Organizations that utilize, store, or handle Private Health Information (PHI) are covered by HIPAA, the USA’s Health Insurance Portability and Accountability Act of 1996. The HIPAA Breach Notification Rule, which is a component of the HIPAA regulations, requires enterprises to notify the authorities, any affected parties, and, in some situations, the media of security breaches within 60 days of their discovery.


What is The HIPAA Breach Notification Rule?


Organizations that deal with health information must report cybersecurity breaches under the HIPAA Breach Notification Rule.


The Notification Rule is applicable to both Business Associates, who are companies or people who offer services to the healthcare sector and interact with Private Health Information (PHI), as well as Covered Entities, which include healthcare organizations, medical practices, and insurance companies.


HIPAA is a legally enforceable rule for businesses doing business in the USA, and failure to comply can result in fines of up to $1.5 million per year, or $100 to $50,000 each violation, or per PHI information affected.


What Qualifies as a Breach Requiring Notification Under HIPAA?


If there is even a remote possibility that the protected health information was compromised, a breach is described as a compromise of the security or privacy of PHI.


HIPAA breach risk assessment


The following criteria should be used to assess the likelihood of compromise:


  • What categories of identifiers were used, what sorts of health information were used, and how likely it is that people can be reidentified using the data
  • Who is the individual who illegally accessed PHI or to whom the information was disclosed?
  • Whether the unauthorized individual really received, viewed, or used the PHI
  • Whether the risk has been reduced; for instance, a cybersecurity incident may have occurred, but the problem was fixed before PHI was moved outside the company.


Exceptions to the definition of a breach


The risk analysis is optional. Covered Entities and Business Associates have two choices in the event of a breach:


  • Perform a risk analysis before deciding whether to alert about the incident.
  • Notify without waiting for a risk assessment.


the definition of a breach’s exceptions


The following security incidents do not qualify as breaches under HIPAA, according to HIPAA’s definition of an exemption to a breach, which is as follows:


  • Employee who, while acting in accordance with their authority and with good faith, unintentionally accesses or uses PHI.
  • accidental disclosure of PHI by a person with authorization to another person at the same organization or another entity with permission to view the data.
  • The organization believes in good faith that the individual who acquired the PHI is unable to keep it or utilize it.


HIPAA Data Breach Notification Requirements: What Should You Do If Your Data Is Breached?


You may be required by the HIPAA incident Notification Rule to notify the media, the secretary of the USA Office for Civil Rights (HHS/OCR), and/or the persons affected by the incident.


Notify those who have been affected


  • You have to let everyone know that their PHI was compromised.
  • Within 60 days after learning of the violation, notice shall be given by first-class mail or, if the person consented to electronic communication, by email.
  • Try an alternative communication technique, such as phone or other written notice, if you don’t have the impacted persons’ contact information.
  • If you don’t have the contact information for more than ten people, you can make a prominent notice on the home page of your company’s website or in the most important print or broadcast media in each person’s neighborhood.


Let the secretary know.


Additionally, you must report the breach to the HHS/OCR secretary. You must keep an annual breach log and report it to the secretary within 60 days of the end of the calendar year if the breach affected less than 500 people. When notifying those involved people, you must also notify the secretary if it affected more than 500 people.


Let the media know


Only when the breach affects more than 500 people within the same state or jurisdiction must the media be notified. In this situation, you must alert the media in that state or jurisdiction by distributing a press release with the same details that you provided to the local residents who were affected. Additionally, the deadline remains the same: within 60 days of learning about the breach.


If you want to know more about breach notifications, contact an expert from CYB3R-X today or email us at