The Ultimate List: HIPAA Breach Notification Requirements for 2026

Author: Nicole Statley at Healthcare Compliance Pros

Introduction to HIPAA Breach Notification

Under the HIPAA Breach Notification Rule, covered entities and business associates must provide notice after certain impermissible uses or disclosures of unsecured protected health information (PHI). This rule applies to both electronic and paper PHI and is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

A "breach" is generally any acquisition, access, use, or disclosure of unsecured PHI that is not permitted by the HIPAA Privacy Rule and that compromises the security or privacy of the PHI, unless an exception applies. The rule creates a presumption that an impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that the PHI has been compromised.

Breach notification is critical because it gives patients the opportunity to take steps to protect themselves (for example, monitoring credit, changing passwords, or placing fraud alerts). It also demonstrates transparency and can significantly mitigate regulatory, legal, and reputational risk for the organization.

From a practical standpoint, organizations that prepare in advance—through policies, training, vendor management, and incident response plans—respond faster and more consistently when an incident occurs. A clear process also helps align legal, compliance, IT, and leadership, which reduces confusion and delays during a stressful event.

HIPAA Breach Notification Requirements

Timing of Notification

Covered entities must provide notification to affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. A breach is considered "discovered" on the first day it is known to the covered entity, or reasonably should have been known by exercising reasonable diligence, including knowledge by any workforce member or agent (other than the person committing the breach).

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days from discovery, and must provide the covered entity with information needed for individual notices. Many organizations set stricter timelines in their business associate agreements (for example, 10-30 days) to allow time to investigate and prepare required notices.

Parties to Notify

When a breach of unsecured PHI occurs, the covered entity must notify:

· Affected individuals (or their personal representatives).

· The Secretary of HHS.

· Prominent media outlets in certain large breaches.

Business associates do not notify individuals or HHS directly under the rule; instead, they must notify the covered entity, which is responsible for making required notifications unless otherwise agreed in writing.

Encryption Safe Harbor

The HIPAA Breach Notification Rule applies to "unsecured" PHI, which means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through technology or methodology specified by HHS. If PHI is encrypted consistent with HHS guidance (for example, using National Institute of Standards and Technology (NIST)-approved encryption methods), the incident may fall under the "encryption safe harbor," meaning it is not considered a breach requiring notification.

For example, if an encrypted laptop with PHI is stolen and the encryption meets HHS guidance and the key was not compromised, notice is generally not required because the PHI is considered secure. By contrast, if a device is only password-protected, or encryption was disabled, the safe harbor does not apply and a full breach risk assessment is required.

4-Factor Test for Determining Reportable Breaches

The rule requires a documented risk assessment using four factors to determine whether an impermissible use or disclosure of unsecured PHI is a reportable breach. If, after evaluating all four factors, the organization determines there is more than a low probability that the PHI has been compromised, the incident is a breach and notification is required.

1. Nature and Extent of PHI Involved

Organizations must consider the type of PHI involved and the likelihood that it could be used to harm the individual. This includes whether the PHI included identifiers such as names, Social Security numbers, driver's license numbers, financial information, diagnosis codes, or treatment details.

For example, a misdirected fax containing only limited, partially redacted information may present a lower risk than a spreadsheet with full demographic and financial data. Behavioral health, substance use disorder, HIV status, reproductive health, and other highly sensitive categories of data can significantly increase the risk of harm.

2. Unauthorized Person Who Received the PHI

Next, the organization evaluates who received or used the PHI. If the recipient is another HIPAA covered entity or business associate that is required to protect the information, the risk may be lower than if the PHI was disclosed to an individual, employer, media outlet, or unknown party.

Incidents where PHI is returned unopened, immediately destroyed, or never accessed can also lower the risk. However, where PHI is posted publicly, sent to the wrong patient, or accessed by someone with malicious intent, the risk is usually higher.

3. Whether the PHI Was Actually Acquired or Viewed

The organization must determine whether the PHI was actually acquired or viewed, or whether only the opportunity existed. For example, an email to the wrong address that bounces back undeliverable without being opened may present less risk than an email that was successfully delivered and opened.

System logs, access records, security alerts, and recipient statements are often used to determine whether PHI was actually accessed. Documenting this analysis supports the organization's conclusion if OCR later investigates the incident.

4. Extent to Which Risk Has Been Mitigated

Finally, organizations must evaluate the extent to which any potential risk has been reduced through mitigation. Examples include obtaining satisfactory assurances that the recipient deleted or destroyed the information, confirming that it was not further disclosed, or implementing measures such as password resets or credit monitoring.

Strong mitigation can reduce the probability that PHI has been compromised to a low level, potentially avoiding a reportable breach. However, mitigation does not erase the incident; it informs the risk assessment and must be carefully documented.

Notification Requirements

Once an incident is determined to be a reportable breach, HIPAA specifies who must be notified, how, and what must be included in the notice. The content and delivery of these notifications are just as important as timing, because OCR often reviews sample letters during investigations.

Notification to Affected Individuals

Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Notices must be written in plain language and sent by first-class mail to the individual's last known address, or by email if the individual has agreed to electronic notice.

The individual notice must include, at a minimum:

· A brief description of what happened, including the date of the breach and the date of discovery, if known.

· A description of the types of PHI involved (for example, name, date of birth, diagnosis, SSN).

· Any steps individuals should take to protect themselves.

· What the covered entity is doing to investigate, mitigate harm, and prevent future breaches.

· Contact information for individuals to ask questions or learn more.

If contact information for 10 or more individuals is out of date, the covered entity must provide substitute notice, such as posting on its website or through major print or broadcast media, depending on the size and nature of the breach.

Notification to the Secretary of HHS

Covered entities must notify the HHS Secretary of all breaches of unsecured PHI, but timing depends on the number of affected individuals. For breaches involving 500 or more individuals in a single state or jurisdiction, notice must be provided to HHS at the same time as individual notices, and no later than 60 days after discovery.

For breaches involving fewer than 500 individuals, covered entities may maintain a log and submit notice to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered. HHS provides an online breach portal ("Wall of Shame") where organizations submit these reports.

Notification to the Media

For breaches involving more than 500 residents of a state or jurisdiction, covered entities must also notify prominent media outlets serving that area. This notice must be provided without unreasonable delay and no later than 60 calendar days after discovery of the breach.

Media notice is intended as a form of substitute notice and must include the same core elements as individual notification, without disclosing unnecessary details. Many organizations coordinate media statements with legal counsel and public relations teams to ensure accuracy and consistent messaging.
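To make the timing and threshold logic of the preceding sections concrete, here is an added Python example (not code from this post or from Healthcare Compliance Pros) that turns the facts of an incident into a notification plan: the 60-day outer limit for individual notice, the HHS deadline by size of breach, media notice evaluated per state or jurisdiction, and substitute notice when 10 or more addresses are stale. It assumes the HHS 500-individual threshold is applied to the total affected count (as in the quick reference table below), and that the encryption safe-harbor and 4-factor determinations have already been made and documented; the three sample incidents are constructed, not real breaches.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds from the HIPAA Breach Notification Rule as summarized in this post.
NOTICE_WINDOW_DAYS = 60            # outer limit; "without unreasonable delay" still governs
HHS_IMMEDIATE_THRESHOLD = 500      # 500 or more individuals: HHS notified with individual notices
MEDIA_THRESHOLD = 500              # more than 500 residents of one state/jurisdiction: media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more stale addresses: substitute notice required


@dataclass
class BreachFacts:
    """Inputs an incident handler has after the initial investigation (hypothetical structure)."""
    discovery_date: date                        # first day the breach was known or should have been known
    residents_by_jurisdiction: Dict[str, int]   # affected residents per state/jurisdiction
    stale_addresses: int = 0                    # individuals whose contact information is out of date
    unsecured: bool = True                      # False only if the encryption safe harbor applies
    low_probability_of_compromise: bool = False # documented outcome of the 4-factor assessment


@dataclass
class NotificationPlan:
    reportable: bool = True
    reason: str = ""
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    media_deadlines: Dict[str, date] = field(default_factory=dict)
    substitute_notice_required: bool = False


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    """Derive which notices are owed, and their outer deadlines, from the breach facts."""
    plan = NotificationPlan()

    # Secured PHI or a documented low-probability finding: no notices are owed,
    # but the incident and the assessment must still be recorded.
    if not facts.unsecured:
        plan.reportable = False
        plan.reason = "PHI secured per HHS guidance (encryption safe harbor); document and stop"
        return plan
    if facts.low_probability_of_compromise:
        plan.reportable = False
        plan.reason = "4-factor assessment found low probability of compromise; document and stop"
        return plan

    outer_limit = facts.discovery_date + timedelta(days=NOTICE_WINDOW_DAYS)
    total_affected = sum(facts.residents_by_jurisdiction.values())

    plan.reason = "reportable breach of unsecured PHI"
    plan.individual_deadline = outer_limit

    # HHS: with the individual notices for large breaches, otherwise within 60 days of year-end.
    if total_affected >= HHS_IMMEDIATE_THRESHOLD:
        plan.hhs_deadline = outer_limit
    else:
        year_end = date(facts.discovery_date.year, 12, 31)
        plan.hhs_deadline = year_end + timedelta(days=NOTICE_WINDOW_DAYS)

    # Media: evaluated per state/jurisdiction, not on the overall total.
    for jurisdiction, residents in facts.residents_by_jurisdiction.items():
        if residents > MEDIA_THRESHOLD:
            plan.media_deadlines[jurisdiction] = outer_limit

    plan.substitute_notice_required = facts.stale_addresses >= SUBSTITUTE_NOTICE_THRESHOLD
    return plan


# Constructed sample incidents (not real breaches).
LARGE_BREACH = BreachFacts(
    discovery_date=date(2026, 3, 10),
    residents_by_jurisdiction={"CA": 620, "NV": 40},
    stale_addresses=12,
)
SMALL_BREACH = BreachFacts(
    discovery_date=date(2026, 7, 1),
    residents_by_jurisdiction={"TX": 30},
    stale_addresses=2,
)
ENCRYPTED_LAPTOP = BreachFacts(
    discovery_date=date(2026, 7, 1),
    residents_by_jurisdiction={"TX": 300},
    unsecured=False,
)

if __name__ == "__main__":
    for label, facts in [("large", LARGE_BREACH), ("small", SMALL_BREACH), ("encrypted", ENCRYPTED_LAPTOP)]:
        print(label, plan_notifications(facts))
```

The deadlines the function returns are outer limits, not targets: the rule's "without unreasonable delay" standard means an organization that waits until day 60 without a documented reason is still exposed. Note also that the small-breach path yields an HHS deadline in the following calendar year (March 1, 2027 for a 2026 discovery), while the individual notice for the same breach is still due within 60 days of discovery.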

How Healthcare Compliance Pros Can Help

HIPAA breach response is not purely a legal exercise; it is operational, technical, and cultural. Healthcare Compliance Pros and similar compliance partners can support organizations in building and maintaining a practical, defensible breach notification program.

Key areas where a compliance partner can help include:

· Policy and procedure development: Ensuring written policies align with the HIPAA Breach Notification Rule, current OCR guidance, and your organization's structure.

· Risk assessment templates: Providing standardized tools for the 4-factor analysis and documentation of "low probability of compromise" determinations.

· Training and simulations: Educating workforce members on reporting incidents quickly, and running tabletop exercises to test your breach response plan.

· Business associate oversight: Reviewing BAAs to ensure appropriate breach reporting timelines and responsibilities.

· Incident coaching: Assisting with incident triage, OCR-facing documentation, and drafting notifications that meet content requirements.

Organizations that invest in these elements tend to have more consistent responses, fewer delays, and stronger defensibility during audits or investigations. This directly supports overall HIPAA compliance and helps protect patients, staff, and leadership.

Frequently Asked Questions (FAQ)

What is considered "unsecured PHI"?

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through technologies or methods approved by HHS, such as strong encryption or proper destruction. If PHI is properly encrypted or destroyed per HHS guidance, the Breach Notification Rule generally does not apply.

Does every privacy incident require notification?

No. Only breaches of unsecured PHI that result in more than a low probability of compromise after the 4-factor risk assessment require notification. However, all incidents must be evaluated and documented, even if the result is that no reportable breach occurred.

What is the deadline for notifying HHS of a small breach?

For breaches affecting fewer than 500 individuals, covered entities must report them to HHS no later than 60 days after the end of the calendar year in which they were discovered. For example, breaches discovered in 2026 must be reported by March 1, 2027 (60 days after December 31, 2026).

What happens if we miss the 60-day deadline?

Failure to provide timely breach notification can lead to OCR investigations, corrective action plans, and civil monetary penalties, depending on the level of negligence. OCR has taken enforcement actions specifically focused on delayed or incomplete breach notification.

Do business associates have to notify patients directly?

Under HIPAA, business associates must notify the covered entity of breaches of unsecured PHI and provide information the covered entity needs to notify individuals, HHS, and the media. Some contracts may assign additional obligations, so it is important to review business associate agreements carefully.

Quick Reference Table: Key HIPAA Breach Notification Elements

Requirement | Standard | Timing
--- | --- | ---
Individual notification | Written notice to affected individuals in plain language | Without unreasonable delay, ≤ 60 days
HHS notification (≥ 500 individuals) | Online report to Secretary of HHS | Same as individual notice, ≤ 60 days
HHS notification (< 500 individuals) | Year-end log submitted to HHS | Within 60 days after year-end
Media notification | Notice to prominent media outlets in state/jurisdiction | Without unreasonable delay, ≤ 60 days
Business associate to covered entity | Notice with details of breach | Without unreasonable delay, ≤ 60 days (or per BAA)
Encryption safe harbor | No notice if PHI encrypted per HHS guidance and key not compromised | Not applicable

If you think about your own organization's incident response today, what is the one step in this breach notification process you are least confident about (for example, the 4-factor analysis, timelines, documentation, or media notice), and why?