How to Notify Patients, HHS, and Media After a HIPAA Breach: What the Rule Requires

When a HIPAA Breach Happens, the Clock Starts Immediately

A ransomware attack encrypts your EHR system at 2 a.m. An employee emails a spreadsheet containing protected health information to the wrong address. A business associate reports that patient records were exposed in their environment. In each of these scenarios, the same question lands on the compliance manager's desk within hours: What does HIPAA require us to do next?

The answer is more specific—and more time-sensitive—than many organizations realize. The HIPAA Breach Notification Rule, codified at 45 CFR §§ 164.400–414, establishes mandatory notification obligations to three distinct audiences: affected individuals, the Department of Health and Human Services (HHS), and in some cases, prominent media outlets. Miss a deadline, omit required content, or notify the wrong parties in the wrong sequence, and you have compounded one compliance problem with another.

This post walks through what the rule actually requires, step by step, so your team can execute a legally defensible HIPAA breach response when it counts.

Step One: Determine Whether a Reportable Breach Has Occurred

Not every security incident involving protected health information (PHI) triggers notification obligations. Under the rule, a breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy—unless the incident falls within one of three exceptions:

  • An unintentional acquisition, access, or use by a workforce member acting in good faith within the scope of authority
  • An inadvertent disclosure between authorized persons at the same covered entity or business associate
  • A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient could not reasonably have retained the information

Even when none of these exceptions apply, covered entities may still avoid notification if they can demonstrate—through a documented four-factor risk assessment—that there is a low probability that the PHI was compromised. That assessment must evaluate: the nature and extent of the PHI involved, the identity of the unauthorized person, whether PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

This risk assessment is not optional and must be documented. OCR has cited its absence as a basis for enforcement action independent of whether a breach actually occurred. If your organization needs structured support building this process, our Compliance Program Development service can help you build a repeatable breach evaluation framework.

Notifying Affected Individuals: The 60-Day Rule

When a breach is confirmed, covered entities must notify each affected individual without unreasonable delay and no later than 60 calendar days after discovering the breach. This deadline applies to covered entities; business associates must notify the covered entity without unreasonable delay and within 60 days of discovery, which then triggers the covered entity's own clock.

Required Content of Individual Notices

OCR mandates that individual notifications include all of the following elements:

  1. A brief description of what happened, including the date of the breach and the date of discovery if known
  2. A description of the types of unsecured PHI involved (e.g., name, Social Security number, diagnosis, financial account information)
  3. Any steps individuals should take to protect themselves from potential harm
  4. A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future occurrences
  5. Contact information for individuals to ask questions, including a toll-free number, email address, website, or postal address

Delivery Methods

Individual notices must be provided by first-class mail to the last known address of the individual, or by email if the individual has previously agreed to receive communications electronically. For deceased individuals, notice goes to the next of kin or personal representative.

If contact information is insufficient or out of date for 10 or more individuals, substitute notice is required. This typically means posting a notice on the covered entity's home webpage for at least 90 days or providing notice in major print or broadcast media where the affected individuals likely reside—along with a toll-free number that remains active for at least 90 days.

For organizations managing healthcare compliance obligations across multiple facilities or patient populations, maintaining current contact information and a scalable notification process is a prerequisite, not an afterthought.

Notifying HHS: Two Different Paths Based on Breach Size

All breaches of unsecured PHI must be reported to HHS through its web portal. The timing depends on the number of individuals affected:

Breaches Affecting 500 or More Individuals

These must be reported to HHS simultaneously with individual notifications—in other words, within 60 days of discovery. HHS posts these breaches publicly on what is commonly referred to as the "Wall of Shame," a searchable database that is visible to the public, the press, and your patients. The reputational impact of appearing on this list should inform how seriously your organization treats breach prevention.

Breaches Affecting Fewer Than 500 Individuals

Smaller breaches may be logged internally and reported to HHS on an annual basis, no later than 60 days after the end of the calendar year in which the breaches occurred. Organizations must maintain a log and submit all small breaches from that calendar year in a single annual report. Missing this annual filing is a common and entirely avoidable compliance gap.

Understanding how these obligations layer on top of each other is part of what makes HIPAA breach response challenging at scale. Our HIPAA Compliance Documentation Toolkit includes template logs and reporting workflows designed to keep these obligations organized and auditable.

Media Notification: When It Applies and What It Requires

This obligation catches many organizations off guard. When a breach affects 500 or more residents of a single state or jurisdiction, covered entities must also notify prominent media outlets serving that area. This notification must occur within the same 60-day window as individual and HHS notification.

Media notification must include the same content elements required in individual notices. You are not simply issuing a press release—you are fulfilling a regulatory obligation with specific content requirements. The notice should be provided to media outlets with sufficient reach to inform the affected population; OCR expects prominent local or regional coverage, not a wire service filing that patients are unlikely to see.

Organizations operating in multiple states may face concurrent media notification obligations across different jurisdictions if affected individuals are geographically dispersed.
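As an added example (not code from the original post or from Cleared Systems), the following Python sketch encodes the audience and deadline logic described in the individual, HHS and media sections above, plus the substitute-notice threshold, so a response team can check a planned timeline against the rule. The Breach and Plan types, their field names and the constructed sample scenario are assumptions chosen here for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW_DAYS = 60           # individual, HHS (large breach) and media notices share this clock
LARGE_BREACH_THRESHOLD = 500      # contemporaneous HHS report; also the per-state media threshold
SUBSTITUTE_NOTICE_THRESHOLD = 10  # unusable contact info for this many people triggers substitute notice

@dataclass
class Breach:
    """Hypothetical input model for one breach (constructed for this example)."""
    discovered: date                          # the clock starts at discovery, not at end of investigation
    affected_by_state: Dict[str, int]         # state or jurisdiction -> affected residents
    insufficient_contact: int = 0             # individuals whose address/email is missing or stale
    low_probability_documented: bool = False  # documented four-factor assessment found low probability

@dataclass
class Plan:
    notification_required: bool
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    hhs_path: str = ""                        # "contemporaneous" or "annual log"
    media_states: List[str] = field(default_factory=list)
    substitute_notice: bool = False

def annual_hhs_deadline(discovered: date) -> date:
    """Small breaches: no later than 60 days after the end of the calendar year of the breach."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)

def plan_notifications(b: Breach) -> Plan:
    """Derive who must be notified, and by when, from the breach facts."""
    if b.low_probability_documented:
        return Plan(notification_required=False)  # retain the assessment; no notices go out
    total = sum(b.affected_by_state.values())
    deadline = b.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    plan = Plan(notification_required=True, individual_deadline=deadline)
    if total >= LARGE_BREACH_THRESHOLD:
        plan.hhs_deadline, plan.hhs_path = deadline, "contemporaneous"
    else:
        plan.hhs_deadline, plan.hhs_path = annual_hhs_deadline(b.discovered), "annual log"
    # Media notice is evaluated per state, not on the overall total
    plan.media_states = sorted(s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD)
    plan.substitute_notice = b.insufficient_contact >= SUBSTITUTE_NOTICE_THRESHOLD
    return plan

if __name__ == "__main__":
    # Constructed scenario: 640 people across two states, 12 with unusable addresses
    demo = Breach(date(2024, 3, 10), {"VA": 600, "MD": 40}, insufficient_contact=12)
    print(plan_notifications(demo))
```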

Business Associate Obligations and Coordination

Business associates who experience a breach must notify the covered entity without unreasonable delay and within 60 days of discovery. The notification must identify each individual whose PHI was or is reasonably believed to have been affected. Responsibility for notifying individuals, HHS, and media remains with the covered entity unless the business associate agreement explicitly assigns that responsibility elsewhere.

This means your business associate agreements need to be airtight. If your BAAs do not specify notification timelines, identify the responsible party for each notification obligation, or require the business associate to cooperate with your response, you may find yourself unable to meet your own deadlines because a vendor is slow to report. For healthcare organizations that want to review their incident response planning holistically, this coordination layer deserves specific attention.

Documentation: What You Must Be Able to Demonstrate to OCR

HIPAA requires covered entities to maintain documentation of all breach notifications—or, if notification was not required, the risk assessment that supported that determination. This documentation must be retained for six years from the date it was created or last in effect.

In the event of an OCR investigation or audit, you should be able to produce:

  • The date the breach was discovered
  • The risk assessment and its documented conclusion
  • The date and method of individual notifications
  • Copies of notices sent and evidence of delivery
  • The date HHS was notified and confirmation of submission
  • Evidence of media notification, if applicable
  • Records of substitute notification procedures used, if applicable

Organizations that treat breach documentation as an afterthought frequently face extended OCR investigations not because their underlying response was inadequate, but because they cannot demonstrate what they did. If you want to understand what an OCR investigation actually looks for, our resource on HIPAA breach response requirements provides additional procedural detail.

Common Mistakes That Amplify HIPAA Breach Risk

In our work with healthcare organizations on breach response, certain failure patterns appear repeatedly:

  • Starting the clock too late. The 60-day window begins at discovery, not when the investigation concludes. Organizations that delay formally declaring a discovery to buy investigative time often inadvertently violate the notification deadline.
  • Skipping or poorly documenting the risk assessment. A poorly documented low-probability determination is treated by OCR as no determination at all.
  • Failing to notify media when the threshold is met. Organizations that notify patients and HHS but overlook the media obligation when 500 or more residents of a single jurisdiction are affected create an additional violation.
  • Missing the small-breach annual filing. Annual logs go unfiled, and multiple small breaches accumulate into a significant compliance gap.
  • Inadequate BAA coordination. Business associate delays in reporting push covered entities into deadline violations.

Building a repeatable response program before a breach occurs is the only reliable way to avoid these errors. Our Regulatory vCISO Services provide ongoing compliance leadership to ensure your breach response procedures are current, tested, and executable under pressure.

Take the Next Step Before a Breach Forces It

HIPAA breach response is not a procedure you want to develop in the middle of an incident. The organizations that navigate breaches with minimal regulatory exposure are the ones that built and tested their notification processes well in advance. If your current incident response plan lacks a documented breach determination workflow, tested notification templates, or a clear BAA coordination protocol, now is the time to close those gaps. Request a quote from Cleared Systems to discuss how we can help your organization build a breach-ready HIPAA compliance program—before the clock starts.
