The HIPAA Breach Notification Rule, Explained
6 min read · Last reviewed May 22, 2026
What counts as a breach
The Breach Notification Rule lives at 45 CFR Part 164 Subpart D. The definition of breach at 164.402 is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
That "compromises" phrase is the trigger. The 2013 Omnibus final rule replaced the older harm-threshold standard with a four-factor analysis. A presumption of breach applies unless the covered entity demonstrates a low probability that the PHI has been compromised through the four factors.
The four factors are:
- The nature and extent of the PHI involved, including identifiers and likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated.
The analysis must be documented. If the four-factor analysis concludes there is a low probability of compromise, the incident is not a breach and no notification is required, but the analysis itself is retained for six years under 164.530(j)) and the parallel security-side retention at 164.316(b)).
When the safe harbor applies
If the PHI involved was rendered unusable, unreadable, or indecipherable per the HHS Guidance to Render Unsecured PHI Unusable — usually meaning the PHI was encrypted at the time of the incident — it is not "unsecured PHI" under 164.402 and the Breach Notification Rule does not apply. This is why endpoint and laptop encryption matter so much.
The three exclusions
Section 164.402 carves out three categories that are not breach:
- Unintentional access by a workforce member acting in good faith within the scope of authority, with no further use or disclosure.
- Inadvertent disclosure between two authorized people at the same covered entity or business associate, with no further use or disclosure.
- Disclosure where the covered entity has a good-faith belief the unauthorized recipient would not reasonably have been able to retain the PHI.
Document the conclusion when one of these applies. The exclusions are narrow and OCR scrutinizes them.
Individual notice: 60 days, plain language, specific elements
45 CFR 164.404 sets the rule for notice to affected individuals. The notice must go out without unreasonable delay and in no case later than 60 calendar days from discovery. "Discovery" means the first day on which the breach is known, or should reasonably have been known, by any workforce member other than the person who committed the breach.
Required content of the notice at 164.404(c)):
- A brief description of what happened, including date of breach and date of discovery
- A description of the types of unsecured PHI involved
- Steps individuals should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate, mitigate, and prevent recurrence
- Contact procedures for further questions (toll-free number, email, website, or postal address)
Delivery is by first-class mail to the last known address, or by email if the individual has agreed to electronic notice. Substitute notice procedures apply when contact info is insufficient for 10 or more individuals — see 164.404(d)).
HHS Secretary notice
Two paths at 164.408:
- 500 or more individuals affected: notify the Secretary contemporaneously with the individual notice, no later than 60 days after discovery, through the HHS Breach Reporting form.
- Fewer than 500 individuals affected: log the incident and submit an annual report no later than 60 days after the end of the calendar year. The same online form is used.
Breaches affecting 500 or more individuals in a state or jurisdiction also require notice to prominent media outlets serving that area under 164.406.
Business associate obligations
A business associate that discovers a breach must notify the covered entity without unreasonable delay and in no case later than 60 days from discovery, under 164.410. The covered entity still owns the notification to individuals, HHS, and (where applicable) the media. The BAA at 164.504(e)) typically tightens the BA notice clock and assigns roles.
Law enforcement delay
164.412 permits a delay in notice when law enforcement determines that notification would impede a criminal investigation or cause damage to national security. The delay must be documented and is limited in scope.
The small-practice breach log
A defensible breach response program maintains:
- An incident intake form
- A four-factor analysis worksheet
- A notification template (individual, HHS, media as applicable)
- A breach log for fewer-than-500 incidents, queued for annual submission
- Workforce training on what to escalate and to whom
- A reconciliation against the BAA log so business associate-side incidents are captured
What OCR sees most often
OCR's published Resolution Agreements repeatedly cite:
- Late individual notice
- Late HHS notice
- Absent or inadequate four-factor analysis
- No documented mitigation
- No prior risk analysis identifying the asset that was breached
The Breach Notification Rule is a documentation exercise on top of an underlying privacy and security program. The notice itself is not the deliverable; the deliverable is the full record of the analysis, the notification, and the corrective action.
Restraint about claims
No vendor tool or playbook prevents breaches in absolute terms. Encryption and good controls reduce the probability and the consequences. A practice's job is to maintain the program, document the response, and learn from each incident.
How D3rx fits
D3rx SRA Binder Studio includes the breach-incident workflow, the four-factor analysis worksheet, the fewer-than-500 log, and references back to the HHS notification portal. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance of every analysis and notification.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR Part 164 Subpart Dhttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
- 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
- 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
- Guidance to Render Unsecured PHI Unusablehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
- 45 CFR 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 164.404(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(c
- 164.404(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(d
- 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- Breach Reporting formhttps://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
- 164.406https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.406
- 164.410https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.410
- 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
- 164.412https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.412
- OCR's published Resolution Agreementshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
What to Do If You Get an OCR Audit Letter
5 min readTechnical SafeguardsHIPAA Encryption Requirements for ePHI
5 min readFoundationsHIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readAudits and EnforcementChange Healthcare Ransomware: What Small Practices Took Away
6 min readRelated across the archive
- SRAChange Healthcare Ransomware: What Small Practices Took AwayThe February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
- SRAWhat to Do If You Get an OCR Audit LetterA step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
- SRAHIPAA Encryption Requirements for ePHIWhat the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- ComplianceHHS HIPAA Breach Portal: How to File a Breach NotificationFiling through ocrportal.hhs.gov is the single most-visible compliance act a practice ever performs. Here is the form, the numbers, and the choices that drive the OCR response.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA HHS and Media Breach Notification (45 CFR 164.406-408)Notification timing and content for HHS (annual for smaller breaches, 60 days for 500+) and the prominent media (500+ in a state or jurisdiction).
- ComplianceHIPAA Breach Notification: The 60-Day Window Step-by-StepFrom discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.