
HIPAA Breach Notification: What to Do When PHI Is Compromised

A complete guide to HIPAA breach notification requirements — covering the 4-factor risk assessment, notification timelines, individual and HHS reporting, media notification triggers, Business Associate obligations, and real enforcement examples from recent OCR settlements.

Chimaka Ikemba


Privacy & Compliance Writer · May 16, 2026


Key Takeaways

  • HIPAA defines a breach as any unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy — the presumption is that any impermissible use IS a breach unless you can prove otherwise.
  • You must apply the 4-factor risk assessment to every potential breach: nature of PHI, who accessed it, whether it was actually acquired or viewed, and what mitigation steps were taken.
  • Individual notification must occur within 60 days of discovering the breach — not 60 days from when it happened, but from when you knew or should have known about it.
  • Breaches affecting 500 or more individuals require notification to HHS within 60 days AND media notification in the affected state — breaches under 500 can be reported to HHS annually.
  • Business Associates must notify their Covered Entity within the timeframe specified in the BAA (often 30 days or less) so the CE can meet its own 60-day deadline.
  • Encryption is your best protection against notification requirements — a lost encrypted device is not a reportable breach if the encryption key was not compromised.

A data breach in healthcare is not just a technical problem — it is a crisis that can harm patients, destroy trust, and cost your organization millions. In 2024, healthcare data breaches exposed over 133 million patient records in the United States. The average cost of a healthcare breach reached 9.77 million dollars — the highest of any industry for the 14th consecutive year.

When a breach happens, what you do in the first 72 hours determines whether the situation becomes a manageable incident or an organizational catastrophe. And HIPAA's Breach Notification Rule has very specific requirements about who you must notify, how quickly, and what you must include.

This guide covers the complete HIPAA breach notification process — from initial discovery through notification, with real enforcement examples, template-level detail on what notifications must contain, and the specific risk assessment methodology OCR expects you to use.

What Counts as a "Breach" Under HIPAA?

The HIPAA Breach Notification Rule at 45 CFR 164.400-414 defines a breach as:

The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information.

The crucial concept here is the presumption of breach. Since the 2013 Omnibus Rule, any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate — through a documented risk assessment — that there is a low probability the PHI was actually compromised.

Exceptions to the Breach Definition

Three narrow exceptions exist:

  1. Unintentional access by workforce member: An employee acting in good faith within their scope of authority accidentally accesses PHI they do not need. Example: a nurse opens the wrong patient chart momentarily. The access must be unintentional, within scope, and the PHI must not be further used or disclosed impermissibly.
  2. Inadvertent disclosure between authorized persons: An authorized employee accidentally shares PHI with another person at the same CE or BA who is also authorized to access PHI. Example: a nurse emails a patient file to the wrong doctor within the same hospital system.
  3. Good faith belief PHI will not be retained: The PHI is disclosed to an unauthorized person who the CE or BA has a good faith belief could not reasonably retain the information. Example: a fax containing PHI is sent to the wrong number at a business, and the recipient immediately reports they received it and destroyed it.

These exceptions are narrowly construed. When in doubt, treat the incident as a potential breach and proceed to the risk assessment.

Secured vs. Unsecured PHI

HIPAA breach notification requirements only apply to unsecured PHI. If PHI is rendered "unusable, unreadable, or indecipherable" to unauthorized individuals, it is considered secured. Two methods provide this safe harbor:

  • Encryption: Data encrypted with a process consistent with NIST Special Publication 800-111 (for data at rest) or NIST SP 800-52/800-77 (for data in transit). In practice: AES-128 or AES-256 for stored data, TLS 1.2+ for transmitted data. The encryption key must not be stored on or with the device.
  • Destruction: Paper PHI is shredded or destroyed so it cannot be read or reconstructed. Electronic PHI is cleared, purged, or destroyed consistent with NIST SP 800-88.

This safe harbor is why encryption is the single most important control for reducing breach notification burden. An encrypted laptop that is lost or stolen? Not a reportable breach (assuming the key was not compromised). An unencrypted laptop? Full breach notification, immediately.

The 4-Factor Risk Assessment: Is It a Breach?

When a potential breach occurs involving unsecured PHI, you must conduct and document a 4-factor risk assessment to determine if there is a low probability the PHI was compromised. If you cannot demonstrate low probability across all four factors, you must treat it as a breach and proceed with notification.

4-Factor Breach Risk Assessment (45 CFR 164.402)

  • Factor 1, Nature and Extent: What type of PHI? SSN, diagnosis, financial IDs = higher risk. Consider the likelihood of re-identification.
  • Factor 2, Unauthorized Person: Who accessed it? Another CE = lower risk; criminal actor = high risk. Does the recipient have obligations to protect PHI?
  • Factor 3, PHI Acquired/Viewed: Was PHI actually seen or obtained? Forensics can prove this. If uncertain = assume yes.
  • Factor 4, Extent of Mitigation: What steps were taken to reduce harm? Attestation of destruction. Verify the mitigation worked.

DECISION: Can all 4 factors demonstrate a LOW probability of compromise?
  • YES → Document the analysis, no notification required
  • NO or UNCERTAIN → Treat as a breach, notify per the rules
The 4-factor risk assessment must be documented for every potential breach involving unsecured PHI.

Applying the 4 Factors: Practical Examples

Example 1: Misdirected fax to another medical office

  • Factor 1: PHI included patient name, DOB, and diagnosis — moderate sensitivity
  • Factor 2: Receiving party is a HIPAA-covered medical office with its own PHI obligations — lower risk
  • Factor 3: Receiving office confirmed they received the fax but did not review it in detail — low acquisition
  • Factor 4: Receiving office provided written attestation they shredded the fax immediately — effective mitigation
  • Conclusion: Low probability of compromise. Document and file — no notification required.

Example 2: Ransomware attack on EHR server

  • Factor 1: Full patient records including SSNs, diagnoses, insurance data — highly sensitive
  • Factor 2: Criminal actor — cannot be trusted or identified — highest risk
  • Factor 3: Forensics cannot confirm whether data was exfiltrated before encryption — presumed acquired
  • Factor 4: Data appeared on dark web listings — no mitigation possible
  • Conclusion: Breach confirmed. Full notification required. Potentially all patients in the database affected.

Example 3: Employee looks up neighbor's records out of curiosity

  • Factor 1: Accessed medical history, medications, and visit notes — sensitive
  • Factor 2: Workforce member without treatment relationship to the patient — unauthorized
  • Factor 3: Employee viewed the records (audit logs confirm access) — PHI was definitively viewed
  • Factor 4: Employee terminated, signed confidentiality attestation, no evidence of further disclosure
  • Conclusion: Breach. Despite mitigation, the PHI was impermissibly accessed and viewed. Notification to the patient required.
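Example 3 turns on one piece of evidence: the audit log showed that the employee opened records of a patient they had no treatment relationship with. The script below is an added example (not the article's own tooling) of the matching logic that produces that Factor 3 evidence. The audit-log format, the user names, the patient ids and the care-team roster are all constructed for illustration; real EHR audit exports differ. It flags every (user, patient) pair with no documented relationship, and triages a single momentary chart view (the article's "nurse opens the wrong chart" case) for review under the workforce exception, while sustained or repeated viewing goes straight to the 4-factor risk assessment.

```python
"""Flag EHR chart accesses that have no documented treatment relationship.

Added example, not the article's own tooling. The audit-log format and the
care-team roster are constructed; real EHR audit exports differ, but the matching
logic is the same: each access event is checked against the users who have a
treatment or billing reason to open that patient's record, and unmatched access
is written up as Factor 3 evidence ("audit logs confirm access").
"""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed sample audit log: ISO timestamp, EHR user, patient id, action.
AUDIT_LOG = """\
timestamp,user,patient_id,action
2026-05-14T09:02:11,nurse.j,P1001,VIEW_CHART
2026-05-14T09:03:40,nurse.j,P1002,VIEW_CHART
2026-05-14T09:03:55,nurse.j,P1002,CLOSE_CHART
2026-05-14T10:15:00,dr.k,P2001,VIEW_CHART
2026-05-14T13:45:02,clerk.m,P2001,VIEW_CHART
2026-05-14T13:51:30,clerk.m,P2001,VIEW_NOTES
2026-05-14T13:53:10,clerk.m,P2001,VIEW_MEDS
"""

# Constructed care-team roster: (user, patient_id) pairs with a legitimate role.
CARE_TEAM = {("nurse.j", "P1001"), ("dr.k", "P2001")}

# Triage heuristic (an assumption, not a HIPAA rule): one chart view closed within
# this many seconds is queued for review under the "unintentional access by a
# workforce member" exception; anything longer or repeated is escalated.
MOMENTARY_SECONDS = 60


@dataclass
class Finding:
    user: str
    patient_id: str
    view_count: int
    first_seen: datetime
    last_seen: datetime
    triage: str  # "review-for-exception" or "escalate-to-risk-assessment"


def find_unrelated_access(audit_log: str, care_team: set) -> list:
    """Return one Finding per (user, patient) pair accessed without a relationship."""
    sessions = {}
    for row in csv.DictReader(StringIO(audit_log)):
        key = (row["user"], row["patient_id"])
        if key in care_team:
            continue  # documented treatment relationship, nothing to flag
        ts = datetime.fromisoformat(row["timestamp"])
        sessions.setdefault(key, []).append((ts, row["action"]))

    findings = []
    for (user, patient_id), events in sessions.items():
        events.sort()
        views = sum(1 for _, action in events if action.startswith("VIEW_"))
        first, last = events[0][0], events[-1][0]
        momentary = views <= 1 and (last - first).total_seconds() <= MOMENTARY_SECONDS
        findings.append(Finding(
            user=user,
            patient_id=patient_id,
            view_count=views,
            first_seen=first,
            last_seen=last,
            triage="review-for-exception" if momentary else "escalate-to-risk-assessment",
        ))
    findings.sort(key=lambda f: f.first_seen)
    return findings


if __name__ == "__main__":
    for f in find_unrelated_access(AUDIT_LOG, CARE_TEAM):
        print(f"{f.user} -> {f.patient_id}: {f.view_count} view(s), "
              f"{f.first_seen:%H:%M:%S} to {f.last_seen:%H:%M:%S}, {f.triage}")
```

On the constructed log, nurse.j's 15-second open-and-close of P1002 lands in the review queue, while clerk.m's three views of P2001 over eight minutes are escalated. The triage label is only a starting point: the exception also requires good faith and no further use or disclosure, which no log can establish on its own, and the timestamps of the first flagged event are what start the discovery clock.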

Who You Must Notify and When

Once you have determined a breach occurred, HIPAA requires notification to up to four different parties, depending on the breach size.

1. Notification to Individuals

Timeline: Without unreasonable delay, no later than 60 calendar days from the date of discovery.

Discovery date rules: A breach is "discovered" on the first day any person in your workforce or your agent knows about it or should have known about it through reasonable diligence. This is important — if a low-level employee discovers a breach on Day 1 but does not report it internally until Day 15, the clock started on Day 1.

Method:

  • Written notice by first-class mail to the individual's last known address
  • Email ONLY if the individual has previously agreed to receive electronic communications
  • If contact info is insufficient or out of date for 10 or more individuals: substitute notice via a conspicuous posting on the organization's website homepage for 90 days PLUS a toll-free phone number active for at least 90 days
  • If urgent (imminent misuse risk): telephone notice in addition to written notice

Required content of individual notification:

  • Brief description of what happened, including the date(s) of the breach and date of discovery
  • Description of the types of unsecured PHI involved (not the actual data — describe categories like "names, SSNs, diagnoses")
  • Steps the individual should take to protect themselves (credit monitoring, fraud alerts, password changes)
  • Brief description of what your organization is doing to investigate, mitigate harm, and prevent future breaches
  • Contact information — a toll-free phone number, email address, postal address, or website where individuals can get more information

2. Notification to the HHS Secretary

Breaches affecting 500 or more individuals: Report to HHS simultaneously with individual notification — within 60 days of discovery. Use the HHS Breach Reporting Portal at ocrportal.hhs.gov. These breaches are posted on the "Wall of Shame" (officially the Breach Portal) on the HHS website.

Breaches affecting fewer than 500 individuals: Report to HHS within 60 days of the end of the calendar year in which the breach was discovered. Effectively, you have until February 28 (or March 1) of the following year. These are submitted through the same portal.

3. Media Notification

Trigger: Breaches affecting 500 or more residents of a single state or jurisdiction.

You must notify prominent media outlets serving that state. This is typically done by issuing a press release to major newspaper, TV, and online news outlets in the affected area. The timeline is the same — within 60 days of discovery.

This is the requirement that organizations dread most, but it cannot be avoided. OCR does check whether media notification was made for qualifying breaches.

4. Business Associate Notification to Covered Entity

If a Business Associate discovers a breach of PHI it handles on behalf of a Covered Entity, the BA must notify the CE within the timeframe specified in the BAA. HIPAA does not specify an exact BA notification timeline, but most BAAs set it at 30 days or less because the CE needs time within its own 60-day window to investigate and notify individuals.

The BA must provide the CE with sufficient information for the CE to fulfill its notification obligations: identification of affected individuals, types of PHI involved, and details of the incident.

Breach Notification Requirements by Size

UNDER 500 INDIVIDUALS
  • Individuals: 60 days from discovery
  • HHS: By Feb 28 of the following year (annual log)
  • Media: NOT required
  • Still must be documented in the internal breach log

500 OR MORE INDIVIDUALS
  • Individuals: 60 days from discovery
  • HHS: 60 days from discovery (immediate)
  • Media: Required (500+ in one state)
  • Posted on the HHS "Wall of Shame" breach portal

KEY: "Discovery" = when ANY employee or agent learns of the breach. Not when leadership is told | Not when the investigation concludes | Not when legal reviews. A front-desk employee finding a misdirected fax starts the 60-day clock immediately.

A BA must also notify the CE within the BAA timeframe (typically 30 days or less) so the CE can meet its 60-day deadline.
Notification timelines differ by breach size — but the discovery clock starts immediately regardless.

The First 72 Hours: Breach Response Step by Step

When a potential breach is discovered, the actions you take in the first 72 hours determine everything that follows.

Hour 0-4: Immediate Containment

  1. Stop the bleeding. If the breach is ongoing (active ransomware, unauthorized access still occurring), take immediate technical action to contain it — isolate affected systems, disable compromised accounts, block network access points.
  2. Preserve evidence. Do NOT wipe, reformat, or turn off affected systems. Forensic investigation requires preserving the state of compromised systems. Take disk images if possible.
  3. Activate your incident response team. Notify your HIPAA Security Officer, Privacy Officer, IT lead, legal counsel, and executive leadership. If you have a cyber insurance policy, notify your carrier immediately — many policies require notification within 24-72 hours.
  4. Document everything. Start a written timeline of events: what was discovered, when, by whom, and what actions were taken. This contemporaneous record will be critical for the 4-factor risk assessment and any OCR investigation.

Hours 4-24: Initial Assessment

  1. Scope the incident. Determine what systems are affected, what PHI may have been compromised, and how many individuals may be involved.
  2. Engage forensic investigators if the breach involves technical attack vectors (ransomware, unauthorized access, malware). Your cyber insurance carrier likely has a preferred forensics panel. Do not attempt complex forensics with internal IT staff alone.
  3. Determine if law enforcement should be involved. If the breach involves criminal activity (ransomware, data theft for fraud), contact the FBI's Internet Crime Complaint Center (IC3) or your local FBI field office. Law enforcement involvement can delay individual notification by up to 60 additional days if they determine notification would impede the investigation — but you must get this in writing.
  4. Begin the 4-factor risk assessment. Start documenting your analysis of each factor based on what you know so far.

Hours 24-72: Path Forward

  1. Complete the 4-factor risk assessment with available information. You may need to update it as the forensic investigation reveals more, but an initial determination guides your next steps.
  2. If breach is confirmed: Begin drafting individual notification letters, prepare the HHS portal submission, identify whether media notification is required (500+ in any single state).
  3. If breach is excluded: Document your risk assessment thoroughly. Keep all evidence and analysis. OCR may request this documentation months or years later.
  4. Brief leadership on notification obligations, estimated scope, and remediation requirements.

Writing Effective Breach Notification Letters

The notification letter is often the first communication affected patients receive. It must comply with HIPAA requirements while being clear, honest, and actionable.

What Not to Do

  • Do not bury the breach in legal jargon. Use plain language. People need to understand what happened and what they should do.
  • Do not minimize. Phrases like "out of an abundance of caution" when SSNs were definitively compromised undermine trust and can draw OCR scrutiny.
  • Do not be vague about what was exposed. Tell people exactly which categories of PHI were involved. "Your personal information may have been compromised" is insufficient — specify "name, date of birth, Social Security number, diagnosis codes, and insurance information."
  • Do not delay for perfection. You do not need the investigation to be 100% complete to begin notification. If you know enough to determine a breach occurred, start notifying. You can send supplemental notices as more information becomes available.

What to Include

Follow this structure for a compliant notification letter:

  1. Opening: State clearly that a data breach occurred and that their PHI was involved
  2. What happened: Brief, factual description of the incident including dates
  3. What information was involved: Specific categories of PHI affected
  4. What you are doing: Investigation steps, security improvements, services being offered (credit monitoring)
  5. What they should do: Specific, actionable steps — review explanation of benefits, monitor credit, place fraud alerts
  6. Contact information: Toll-free number, email, mailing address for questions

Real-World Breach Enforcement: What OCR Penalizes

Understanding how OCR has previously penalized organizations helps you anticipate what auditors focus on. Here are recent enforcement actions where breach notification failures were central:

Change Healthcare / UnitedHealth Group (2024)

The largest healthcare breach in history. A ransomware attack in February 2024 affected approximately 100 million individuals and disrupted claims processing across the entire US healthcare system. The attackers exploited a Citrix portal without MFA. UnitedHealth Group reportedly paid a ransom, but data was still posted on dark web forums. Investigation and enforcement are ongoing. Estimated total cost exceeds 2 billion dollars including remediation, notification, and business disruption.

Banner Health

A 2016 cyberattack compromised the records of 2.81 million individuals. OCR found that Banner Health had failed to conduct an enterprise-wide risk assessment, failed to implement sufficient monitoring of health information systems, and failed to implement an authentication process. The breach notification itself was timely, but the underlying compliance failures drove the penalty.

Excellus Health Plan (2021): 5.1 Million Dollar Settlement

A breach affecting 9.3 million individuals went undetected for over two years (2013-2015). OCR cited lack of a thorough risk assessment, failure to implement hardware and software monitoring, and insufficient technical security measures. The extended period of undetected access significantly increased the penalty — organizations are expected to detect breaches, not just respond after someone else discovers them.

Premera Blue Cross (2020): 6.85 Million Dollar Settlement

A breach affecting 10.4 million individuals resulted from a phishing attack. OCR found insufficient risk assessment, lack of hardware and software monitoring, and failure to implement minimum necessary policies. The penalty reflected both the size of the breach and the systemic compliance failures.

Anthem Inc. (2018): 16 Million Dollar Settlement

The largest HIPAA settlement in history at the time. A breach affecting 78.8 million individuals through a spear-phishing attack that installed malware. OCR found insufficient technical safeguards, inadequate review of system activity, and failure to identify and respond to the breach for extended periods.

Ransomware: When Encryption Means Breach

In July 2016, HHS issued specific guidance establishing that ransomware attacks are presumed to be breaches. The logic: when ransomware encrypts ePHI, the attacker has exercised control over the data, which constitutes an unauthorized "acquisition" even if they never view individual records.

The Modern Ransomware Reality

Ransomware in 2024-2026 is fundamentally different from ransomware in 2016:

  • Double extortion is standard: Attackers exfiltrate data BEFORE encrypting it. Even if you restore from backups, they threaten to publish the stolen data.
  • Triple extortion is emerging: Attackers contact affected patients directly, demanding payment or threatening to release their individual health records.
  • Attack volume: Healthcare ransomware attacks increased 128% between 2022 and 2024. An average of 2 healthcare organizations per week are hit.
  • Recovery time: Average healthcare organization takes 23 days to recover operations after a ransomware attack.

Ransomware-Specific Breach Assessment

For ransomware attacks, your 4-factor analysis must address:

  • Factor 1: What data was on the affected systems? Assume all accessible data on the compromised network was potentially exposed.
  • Factor 2: Criminal actor — highest risk category. Cannot rely on the attacker's honesty about what they did or did not access.
  • Factor 3: Can forensics definitively prove whether data was exfiltrated? If not, presume it was. Modern ransomware groups almost always exfiltrate before encrypting.
  • Factor 4: Paying ransom is NOT considered effective mitigation. Attackers frequently sell data or re-extort even after payment.

In practice, nearly all ransomware attacks on healthcare result in breach notification obligations unless you can demonstrate through forensic evidence that the encryption malware did not access or exfiltrate any PHI — which is extremely rare with modern attack chains.
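The decision rule in the 4-factor assessment above, together with the ransomware presumptions in this section, can be written down as a small rules engine so that every potential breach gets the same test and a recorded rationale. The block below is an added example, not the article's tool or any OCR-published method. The factor ratings are whatever the assessor concludes; the code only applies the rules the article states (every factor must demonstrate a low probability of compromise, uncertainty counts against you, a criminal actor and unproven exfiltration are presumed, and paying a ransom is not mitigation). The three incidents at the bottom are the article's own worked examples re-entered as constructed inputs.

```python
"""4-factor breach risk assessment with the ransomware presumptions applied.

Added example, not the article's own tool. The factor ratings are the assessor's
inputs; the code only applies the decision rule and records the rationale that
belongs in the breach log. The example incidents are constructed from the
article's worked examples.
"""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    LOW = "low probability"   # the factor supports a low probability of compromise
    NOT_LOW = "not low"       # the factor does not
    UNCERTAIN = "uncertain"   # could not be determined; treated like NOT_LOW


@dataclass
class Assessment:
    incident: str
    f1_nature_and_extent: Level
    f2_unauthorized_person: Level
    f3_acquired_or_viewed: Level
    f4_mitigation: Level
    ransomware: bool = False
    forensic_proof_no_exfiltration: bool = False
    ransom_paid: bool = False
    rationale: list = field(default_factory=list)


def apply_ransomware_presumptions(a: Assessment) -> None:
    """Override factor ratings the way the article says the 2016 HHS guidance requires."""
    if not a.ransomware:
        return
    a.f2_unauthorized_person = Level.NOT_LOW
    a.rationale.append("Factor 2: criminal actor, highest-risk recipient; attacker claims not trusted")
    if not a.forensic_proof_no_exfiltration:
        a.f3_acquired_or_viewed = Level.NOT_LOW
        a.rationale.append("Factor 3: no forensic proof that data was not exfiltrated; presumed acquired")
    if a.ransom_paid and a.f4_mitigation is Level.LOW:
        a.f4_mitigation = Level.NOT_LOW
        a.rationale.append("Factor 4: ransom payment is not effective mitigation")


def notification_required(a: Assessment) -> bool:
    """True unless all four factors demonstrate a low probability of compromise."""
    apply_ransomware_presumptions(a)
    factors = {
        "Factor 1": a.f1_nature_and_extent,
        "Factor 2": a.f2_unauthorized_person,
        "Factor 3": a.f3_acquired_or_viewed,
        "Factor 4": a.f4_mitigation,
    }
    failing = [name for name, level in factors.items() if level is not Level.LOW]
    if failing:
        a.rationale.append("Treat as breach; not demonstrating low probability: " + ", ".join(failing))
        return True
    a.rationale.append("All four factors show low probability; document, no notification required")
    return False


# The article's three worked examples, entered as constructed assessor ratings.
MISDIRECTED_FAX = Assessment("misdirected fax to another medical office",
                             Level.LOW, Level.LOW, Level.LOW, Level.LOW)
RANSOMWARE_EHR = Assessment("ransomware on EHR server",
                            Level.NOT_LOW, Level.UNCERTAIN, Level.UNCERTAIN, Level.NOT_LOW,
                            ransomware=True)
EMPLOYEE_SNOOPING = Assessment("employee viewed a neighbor's record out of curiosity",
                               Level.NOT_LOW, Level.NOT_LOW, Level.NOT_LOW, Level.LOW)

if __name__ == "__main__":
    for a in (MISDIRECTED_FAX, RANSOMWARE_EHR, EMPLOYEE_SNOOPING):
        print(a.incident, "->", "NOTIFY" if notification_required(a) else "document only")
        for line in a.rationale:
            print("   ", line)
```

The snooping case is the instructive one: Factor 4 is rated low risk because the employee was terminated and signed an attestation, yet the result is still "notify", because Factor 3 is not low once the audit log shows the records were viewed. Mitigation never rescues an assessment on its own.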

State Laws That Go Beyond HIPAA

HIPAA does not preempt state breach notification laws. Many states have their own notification requirements that may be more stringent:

  • California (CMIA + CCPA): Requires notification within the "most expedient time possible" — no specific day count, but faster than 60 days is expected. Includes additional categories of protected information beyond HIPAA's PHI definition.
  • New York (SHIELD Act): Requires notification "in the most expedient time possible." Applies to anyone holding private information of NY residents, not just healthcare entities.
  • Texas: Requires notification within 60 days. Requires notification to the Texas Attorney General for breaches affecting 250 or more Texas residents (lower threshold than HIPAA's 500).
  • Florida: Requires notification within 30 days — significantly shorter than HIPAA's 60-day maximum. Requires notification to the Florida Department of Legal Affairs within 30 days for breaches affecting 500 or more individuals.
  • Massachusetts: Requires notification to the AG and the Director of Consumer Affairs "as soon as practicable." One of the most aggressive state requirements.

If your patients are in multiple states (common in telehealth), you must comply with the most stringent notification requirement among all applicable jurisdictions. In practice, this often means your notification timeline is shorter than HIPAA's 60 days.
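The federal timelines from "Who You Must Notify and When" and the state overlays just listed combine into a deadline calculation that is easy to get wrong under pressure (the 60 days run from discovery, the annual HHS log has its own date, and one strict state can shorten everything). The calculator below is an added example, not the article's tool and not legal advice. It encodes only what the article states: 60 calendar days from discovery for individuals; HHS within 60 days for 500 or more, otherwise 60 days after the end of the discovery year; media notice where 500 or more residents of one state are affected; substitute notice when contact data is bad for 10 or more people; a BA-to-CE deadline taken from the BAA; and the fixed state day counts the article gives (Florida 30 days, Texas 60 days, Texas AG at 250 residents, Florida Department of Legal Affairs at 500). States the article describes only as "most expedient time possible" get no day count and are returned for legal review. The state tables are a constructed subset and the sample breaches are constructed.

```python
"""Breach notification deadline and obligation calculator.

Added example, not the article's own tool. Federal rules and fixed state day counts
are taken from the article's text; the state tables are a constructed subset and
nothing here is legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HIPAA_INDIVIDUAL_DAYS = 60
HIPAA_HHS_IMMEDIATE_THRESHOLD = 500
HIPAA_MEDIA_STATE_THRESHOLD = 500
HIPAA_SUBSTITUTE_NOTICE_THRESHOLD = 10
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60

# Constructed subset of the article's state summary (day counts only where it gives one).
STATE_INDIVIDUAL_DAYS = {"FL": 30, "TX": 60}
STATE_AG_NOTICE_THRESHOLD = {"TX": 250, "FL": 500}
STATE_NO_FIXED_DAY_COUNT = {"CA", "NY", "MA"}


@dataclass
class Breach:
    discovered: date                      # first day anyone in the workforce knew or should have known
    affected_by_state: dict               # state code -> number of residents affected
    bad_contact_count: int = 0            # individuals with insufficient or out-of-date contact info
    ba_discovered: Optional[date] = None  # set when a Business Associate discovered the breach
    baa_notice_days: Optional[int] = None # BA-to-CE notice period written into the BAA


@dataclass(frozen=True)
class Obligations:
    total_affected: int
    individual_deadline: date
    hhs_deadline: date
    hhs_immediate: bool
    media_states: tuple
    state_ag_states: tuple
    substitute_notice_required: bool
    states_needing_legal_review: tuple
    ba_to_ce_deadline: Optional[date]


def annual_log_deadline(discovered: date) -> date:
    """HHS deadline for breaches under 500: 60 days after the end of the discovery year."""
    return date(discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)


def compute_obligations(b: Breach) -> Obligations:
    total = sum(b.affected_by_state.values())
    states = sorted(b.affected_by_state)

    # Individuals: HIPAA's 60 days, shortened by the strictest applicable fixed state period.
    individual_days = min([HIPAA_INDIVIDUAL_DAYS] +
                          [STATE_INDIVIDUAL_DAYS[s] for s in states if s in STATE_INDIVIDUAL_DAYS])
    individual_deadline = b.discovered + timedelta(days=individual_days)

    # HHS: same 60-day clock for 500+, otherwise the annual log after year end.
    hhs_immediate = total >= HIPAA_HHS_IMMEDIATE_THRESHOLD
    hhs_deadline = (b.discovered + timedelta(days=HIPAA_INDIVIDUAL_DAYS)
                    if hhs_immediate else annual_log_deadline(b.discovered))

    media = tuple(s for s in states if b.affected_by_state[s] >= HIPAA_MEDIA_STATE_THRESHOLD)
    ag = tuple(s for s in states
               if s in STATE_AG_NOTICE_THRESHOLD
               and b.affected_by_state[s] >= STATE_AG_NOTICE_THRESHOLD[s])
    review = tuple(s for s in states if s in STATE_NO_FIXED_DAY_COUNT)

    ba_deadline = None
    if b.ba_discovered is not None and b.baa_notice_days is not None:
        ba_deadline = b.ba_discovered + timedelta(days=b.baa_notice_days)

    return Obligations(
        total_affected=total,
        individual_deadline=individual_deadline,
        hhs_deadline=hhs_deadline,
        hhs_immediate=hhs_immediate,
        media_states=media,
        state_ag_states=ag,
        substitute_notice_required=b.bad_contact_count >= HIPAA_SUBSTITUTE_NOTICE_THRESHOLD,
        states_needing_legal_review=review,
        ba_to_ce_deadline=ba_deadline,
    )


if __name__ == "__main__":
    # Constructed sample breaches: one small multi-state incident, one large one found by a BA.
    for sample in (Breach(date(2025, 5, 16), {"TX": 300, "FL": 100}, bad_contact_count=12),
                   Breach(date(2025, 1, 10), {"CA": 800, "NY": 20},
                          ba_discovered=date(2025, 1, 3), baa_notice_days=30)):
        print(compute_obligations(sample))
```

In the first sample, a 400-person breach spread over Texas and Florida is under the HHS immediate threshold, yet Florida's 30-day rule pulls the individual deadline to 30 days and Texas's 250-resident threshold triggers an Attorney General notice; the second sample shows the 60-day HHS and individual deadlines coinciding for a 500+ breach, a media notice owed in California, and the BA's own earlier deadline to the CE.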

Maintaining Your Breach Log and Documentation

HIPAA requires maintained documentation of every breach incident, regardless of size.

Breach Log Requirements

Your breach log should include for each incident:

  • Date of breach discovery
  • Date(s) the breach occurred (if different from discovery)
  • Nature of the breach (unauthorized access, misdirected fax, ransomware, etc.)
  • Types of PHI involved
  • Number of individuals affected
  • Person who discovered the breach
  • 4-factor risk assessment documentation
  • Breach determination (reportable or not)
  • Notification actions taken (with dates)
  • Remediation actions taken
  • Root cause analysis

Retention

Breach documentation must be retained for 6 years from the date of creation or the date it was last in effect. Given that OCR investigations can begin years after an incident, err on the side of keeping documentation longer. Store breach documentation securely — it contains sensitive information about your organization's vulnerabilities and affected patients.

Reducing Breach Notification Burden Through Prevention

Encrypt Everything Strategy

The single most effective way to reduce breach notification obligations is encrypting all ePHI everywhere. When PHI is encrypted with NIST-standard encryption and the key is not compromised:

  • Lost or stolen laptop? Not a reportable breach.
  • Stolen backup drive? Not a reportable breach.
  • Email intercepted in transit? Not a reportable breach (if TLS was used).
  • USB drive left at a conference? Not a reportable breach.

Encryption does not prevent ransomware breaches (because the attacker accesses the data before or despite your encryption), but it eliminates the most common breach scenarios involving lost or stolen devices and media.

Top Prevention Controls

  • Full-disk encryption on every device — BitLocker, FileVault, LUKS — zero cost with the operating system
  • MFA on every system with ePHI access — blocks 99% of credential-based attacks
  • Email encryption — Microsoft 365 Message Encryption, Google Workspace, or dedicated tools like Virtru
  • DLP (Data Loss Prevention) — prevent ePHI from being sent to personal email, unauthorized cloud storage, or external USB devices
  • Network segmentation — isolate clinical systems from general office networks to limit blast radius
  • Phishing training and simulation — quarterly simulations reduce successful phishing by 50-70%
  • Endpoint Detection and Response (EDR) — tools like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint detect ransomware before it fully deploys
  • Immutable backups — 3-2-1 backup strategy with at least one immutable (cannot be deleted or encrypted by ransomware) backup

Complete Breach Response and Notification Checklist

Immediate (0-24 Hours)

  • Incident detected and documented in breach log
  • Affected systems contained (isolated, accounts disabled)
  • Evidence preserved (disk images, logs, screenshots)
  • Incident response team activated
  • Legal counsel notified
  • Cyber insurance carrier notified (if applicable)
  • Law enforcement contacted (if criminal activity suspected)
  • Initial scope assessment begun

Investigation (Days 1-14)

  • Forensic investigators engaged (if technical breach)
  • All affected systems and data identified
  • PHI types and volume determined
  • Number of affected individuals estimated
  • 4-factor risk assessment documented
  • Breach determination made (reportable or not)
  • State notification requirements reviewed

Notification (Within 60 Days of Discovery)

  • Individual notification letters drafted and reviewed by legal
  • Notification method determined (mail, email, substitute)
  • Credit monitoring or identity protection services arranged
  • Toll-free phone number and FAQ established
  • HHS breach portal submission prepared
  • Media notification drafted (if 500+ in a single state)
  • Individual notifications mailed/sent
  • HHS notified (within 60 days for 500+, by year-end for under 500)
  • Media notification distributed (if required)

Remediation (Ongoing)

  • Root cause identified and documented
  • Technical vulnerabilities patched or systems replaced
  • Policies and procedures updated
  • Staff training conducted on breach cause
  • Risk assessment updated to reflect the incident and new controls
  • Corrective action plan documented (OCR may require this)
  • Monitoring enhanced for repeat attacks

The organizations that handle breaches best are the ones that prepared before the breach happened — with tested incident response plans, pre-established forensics relationships, pre-drafted notification templates, and leadership who understand their obligations before they are in crisis mode.

Frequently Asked Questions

What counts as a breach under HIPAA?

A breach is the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the HIPAA Privacy Rule that compromises its security or privacy. The key word is "compromises" — under the Breach Notification Rule, any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate through a 4-factor risk assessment that there is a low probability that the PHI was actually compromised. Common examples include ransomware attacks, lost unencrypted devices, misdirected emails, employee snooping, and improper disposal of records.

Chimaka Ikemba


Privacy & Compliance Writer


Chimaka is a CIPP/E-certified data privacy consultant with six years of hands-on experience in regulatory compliance. She specializes in helping organizations navigate GDPR, CCPA, and emerging global privacy regulations, translating complex legal requirements into practical compliance frameworks. Her guides are trusted by legal teams and data protection officers worldwide.
