Breach Notification Procedure
HIPAA Rule: §164.400–414 (Breach Notification Rule)
Purpose
Define the process for determining whether a security incident involving protected health information (PHI) constitutes a reportable breach under the HIPAA Breach Notification Rule, and for notifying affected individuals, HHS, the media, and (where we act as a business associate) the covered entity within the required timeframes.
What Constitutes a Breach
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. Only unsecured PHI is in scope for notification.
Not a breach:
- Secured PHI: PHI that was encrypted, at rest or in transit, in a manner consistent with HHS guidance (NIST-referenced encryption standards), where the decryption key was not also compromised. This is not one of the statutory exceptions; encrypted PHI is simply not "unsecured PHI", so the Breach Notification Rule does not apply to it. Before relying on this, verify that the key was genuinely out of reach (e.g., not stored on the same lost device, not part of the same compromised credential set).
- Unintentional acquisition, access, or use of PHI by a workforce member or a person acting under our authority, made in good faith and within the scope of that authority, provided the PHI is not further used or disclosed in an impermissible manner.
- Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, provided the PHI is not further used or disclosed in an impermissible manner.
- A disclosure where we have a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
Breach Assessment (4-Factor Test)
An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless we can demonstrate a low probability that the PHI has been compromised. Evaluate each incident against the four factors in §164.402(2):
- Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification (a Social Security number or diagnosis weighs more heavily than a name alone)
- The unauthorized person who used the PHI or to whom it was disclosed, including whether that person is known and is themselves bound by HIPAA (e.g., another covered entity) versus an unknown external party
- Whether the PHI was actually acquired or viewed, or only exposed to the opportunity (e.g., a recovered device that forensic examination shows was never unlocked)
- The extent to which the risk to the PHI has been mitigated, e.g., the credential was revoked, the device was recovered, or the recipient provided satisfactory written assurance that the data was destroyed
If all four factors together support a low probability of compromise, document the rationale and the incident is not reportable. If the probability is unclear or significant, the presumption stands: treat the incident as a reportable breach.
Notification Timelines
| Recipient | Timeline | Requirement |
|---|---|---|
| Affected individuals | Without unreasonable delay, and no later than 60 calendar days after discovery | Written notice in plain language by first-class mail (or email if the individual has agreed); substitute notice if contact information is insufficient or out of date (for 10 or more individuals: conspicuous website posting or major media notice for 90 days plus a toll-free number active for 90 days) |
| HHS | Without unreasonable delay, no later than 60 calendar days after discovery, contemporaneous with individual notice (if ≥500 individuals) | Submission via the HHS breach reporting portal |
| HHS (annual log) | Within 60 days after the end of the calendar year in which the breach was discovered (if <500 individuals) | Log submission via the HHS breach reporting portal |
| Prominent media outlets | Without unreasonable delay, no later than 60 calendar days after discovery (if ≥500 residents of a state or jurisdiction) | Press release |
| Covered entity (when we act as a business associate) | Without unreasonable delay, no later than 60 calendar days after discovery, or sooner if the BAA requires | Per BAA terms; include the identity of each affected individual where known |
"Discovery" means the first day the breach is known to us, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed it (§164.404(a)(2)). The 60-day limit is an outer bound, not a target; waiting out the full 60 days without justification is itself an unreasonable delay. A documented law-enforcement request is the only basis for delaying notification beyond these limits (§164.412).
Notification Content (Individuals)
Breach notices to individuals must be written in plain language and include (§164.404(c)):
- A brief description of what happened, including the date of the breach and the date of discovery, if known
- The types of unsecured PHI involved (e.g., full name, Social Security number, date of birth, home address, account number, diagnosis, disability code)
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what we are doing to investigate the breach, mitigate harm, and protect against further breaches
- Contact procedures for questions, which must include a toll-free telephone number, an email address, website, or postal address
Escalation Path
Incident detected
│
▼
Incident Commander notified (within 1 hour)
│
▼
Legal / Compliance notified (within 4 hours for P1/P2)
│
▼
4-Factor breach assessment (within 24 hours)
│
├── NOT a breach → document the low-probability rationale and close
│
└── IS a breach → notify without unreasonable delay, no later than 60 days from discovery
The 60-day clock starts at discovery (the first day the incident was, or reasonably should have been, known to any workforce member or agent), not at completion of the assessment, so the assessment window above counts against it.
Documentation
All breach determinations, including "not a breach" conclusions and the 4-factor rationale supporting them, together with copies of all notifications sent, must be documented and retained for 6 years (§164.530(j)). Under §164.414(b) the burden of proof is on us to demonstrate either that all required notifications were made or that the use or disclosure did not constitute a breach; an undocumented determination cannot meet that burden.