robust incident detection and notification processes are non-negotiable.
What Qualifies as a Breach Under HIPAA?
A breach is defined under 45 CFR § 164.402 as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. The definition excludes three specific categories of incidents:
- Unintentional acquisition, access, or use of PHI by a workforce member acting in good faith within the scope of their employment, as long as the information is not further used or disclosed in an impermissible manner.
- Inadvertent disclosure of PHI between persons authorized to access PHI at the same covered entity or business associate, assuming the information is not further used or disclosed.
- Disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.
It is critical to note that the "good faith" and "inadvertent" exceptions are narrow and fact-specific. OCR has made clear that these exceptions do not apply to incidents involving malicious intent, gross negligence, or systemic failures. In practice, most security incidents involving external actors — such as hacking, ransomware attacks, or theft of devices containing PHI — will qualify as breaches requiring notification.
The HIPAA Breach Notification Rule: 60-Day Requirements Explained
The 60-day requirement in the HIPAA Breach Notification Rule is one of the most frequently misunderstood provisions. The rule establishes two distinct notification tracks to HHS, and the 60-day timeline applies differently depending on the breach size:
Breaches Affecting 500 or More Individuals
For breaches that affect 500 or more individuals, the covered entity must notify HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. This notification is submitted electronically through the HHS OCR breach reporting portal. Additionally, if the breach affects 500 or more residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction — typically the largest-circulation newspaper or broadcast station.
OCR maintains a public "wall of shame" — the HIPAA Breach Notification Rule's list of breaches affecting 500 or more individuals — which is continuously updated and available on the HHS website. Inclusion on this list carries significant reputational risk, which is why many organizations prioritize rapid containment, notification, and remediation.
Breaches Affecting Fewer Than 500 Individuals
For breaches involving fewer than 500 individuals, the covered entity must notify HHS annually. The notification must be submitted no later than 60 days after the end of the calendar year in which the breach was discovered. This means an organization that discovers a small breach in March 2025 must log it internally and report it to OCR by March 1, 2026 — but that reporting obligation does not obviate the need to notify affected individuals within 60 days of discovery.
This annual reporting structure creates a compliance risk if organizations fail to maintain accurate, centralized logs of all breaches throughout the year. A business associate that fails to report a smaller breach to the covered entity in a timely manner may inadvertently cause the covered entity to miss its annual filing deadline.
Critical Distinction: Individual Notification vs. HHS Notification
The 60-day clock for notifying affected individuals runs from the discovery of the breach and applies regardless of breach size. Even for breaches affecting fewer than 500 individuals, individual notifications must be sent without unreasonable delay and within 60 days of discovery. The annual filing to HHS for smaller breaches is a separate requirement that consolidates all smaller incidents at the end of the calendar year.
Notification Timelines: A Complete Breakdown
The HIPAA Breach Notification Rule establishes three distinct notification requirements, each with its own deadline. Understanding these timelines is essential for compliance and avoiding enforcement action.
Notice to Affected Individuals
Covered entities must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. This notification must be made without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The notification must include, at minimum:
- A brief description of the breach, including the date of the breach and the date of its discovery, if known.
- A description of the types of unsecured PHI involved (e.g., name, Social Security number, date of birth, medical record number, diagnosis, treatment information).
- Steps individuals should take to protect themselves from potential harm, such as monitoring credit reports or changing account passwords.
- A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches.
- Contact information for the covered entity, including a toll-free telephone number, email address, or website where individuals can learn more about the breach.
Notification must be sent by first-class mail to the individual's last known address, or by email if the individual has agreed to receive electronic notices. If the covered entity does not have sufficient contact information for 10 or more individuals, the entity must post a conspicuous notice on its website for at least 90 days or provide substitute notice through print or broadcast media where the affected individuals likely reside.
Notice to HHS
As detailed above, the timeline for notifying HHS depends on the breach size:
For breaches affecting 500 or more individuals: Notification must be made within 60 calendar days of discovery. The covered entity must also notify HHS immediately if the breach involves 500 or more individuals and is discovered after the start of the annual reporting period but before the annual report is due.
For breaches affecting fewer than 500 individuals: Notification is submitted annually, no later than 60 days after the end of the calendar year in which the breach occurred. Entities must log each breach and include all qualifying incidents in a single annual report.
Notice to Media
When a breach affects 500 or more residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that state or jurisdiction. This notification must also be made without unreasonable delay and within 60 calendar days of the breach discovery. The media notice must contain the same information as the individual notice.
How to Achieve and Maintain HIPAA Breach Notification Compliance
Compliance with the HIPAA Breach Notification Rule requires more than simply knowing the deadlines. Organizations must build operational capabilities that enable rapid breach detection, accurate risk assessment, and flawless execution of the notification process. The following steps provide an enterprise-grade framework for compliance.
Establish a Breach Response Team and Plan
Designate a breach response team that includes representatives from legal, privacy, security, communications, and executive leadership. Develop a written breach response plan that defines roles, notification templates, escalation procedures, and timelines. The plan should be tested through tabletop exercises no less than annually, with particular focus on the 60-day notification deadline for large breaches.
Deploy Continuous Monitoring for PHI Access and Disclosure
Implement technical controls — including SIEM, user and entity behavior analytics (UEBA), and data loss prevention (DLP) systems — that monitor for unauthorized access, anomalous data transfers, and other indicators of PHI compromise. These tools should generate alerts that trigger a predefined incident response workflow within the breach response team. ThreatHawk SIEM provides continuous monitoring tailored to healthcare environments, with pre-built correlation rules for HIPAA-related events and automated alerting that can significantly reduce detection time.
Conduct Prompt Four-Factor Risk Assessments
When an incident is detected, the breach response team must immediately perform the four-factor risk assessment. This assessment should be documented in writing and preserved as part of the entity's compliance records. If the assessment concludes that there is a low probability of compromise, document the rationale thoroughly — OCR may request these documents during an audit or investigation.
Execute Notifications Within the 60-Day Window
If the risk assessment determines a breach has occurred, begin the notification process immediately. Prepare individual notification letters using approved templates, verify contact information, and send by first-class mail or email within the 60-day period. For breaches involving 500 or more individuals, simultaneously submit the HHS notification through the OCR portal and coordinate media notification.
Maintain a Breach Log for Annual Reporting
Maintain a centralized breach log that records all incidents, regardless of whether they were determined to be breaches requiring notification. The log should include the date of discovery, the nature of the incident, the results of the risk assessment, and the notification timeline. For breaches affecting fewer than 500 individuals, ensure the log is reviewed before the annual HHS filing deadline to capture all qualifying incidents from the calendar year.
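The deadline rules from the Notification Timelines section and the breach-log step above, expressed as a small deadline tracker. This is an added example, not code from the article or from any CyberSilo product; the log fields, function names and the sample incidents are constructed for illustration, and the calendar arithmetic is done with timedelta so the "60 days after year end" date comes out correctly in leap years as well.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Thresholds and windows as stated in the article (45 CFR 164.404-.408).
INDIVIDUAL_WINDOW_DAYS = 60        # "in no case later than 60 calendar days" from discovery
LARGE_BREACH_THRESHOLD = 500       # >= 500 individuals: HHS within 60 days of discovery
MEDIA_THRESHOLD_PER_STATE = 500    # >= 500 residents of one state: notify that state's media
SUBSTITUTE_NOTICE_THRESHOLD = 10   # >= 10 individuals with insufficient contact info
ANNUAL_REPORT_LAG_DAYS = 60        # < 500 individuals: 60 days after end of calendar year


@dataclass
class BreachLogEntry:
    """One row of the centralized breach log (field names are constructed)."""
    incident_id: str
    discovered: date                 # first day known, or knowable with reasonable diligence
    affected_total: int
    affected_by_state: dict = field(default_factory=dict)   # state code -> residents affected
    insufficient_contact: int = 0    # individuals with no usable mailing address or e-mail
    low_probability_of_compromise: bool = False  # documented four-factor assessment outcome


@dataclass
class Deadlines:
    individuals: Optional[date]      # None when the four-factor assessment rebutted the presumption
    hhs: Optional[date]
    media_states: list               # states whose prominent media outlets must be notified
    substitute_notice_required: bool # 90-day website posting or print/broadcast substitute notice


def annual_report_deadline(discovery_year: int) -> date:
    """HHS deadline for breaches under 500: 60 days after 31 December of the discovery year.
    2025 -> 1 March 2026 (as in the article); 2023 -> 29 February 2024 (leap year)."""
    return date(discovery_year, 12, 31) + timedelta(days=ANNUAL_REPORT_LAG_DAYS)


def compute_deadlines(entry: BreachLogEntry) -> Deadlines:
    """Derive every notification deadline the rule attaches to one logged incident."""
    if entry.low_probability_of_compromise:
        # Not a reportable breach; the entry stays in the log with its documented rationale.
        return Deadlines(None, None, [], False)
    individuals = entry.discovered + timedelta(days=INDIVIDUAL_WINDOW_DAYS)
    if entry.affected_total >= LARGE_BREACH_THRESHOLD:
        hhs = individuals                          # same 60-day clock as the individual notice
    else:
        hhs = annual_report_deadline(entry.discovered.year)
    media = sorted(s for s, n in entry.affected_by_state.items()
                   if n >= MEDIA_THRESHOLD_PER_STATE)
    substitute = entry.insufficient_contact >= SUBSTITUTE_NOTICE_THRESHOLD
    return Deadlines(individuals, hhs, media, substitute)


def overdue_notifications(entry: BreachLogEntry, today: date) -> list:
    """Names of notifications whose hard deadline has passed as of `today`.
    Meeting the hard deadline is not the same as "without unreasonable delay",
    so the log should still record the actual send date of each notice."""
    d = compute_deadlines(entry)
    late = []
    if d.individuals is not None and today > d.individuals:
        late.append("individuals")
        if d.media_states:
            late.append("media")               # media notice shares the 60-day clock
    if d.hhs is not None and today > d.hhs:
        late.append("hhs")
    return late


def annual_report_entries(log: list, discovery_year: int) -> list:
    """Incident ids for the consolidated annual HHS report: reportable breaches
    under 500 individuals discovered in the given calendar year."""
    return [e.incident_id for e in log
            if e.discovered.year == discovery_year
            and not e.low_probability_of_compromise
            and e.affected_total < LARGE_BREACH_THRESHOLD]


def sample_log() -> list:
    """Constructed sample: one large breach, one small breach, one rebutted incident."""
    return [
        BreachLogEntry("INC-2025-001", date(2025, 1, 10), 1200,
                       {"OH": 700, "PA": 500, "WV": 0}, insufficient_contact=25),
        BreachLogEntry("INC-2025-002", date(2025, 3, 15), 42, {"OH": 42}),
        BreachLogEntry("INC-2025-003", date(2025, 4, 2), 3, {"OH": 3},
                       low_probability_of_compromise=True),
    ]


if __name__ == "__main__":
    log = sample_log()
    for e in log:
        print(e.incident_id, compute_deadlines(e), overdue_notifications(e, date(2025, 3, 12)))
    print("2025 annual report:", annual_report_entries(log, 2025))
```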
Review and Update Business Associate Agreements
Business associate agreements (BAAs) must include provisions requiring business associates to notify the covered entity of a breach without unreasonable delay. Update existing BAAs to specify a notification timeline shorter than the 60-day maximum — 24 to 72 hours is recommended — to give the covered entity adequate time to assess the incident and prepare its own notifications. Ensure that the BAA also requires the business associate to provide sufficient information about the breach to enable the covered entity to meet its notification obligations.
Automate Compliance Evidence Collection
Manual compliance evidence management is unsustainable for organizations that manage PHI at scale. Automated tools can capture logs, timestamp risk assessment decisions, track notification deadlines, and generate audit-ready reports. CyberSilo Compliance Standards Automation provides integrated workflows that map breach notification requirements to the HIPAA Security and Privacy Rules, reducing the administrative burden on compliance teams and improving accuracy.
Penalties for Non-Compliance
OCR enforces the HIPAA Breach Notification Rule through civil monetary penalties (CMPs) structured in a tiered system based on the entity's level of culpability. The penalty ranges, adjusted annually for inflation, are as follows as of the latest HHS rule:
- Tier 1: Did Not Know — $141 to $34,864 per violation. The entity did not know and, by exercising reasonable diligence, would not have known that the provision was violated.
- Tier 2: Reasonable Cause — $1,393 to $69,729 per violation. The violation was due to reasonable cause and not willful neglect.
- Tier 3: Willful Neglect – Corrected — $13,945 to $69,729 per violation. The violation was due to willful neglect, but the entity corrected the violation within 30 days of discovery.
- Tier 4: Willful Neglect – Not Corrected — $69,729 to $2,134,831 per violation. The violation was due to willful neglect and was not corrected within 30 days.
In addition to CMPs, OCR may require corrective action plans that mandate specific remediation measures, such as revising policies, retraining staff, or implementing new technical safeguards. For breaches that also violate state notification laws — which exist in all 50 states, the District of Columbia, and U.S. territories — entities face additional penalties, including potential private civil actions from affected individuals.
The 2021 American Hospital Association v. Becerra decision clarified that OCR cannot apply penalties retroactively to entities that self-report and promptly mitigate breaches, but only if the entity can demonstrate compliance with all applicable HIPAA rules. This legal environment underscores the importance of proactive breach notification compliance as a liability mitigation strategy.
Ensure Your HIPAA Breach Notification Process Is Audit-Ready
Failed to notify within the 60-day window? Uncertain whether your risk assessment methodology meets OCR expectations? CyberSilo's compliance experts can review your breach response plan, test your notification workflows, and help you build a defensible compliance posture. Our Compliance Standards Automation platform integrates with your existing security stack to automate evidence collection and reduce the risk of human error.
How HIPAA Breach Notification Works for Business Associates
Business associates have independent obligations under the Breach Notification Rule. When a business associate discovers a breach of PHI that it creates, receives, maintains, or transmits on behalf of a covered entity, the business associate must notify the covered entity without unreasonable delay and within 60 calendar days of discovery. The business associate must include in its notification:
- Identification of the affected covered entity (or entities).
- A description of the breach, including the date of the breach and the date of discovery.
- A description of the types of unsecured PHI involved.
- Steps the covered entity and affected individuals should take to protect themselves.
- The contact information of the business associate's breach response team.
Critically, the business associate does not directly notify affected individuals or HHS — that responsibility falls to the covered entity. However, the business associate is responsible for ensuring its notification to the covered entity contains sufficient information for the covered entity to fulfill its own notification obligations within the 60-day window. Failure to provide timely and complete notification to the covered entity exposes the business associate to direct OCR enforcement.
For business associates operating in multiple jurisdictions, including Canada, the interaction between HIPAA requirements and Canadian privacy laws such as PIPEDA and provincial health privacy laws adds complexity. In cross-border arrangements where PHI is stored or processed in Canada, business associates must navigate both the HIPAA Breach Notification Rule's mandatory 60-day notification and the breach reporting requirements under Canadian law, which may have different timelines and notification thresholds. Canadian cybersecurity compliance services can help organizations manage these dual obligations.
Relationship Between HIPAA Breach Notification and Other Regulations
The HIPAA Breach Notification Rule does not exist in isolation. Organizations that handle PHI are often subject to other regulatory frameworks that impose overlapping or complementary breach notification requirements. For example:
- State breach notification laws: All 50 states, the District of Columbia, and U.S. territories have their own data breach notification laws with varying timelines — typically ranging from 30 to 60 days — and different thresholds for what constitutes protected information. Covered entities must comply with both HIPAA and applicable state law. When state law requires a shorter notification timeline, state law governs.
- Federal Trade Commission (FTC) Health Breach Notification Rule: The FTC enforces a separate breach notification rule under the HITECH Act for vendors of personal health records and related entities that are not covered by HIPAA. This rule applies to health apps, fitness trackers, and other digital health tools.
- SEC Cyber Disclosure Rule: For publicly traded healthcare organizations, the SEC's cybersecurity disclosure rule (effective December 2023) requires timely disclosure of material cybersecurity incidents, including those involving PHI. This creates a parallel disclosure timeline that may run concurrently with HIPAA notification requirements.
- Canadian federal and provincial laws: Under PIPEDA and provincial health privacy laws such as PHIPA in Ontario, organizations that experience a breach of personal health information involving a real risk of significant harm must notify affected individuals, relevant privacy commissioners, and other organizations that may be able to mitigate the harm. The PIPEDA breach notification timeline is "as soon as feasible," which is generally interpreted as requiring notification within days or weeks, not the full 60 days permitted under HIPAA.
For organizations operating across the U.S.-Canada border, building a unified breach response capability that addresses the most stringent requirements from all applicable jurisdictions is the most efficient and defensible approach. U.S. cybersecurity compliance services can help map these overlapping requirements and build a single, integrated notification workflow.
Best Practices for Proofing Your HIPAA Breach Response
A robust HIPAA breach response program goes beyond minimum compliance to build organizational resilience and trust. Consider these best practices drawn from OCR settlement agreements and industry guidance:
1. Reduce detection time through automation. The 60-day clock starts ticking from the moment the breach is discovered — not from the moment it occurred. Organizations that detect breaches faster have more time to perform risk assessments and prepare notifications. Implementing a SIEM solution such as ThreatHawk SIEM with real-time monitoring of PHI access logs can compress detection time from days to minutes.
2. Pre-draft notification templates and workflows. Developing FDA/OCR-approved notification templates in advance — for individual notices, media notices, and HHS submissions — eliminates the time-consuming drafting process during a breach event. Pre-approve these templates with legal counsel to ensure they meet all content requirements under 45 CFR § 164.404(c).
3. Conduct annual tabletop exercises. Mock breach scenarios that test the 60-day notification workflow under simulated pressure conditions reveal gaps in communication, delays in risk assessment completion, and technical issues with notification systems. OCR has cited failure to test incident response plans as a contributing factor in several enforcement actions.
4. Maintain a secure, centralized breach log. Use a compliance management platform — not spreadsheets — to track every incident from detection through closure. The log should include timestamps for each step in the notification process to demonstrate compliance with the "without unreasonable delay" standard, even if the notification occurs well within the 60-day maximum.
5. Train workforce members continuously. Every workforce member who handles PHI should be trained to recognize potential breaches and escalate them to the breach response team immediately. Training should cover the distinction between impermissible uses and disclosures that require a risk assessment versus those that qualify for the "inadvertent" exception, which is narrower than most employees assume.
Get a Compliance Assessment Today
Is your HIPAA breach notification process ready for an OCR audit? CyberSilo offers targeted compliance assessments that evaluate your breach detection capabilities, risk assessment methodology, notification workflows, and BAA oversight. Our experts will deliver a prioritized action plan that addresses gaps and reduces your exposure to penalties.
Frequently Asked Questions
What is the exact 60-day requirement in the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule at 45 CFR § 164.404(b) requires that notifications to affected individuals be made "without unreasonable delay and in no case later than 60 calendar days" from the discovery of the breach. For breaches affecting 500 or more individuals, the same 60-day timeline applies to notifications to HHS and media outlets. For breaches affecting fewer than 500 individuals, notification to HHS must be made annually, no later than 60 days after the end of the calendar year in which the breach occurred. Critically, "discovery" is defined as the first day the breach is known or, by exercising reasonable diligence, would have been known, which means organizations cannot delay the clock by failing to investigate suspicious activity.
Are business associates required to notify HHS directly about breaches?
No. Business associates are required to notify the covered entity of a breach without unreasonable delay and within 60 calendar days of discovery. The covered entity retains the primary obligation to notify affected individuals, HHS, and the media. However, business associates are directly liable for failing to provide timely and complete notification to the covered entity and may face civil monetary penalties directly from OCR for such failures. The business associate's notification must include sufficient information for the covered entity to fulfill its own notification obligations within the 60-day window.
What happens if a covered entity misses the 60-day notification deadline?
Missing the 60-day deadline exposes the covered entity to OCR enforcement action, including civil monetary penalties that can range from $141 to $69,729 per violation depending on the entity's level of culpability. OCR also considers the duration of non-compliance — each day of delay may be treated as a separate violation. Additionally, late notifications undermine patient trust and may result in reputational harm. Organizations that discover they have missed a deadline should notify affected individuals and HHS immediately, document the reasons for the delay, and cooperate fully with any OCR investigation. Voluntary self-reporting and immediate corrective action can reduce, but not eliminate, potential penalties.
Does a ransomware attack always require HIPAA breach notification?
Yes, in nearly all cases. OCR issued guidance in 2021 clarifying that ransomware attacks affecting PHI are generally presumed to be breaches under the HIPAA Breach Notification Rule because the unauthorized access to and encryption of data constitutes an impermissible access and disclosure. The covered entity may conduct a four-factor risk assessment to rebut the presumption, but OCR has stated that the assessment must demonstrate with strong evidence that the PHI was not actually accessed, acquired, used, or disclosed — a very difficult standard to meet when ransomware actors have demonstrated the ability to exfiltrate data before encryption. Organizations should generally treat any ransomware incident involving PHI as a breach and begin the notification process immediately.
How does the HIPAA Breach Notification Rule apply to Canadian healthcare organizations?
The HIPAA Breach Notification Rule applies directly to any organization — including Canadian healthcare providers, health insurers, and their business associates — that handles PHI of U.S. residents. This frequently occurs when Canadian hospitals treat U.S. patients, when Canadian health insurers contract with U.S. health plans, or when Canadian companies process medical data for U.S. covered entities. In these cases, the organization must comply with HIPAA's 60-day notification requirements in addition to Canadian breach notification obligations under PIPEDA, PHIPA (Ontario), and other provincial health privacy laws, which generally require notification "as soon as feasible." Canadian organizations should adopt the more stringent timeline — typically notification within days — to satisfy both regulatory regimes. CyberSilo's PHIPA compliance services can help navigate these dual obligations.
Our Conclusion & Recommendation
The HIPAA Breach Notification Rule's 60-day requirements represent one of the most enforceable and frequently audited provisions in the U.S. healthcare privacy framework. For CISOs, privacy officers, and compliance leads, the operational reality is that compliance demands more than calendar awareness — it requires a mature incident detection capability, a practiced risk assessment methodology, and a notification workflow that can execute flawlessly under time pressure. Organizations that invest in automation, pre-prepared templates, and cross-functional tabletop exercises position themselves to meet the 60-day deadline — and the "without unreasonable delay" standard — even in complex breach scenarios involving multiple business associates and overlapping state laws.
CyberSilo's Compliance Standards Automation platform provides healthcare organizations with an integrated approach to breach response, combining continuous monitoring, automated evidence collection, and pre-configured notification workflows that align with OCR requirements. For organizations that prefer guided implementation, our compliance specialists offer end-to-end assessment and gap analysis services tailored to the HIPAA Breach Notification Rule and its interplay with state and international privacy laws. To ensure your organization is prepared for its next breach notification obligation, contact our team to schedule a compliance assessment.
Get a Compliance Assessment Today
Don't wait for a breach to test your notification process. Our HIPAA compliance assessment evaluates your breach detection, risk assessment, and notification workflows against OCR expectations and delivers a prioritized remediation plan.
