
HIPAA Breach Notification Rule: What to Do When ePHI is Compromised

By nazy rafaeil
30 May 2026

The moment a medical practice discovers that patient data may have been exposed, the clock starts. A laptop goes missing, an email is sent to the wrong recipient, a staff member clicks a phishing link, or a ransomware alert appears on a screen. In that moment, what your practice does next is governed by a specific and unforgiving set of federal requirements. The HIPAA Breach Notification Rule defines what counts as a breach, who you must tell, how quickly, and what happens if you get it wrong. Many practice owners have never read it end to end, and that is understandable, because it is buried in regulation. But a breach is the worst possible time to learn the rule for the first time. This guide walks through the entire process in plain terms: how to tell whether an incident is actually a reportable breach, the exact notifications required, the deadlines that apply, and the steps that protect your practice when ePHI is compromised.

What the HIPAA Breach Notification Rule Actually Requires

The HIPAA Breach Notification Rule is the part of HIPAA, found at 45 CFR sections 164.400 through 164.414, that governs what an organization must do after a breach of unsecured protected health information. It applies to covered entities, such as medical and dental practices, and to their business associates, the outside vendors that handle patient data on their behalf.

One word in that definition does a lot of work: unsecured. The rule is only triggered by a breach of unsecured protected health information, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized people through encryption or proper destruction. This is the single most important practical fact in the entire rule. If a stolen laptop was properly encrypted, the data on it is considered secured, and in most cases the loss does not trigger breach notification at all. Encryption is not just a security best practice. It is a direct form of breach-notification insurance, and it works best alongside tested data backup and disaster recovery so that securing data never means losing access to it.

When unsecured PHI is compromised, the rule requires notification of three possible audiences: the affected individuals, the federal government through the Department of Health and Human Services, and in some cases the media. Failing to notify properly is itself a separate HIPAA violation, distinct from the breach that caused it. In other words, mishandling the response can turn one problem into two.


Is It Actually a Breach? The Risk Assessment

Not every mistake involving patient data is a reportable breach. Before any notification clock is triggered, the HIPAA Breach Notification Rule requires you to determine whether the incident genuinely qualifies. The rule sets an important default: any impermissible use or disclosure of unsecured PHI is presumed to be a breach. The burden is on your practice to demonstrate otherwise.

To overcome that presumption, you must conduct and document a risk assessment showing there is a low probability that the PHI was compromised. The rule specifies four factors that the assessment must weigh:

  1. The nature and extent of the PHI involved. What types of information were exposed, and how easily could an individual be re-identified from it? A full record with diagnoses and Social Security numbers is far more sensitive than an appointment time alone.
  2. Who used or received the PHI. Disclosure to another HIPAA-covered organization that is itself bound by privacy obligations carries different risk than disclosure to an unknown party.
  3. Whether the PHI was actually acquired or viewed. There is a meaningful difference between data that was provably accessed and data that was merely exposed but, on the evidence, never actually seen.
  4. The extent to which the risk has been mitigated. Steps such as quickly recovering the data or obtaining credible assurances it was destroyed can lower the assessed risk.

If the documented assessment shows a low probability of compromise, the incident may not require notification. If it does not, the incident is a breach and the notification requirements apply. Either way, the assessment itself must be written down and retained.


The Three Exceptions to the Breach Definition

The rule also recognizes three narrow situations that are not treated as breaches even though they involve impermissible access. These are: a good-faith, unintentional access by a workforce member acting within their authority; an inadvertent disclosure between two people both authorized to access PHI at the same organization; and a disclosure where the practice has a good-faith belief the unauthorized person could not reasonably have retained the information. These exceptions are genuinely narrow, and a practice should apply them carefully rather than using them to avoid notification.

Who You Must Notify, and When

Once an incident is confirmed as a breach, the HIPAA Breach Notification Rule defines distinct notification tracks. The deadlines depend on the size of the breach, and the clock starts on the date the breach is discovered, which is the day it is known or, by exercising reasonable diligence, should have been known.


Notifying Affected Individuals

Every individual whose unsecured PHI was breached must be notified without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Notification is normally sent by first-class mail, or by email if the individual has previously agreed to electronic notice. If your practice has out-of-date contact information for 10 or more affected individuals, you must provide substitute notice, such as a conspicuous posting on your website for 90 days or notice in major print or broadcast media.

Notifying the Department of Health and Human Services

All breaches of unsecured PHI must be reported to HHS through its Office for Civil Rights, but the timing depends on scale. This is the split that practices most often get wrong:

  • Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, on the same timeline as individual notification.
  • Breaches affecting fewer than 500 individuals may be logged and reported to HHS on an annual basis. These smaller breaches must be submitted no later than 60 days after the end of the calendar year in which they were discovered, which in practice means a reporting deadline of March 1 each year.

Notifying the Media

If a breach affects more than 500 residents of a single state or jurisdiction, the practice must also notify prominent media outlets serving that area. This media notice follows the same 60-day outer limit and is in addition to individual and HHS notification, not a replacement for either. The threshold is per state, so a breach affecting 600 residents of one state triggers the media requirement for that state even if the total breach is larger and spread across several.
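The three notification tracks above, together with the discovery-date definition (known, or should have been known with reasonable diligence), can be turned into a simple deadline planner that a response team can run the day an incident is confirmed. The following Python is an added example, not code from the article or from GlobeVM; the thresholds and 60-day windows come from the text, the breach scenarios are constructed inputs, and the annual HHS deadline is computed literally as 60 days after 31 December, which gives the March 1 date the text cites in a year such as 2027 (in a leap year the same arithmetic lands on 29 February). The four-factor risk assessment is deliberately not modelled; the planner only gates on whether the PHI was secured.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and windows as stated in the article.
NOTICE_WINDOW_DAYS = 60            # outer limit for individual, large-breach HHS and media notice
HHS_IMMEDIATE_THRESHOLD = 500      # 500 or more individuals: report to HHS on the 60-day track
MEDIA_THRESHOLD_PER_STATE = 500    # more than 500 residents of one state: notify that state's media
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more stale addresses: substitute notice required


@dataclass
class BreachFacts:
    """Facts established during the response (constructed inputs, not real cases)."""
    known_on: date                      # day the practice actually learned of the incident
    should_have_known_on: date          # earliest day reasonable diligence would have revealed it
    affected_by_state: dict[str, int]   # state code -> affected residents of that state
    stale_contacts: int = 0             # affected individuals with out-of-date contact information
    phi_secured: bool = False           # True if the PHI was encrypted or destroyed to the standard


@dataclass
class NotificationPlan:
    discovered_on: date
    individuals_due: date
    hhs_due: date
    hhs_track: str                      # "60-day" or "annual-log"
    media_states: list[str] = field(default_factory=list)
    substitute_notice_required: bool = False


def discovery_date(facts: BreachFacts) -> date:
    """The clock starts when the breach is known or should have been known, whichever is earlier."""
    return min(facts.known_on, facts.should_have_known_on)


def total_affected(facts: BreachFacts) -> int:
    return sum(facts.affected_by_state.values())


def plan_notifications(facts: BreachFacts) -> NotificationPlan | None:
    """Return the deadline for each notification track, or None when the PHI was secured.

    A secured-PHI loss is outside the rule. An unsecured one is presumed a breach; the
    documented four-factor risk assessment (not modelled here) is the only other way out.
    """
    if facts.phi_secured:
        return None

    discovered = discovery_date(facts)
    outer_limit = discovered + timedelta(days=NOTICE_WINDOW_DAYS)

    if total_affected(facts) >= HHS_IMMEDIATE_THRESHOLD:
        hhs_due, track = outer_limit, "60-day"
    else:
        # Small breaches go on the annual log: due 60 days after the end of the discovery year.
        year_end = date(discovered.year, 12, 31)
        hhs_due, track = year_end + timedelta(days=NOTICE_WINDOW_DAYS), "annual-log"

    # Media notice is assessed per state, independent of the total size of the breach.
    media_states = sorted(
        state for state, count in facts.affected_by_state.items()
        if count > MEDIA_THRESHOLD_PER_STATE
    )

    return NotificationPlan(
        discovered_on=discovered,
        individuals_due=outer_limit,
        hhs_due=hhs_due,
        hhs_track=track,
        media_states=media_states,
        substitute_notice_required=facts.stale_contacts >= SUBSTITUTE_NOTICE_THRESHOLD,
    )


# Constructed scenarios for illustration only.
LARGE_BREACH = BreachFacts(
    known_on=date(2026, 6, 2),
    should_have_known_on=date(2026, 5, 30),   # alert fired on 30 May but was triaged late
    affected_by_state={"CA": 620, "NV": 40},
    stale_contacts=12,
)
SMALL_BREACH = BreachFacts(
    known_on=date(2026, 5, 30),
    should_have_known_on=date(2026, 5, 30),
    affected_by_state={"CA": 300},
    stale_contacts=3,
)
ENCRYPTED_LAPTOP = BreachFacts(
    known_on=date(2026, 5, 30),
    should_have_known_on=date(2026, 5, 30),
    affected_by_state={"CA": 2000},
    phi_secured=True,
)

if __name__ == "__main__":
    for name, facts in [("large", LARGE_BREACH), ("small", SMALL_BREACH), ("encrypted", ENCRYPTED_LAPTOP)]:
        print(name, plan_notifications(facts))
```

Note that in the large scenario the clock runs from 30 May, the date the alert should have been acted on, not from 2 June when staff actually looked at it; losing three days of a 60-day window is exactly the kind of slip a planner like this makes visible. State law may impose shorter deadlines on top of these federal dates, so the output is a floor, not the whole calendar.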

When a Business Associate Discovers the Breach

If the breach happens at one of your vendors, the business associate must notify your practice, generally within 60 days of discovery, though many Business Associate Agreements contractually require much faster notice, often 24 to 72 hours. The covered entity, your practice, then carries the obligation to notify individuals, HHS, and the media as applicable. This is one reason a well-written BAA matters: it determines how quickly you learn about a breach you did not cause but must still report.

The 2026 Proposed 72-Hour Rule: What Is and Is Not Required

This is the area where accuracy matters most, because it is widely misreported. You may have read that HIPAA now requires breach notification within 72 hours. As of mid-2026, that is not accurate. The proposed overhaul of the HIPAA Security Rule, published as a Notice of Proposed Rulemaking in January 2025, would introduce a faster notification requirement for certain security incidents, considerably tighter than the current 60-day individual-notification timeline.

The key word is proposed. That rule has not been finalized and is not yet law. The current, legally binding deadline for notifying affected individuals and reporting large breaches to HHS remains 60 days from discovery. A practice should not act as though a 72-hour federal mandate already exists, because it does not. At the same time, the direction of travel is clear, and practices that build the capability to detect and respond to incidents quickly will be well positioned if and when a shorter timeline becomes law. Treating fast detection as a goal now is sensible. Treating the 72-hour figure as a current legal requirement is not.


State Laws Can Be Stricter Than HIPAA

HIPAA sets a federal floor, not a ceiling. Many states have their own data breach notification laws, and they can impose obligations stricter than the federal rule. Some states require notification in a shorter window than 60 days. Some require notice to the state attorney general in addition to affected individuals. Some define personal information more broadly than HIPAA does, which can create notification duties even where the federal rule alone might not.

When a state law and HIPAA both apply, your practice must satisfy both, and where they conflict, the stricter standard governs. For practices in California, this is a live concern. The state's Confidentiality of Medical Information Act and its broader breach notification statutes add real obligations on top of HIPAA, including exposure to lawsuits from affected individuals. A breach response built only around the federal timeline can still fall short of California law, which is why local knowledge is a genuine asset when planning a response.


What to Do When ePHI Is Compromised: A Step-by-Step Response

When an incident is discovered, a calm, ordered response protects both your patients and your practice. The following sequence reflects how a sound breach response unfolds.

  1. Contain the incident first. Before anything else, stop the exposure from continuing. Disconnect an affected device, disable a compromised account, or recall a misdirected message. Containment limits the scope of the breach and counts as mitigation in your later risk assessment.
  2. Preserve the evidence. Do not wipe or rebuild affected systems prematurely. Logs, system images, and records of what happened are essential for the risk assessment and for any investigation. Note the date and time of discovery, because that is when your clock starts.
  3. Assemble your response team. Bring together the people who need to act: practice leadership, your designated HIPAA security or privacy official, your IT or security provider, and, for a serious incident, legal counsel.
  4. Conduct and document the four-factor risk assessment. Work through the factors described earlier to determine whether the incident is a reportable breach. Write down the analysis and the conclusion regardless of the outcome.
  5. Identify everyone affected. Determine precisely whose PHI was involved and how to contact them. This drives both the content and the method of notification.
  6. Issue the required notifications within the deadlines. Notify affected individuals, HHS, and, where the threshold is met, the media, following the timelines and the content requirements covered below.
  7. Remediate the root cause. Fix the underlying weakness that allowed the breach, whether that is a technical gap, a missing control, or a training failure. Many breaches begin with preventable causes such as phishing and unpatched systems, so layered cybersecurity solutions are central to making sure the same incident does not recur. OCR pays close attention to whether a practice corrected the problem.
  8. Document the entire response. Retain every record of the incident, the assessment, the notifications, and the corrective action for at least six years.

What a Breach Notification Letter Must Contain

The notification sent to affected individuals is not free-form. The HIPAA Breach Notification Rule requires it to include, in plain language, a description of what happened and the date of the breach and its discovery, the types of PHI involved, the steps individuals should take to protect themselves, what the practice is doing to investigate and mitigate the breach and prevent a recurrence, and contact information for individuals to ask questions. A letter that omits these elements does not satisfy the rule even if it was sent on time.

How to Reduce Both the Risk and the Cost of a Breach

The best breach response is the one you never have to execute, and the second best is one you have prepared for in advance. Two themes run through everything above, and both are within a practice's control.

The first is encryption. Because the entire rule turns on the word unsecured, properly encrypted PHI that is lost or stolen generally does not trigger notification at all. Encrypting data on laptops, mobile devices, backups, and in transit is the most powerful single step a practice can take to shrink its breach exposure. The second is preparation. A practice that has a written incident response plan, knows who is on its response team, and has rehearsed its recovery process will respond faster, more calmly, and more defensibly than one improvising under pressure. Embedding breach readiness into ongoing compliance and risk management services keeps the plan current rather than letting it gather dust.

GlobeVM is a managed IT and cybersecurity firm serving small and mid-sized businesses across the Los Angeles area, with CCSP-certified expertise and a practical focus on HIPAA compliance. That local presence matters here, because a California practice must satisfy both the federal HIPAA Breach Notification Rule and stricter state obligations, and a response plan built for one without the other leaves a gap.

Frequently Asked Questions

How quickly must a HIPAA breach be reported?

Affected individuals must be notified within 60 calendar days of discovering the breach. Breaches affecting 500 or more individuals must also be reported to HHS within 60 days. Breaches affecting fewer than 500 individuals can be reported to HHS annually, by 60 days after the end of the calendar year, which works out to a March 1 deadline. The proposed 72-hour timeline discussed in 2026 is not yet law.

Is every impermissible disclosure of PHI a reportable breach?

No. An impermissible use or disclosure of unsecured PHI is presumed to be a breach, but a practice can overcome that presumption with a documented four-factor risk assessment showing a low probability that the information was compromised. The rule also recognizes three narrow exceptions. The assessment must be written down and retained regardless of the conclusion.

Does encryption change whether a breach must be reported?

Yes, significantly. The HIPAA Breach Notification Rule applies only to unsecured PHI. If data is properly encrypted to federal standards, it is considered secured, and its loss or theft generally does not trigger notification at all. This makes encryption one of the most effective steps a practice can take to limit its breach exposure.

What happens if a practice fails to notify on time?

Failing to provide timely, complete breach notification is itself a HIPAA violation, separate from the breach that caused it. HHS enforces the rule through a four-tier penalty structure based on culpability, with amounts adjusted annually for inflation. Late or inadequate notification can therefore compound a single incident into two distinct violations.

If you want confidence that your practice could respond correctly to a breach before one ever happens, a breach-readiness review with a knowledgeable local partner is the most direct way to find the gaps in your plan while there is still time to fix them.
