HIPAA Breach Notification Rule
The federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Primary sources
- 6
- Workspace handoff
- compliance binder →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
The Breach Notification Rule requires written notice to each affected individual without unreasonable delay and no later than 60 days after discovery, plus notice to HHS via the OCR breach portal. Breaches affecting 500+ residents of a state also trigger media notice.
How it shows up in your practice
Discovery triggers the 60-day clock. Run the four-factor risk assessment at 45 CFR 164.402 to decide whether an impermissible use is a reportable breach. Keep an incident response plan ready so you don't lose the first day debating what counts.
Sources
- 45 CFR Part 164 Subpart D — Breach notificationhttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- 45 CFR 164.402 — Breach definitionshttps://www.ecfr.gov/current/title-45/section-164.402
- 45 CFR 164.404 — Notification to individualshttps://www.ecfr.gov/current/title-45/section-164.404
- 45 CFR 164.408 — Notification to HHShttps://www.ecfr.gov/current/title-45/section-164.408
- HHS — Breach Notification Rulehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- HHS OCR — Breach Reporting Portalhttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Use the breach response playbook in the Compliance Binder
Open compliance binder →Related terms
- HIPAA & PrivacyBreach of Unsecured PHIAn impermissible use or disclosure of PHI that is presumed to be a breach unless a four-factor risk assessment shows a low probability that PHI was compromised.
- SecurityIncident Response PlanThe documented plan describing how a covered entity detects, contains, eradicates, and recovers from a security incident.
- HIPAA & PrivacyFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- HIPAA & PrivacyHIPAA Privacy RuleThe federal regulation at 45 CFR Part 164 Subpart E that governs the use and disclosure of PHI.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryBreach of Unsecured PHIAn impermissible use or disclosure of PHI that is presumed to be a breach unless a four-factor risk assessment shows a low probability that PHI was compromised.
- GlossaryFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- GlossaryHIPAA Privacy RuleThe federal regulation at 45 CFR Part 164 Subpart E that governs the use and disclosure of PHI.
- GlossaryIncident Response PlanThe documented plan describing how a covered entity detects, contains, eradicates, and recovers from a security incident.
- RegulationHIPAA HHS and Media Breach Notification (45 CFR 164.406-408)Notification timing and content for HHS (annual for smaller breaches, 60 days for 500+) and the prominent media (500+ in a state or jurisdiction).
- ComplianceHHS HIPAA Breach Portal: How to File a Breach NotificationFiling through ocrportal.hhs.gov is the single most-visible compliance act a practice ever performs. Here is the form, the numbers, and the choices that drive the OCR response.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.