In 2017, Presence Health paid $475,000 to the Office for Civil Rights after a single mistake: they waited too long to notify patients about a breach affecting roughly 836 individuals. Not a massive hack. Not a coordinated attack. Paper records containing PHI were found missing from an operating room, and the organization simply didn't tell anyone fast enough. That delay — just a few weeks past the 60-day deadline — turned a manageable incident into a six-figure settlement.
So what is the purpose of the HIPAA breach notification rule, exactly? It exists to make sure patients find out when their protected health information has been compromised — and that they find out quickly enough to do something about it. If you work in healthcare, health IT, or any organization that handles PHI, understanding this rule isn't optional. It's the guardrail between a contained incident and a regulatory catastrophe.
What Is the Purpose of the HIPAA Breach Notification Rule?
The breach notification rule, codified under 45 CFR Part 164, Subpart D, has one core purpose: to ensure that individuals, the Department of Health and Human Services (HHS), and in some cases the media are notified when unsecured PHI is breached. It shifts the power dynamic. Without it, organizations could quietly bury incidents while affected patients remained oblivious.
The rule applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — as well as their business associates. If you touch PHI, the breach notification rule touches you.
The Three Audiences You Must Notify
The rule doesn't just say "tell someone." It specifies exactly who must be told and when:
- Affected individuals: Written notice within 60 days of discovering the breach. If you don't have current contact info for 10 or more people, you must post a conspicuous notice on your website or alert major media outlets.
- HHS / OCR: If the breach affects 500 or more individuals, you must notify HHS simultaneously — within 60 days. For breaches affecting fewer than 500, you can report annually, but the reports still must be filed.
- Media: If 500 or more individuals in a single state or jurisdiction are affected, you must notify prominent media outlets serving that area. This is the provision most organizations don't know about until it's too late.
Why Congress Mandated This Rule
Before the HITECH Act of 2009 added the breach notification requirements, there was no federal obligation for a covered entity to disclose a PHI breach. A hospital could lose a laptop containing 50,000 patient records and face no legal pressure to tell anyone. Patients would never know their Social Security numbers, diagnoses, or treatment histories had been exposed.
Congress recognized that silence was a form of harm. When patients don't know their data has been compromised, they can't freeze credit, watch for identity theft, or question suspicious medical bills. The breach notification rule exists to close that gap — to give individuals the information they need to protect themselves.
It also creates accountability. Every breach reported to HHS for 500+ individuals lands on the HHS Breach Portal — commonly called the "Wall of Shame." That public exposure creates a powerful incentive for organizations to invest in prevention rather than scramble through notification.
The $4.3 Million Mistake: What Happens When You Ignore It
I've seen organizations treat the breach notification rule like a suggestion. It isn't. OCR has made that painfully clear through enforcement.
In 2019, the University of Texas MD Anderson Cancer Center lost a court battle with HHS over three breaches involving unencrypted devices — a stolen laptop and two lost USB drives. The administrative law judge upheld $4.3 million in civil monetary penalties. A key issue: MD Anderson's delayed and inadequate response compounded the severity of the violations. The organization argued the data wasn't truly "unsecured," but OCR disagreed.
Presence Health's $475,000 settlement, mentioned earlier, was specifically about untimely notification — the first enforcement action of its kind solely targeting the 60-day notification deadline. The message from OCR was unmistakable: timing matters as much as transparency.
What "Unsecured PHI" Actually Means
The breach notification rule applies specifically to unsecured PHI. If you've rendered PHI unusable, unreadable, or indecipherable through methods specified by HHS — primarily encryption meeting NIST standards or physical destruction — then the notification requirements don't apply, even if a breach occurs.
This is the single most effective safe harbor in HIPAA. Encrypt ePHI at rest and in transit, and a stolen laptop becomes a hardware loss instead of a reportable breach. I've watched this distinction save organizations millions of dollars and months of regulatory headaches.
The 60-Day Clock Starts Sooner Than You Think
Here's where organizations consistently get burned. The 60-day notification window doesn't start when your CEO learns about the breach. It starts when any member of your workforce — or any agent acting on your behalf — first discovers it or reasonably should have discovered it.
That means a night-shift medical records clerk who notices files in the wrong patient's folder has triggered the clock. A business associate's IT admin who spots unauthorized access to a database has triggered the clock. If your incident response process takes three weeks just to escalate to leadership, you've already burned half your window.
This is exactly why I push organizations to train every employee on what a potential breach looks like and where to report it internally. If your frontline staff doesn't recognize a breach, your compliance team can't respond to one. Our First 60 Minutes: Incident Response training walks teams through exactly what those early minutes and hours should look like — because that's when the most consequential decisions get made.
Breach Notification vs. Breach Prevention: You Need Both
The breach notification rule is a response mechanism. It assumes something has already gone wrong. But the pattern I see in OCR enforcement actions is that notification failures rarely exist in isolation. They sit alongside weak risk analyses, poor access controls, absent encryption, and undertrained staff.
Take phishing. According to HHS, email-related breaches remain among the most common vectors for unauthorized PHI access. An employee clicks a malicious link, credentials are harvested, and threat actors access ePHI — sometimes for weeks before detection. The breach notification obligation kicks in at discovery. But the real failure happened when that employee couldn't distinguish a phishing email from a legitimate one.
That's why workforce training isn't a box-checking exercise. It's a frontline control. Our phishing training for healthcare workers is built around real healthcare-specific attack scenarios — because generic cybersecurity awareness doesn't cut it when attackers are targeting patient portals and insurance claims systems.
What a Proper Breach Notification Includes
The rule doesn't just require you to notify — it prescribes what the notification must contain. Miss any of these elements and OCR may find your notification deficient:
- A description of the breach, including the types of information involved (diagnoses, Social Security numbers, insurance IDs, etc.)
- The steps individuals should take to protect themselves — credit monitoring, fraud alerts, changing passwords
- What your organization is doing to investigate, mitigate harm, and prevent recurrence
- Contact information, including a toll-free number for individuals to ask questions
Vague language like "some of your information may have been accessed" doesn't meet the standard. OCR expects specificity. Patients deserve it.
The Four-Factor Risk Assessment You Must Conduct
Not every impermissible use or disclosure of PHI qualifies as a breach requiring notification. The rule includes a risk assessment with four factors to determine whether notification is necessary:
- Nature and extent of the PHI involved: Does it include direct identifiers? Clinical information? Financial data?
- Who received or accessed the information: Was it another covered entity bound by HIPAA, or an unknown external party?
- Whether the PHI was actually acquired or viewed: A misdirected fax returned unopened carries different risk than one read by the wrong recipient.
- Extent of mitigation: Did you obtain assurances that the information was destroyed or not retained?
If, after analyzing all four factors, you determine there's a low probability that PHI was compromised, you may not need to notify. But document everything. OCR will second-guess conclusions that aren't backed by a thorough, written analysis.
Your Breach Notification Readiness Checklist
I've audited organizations that had pristine privacy policies on paper but no operational capacity to actually execute a breach notification. Here's what readiness looks like in practice:
- A written incident response plan that names specific roles and escalation paths — not just "notify the privacy officer"
- Template notification letters pre-approved by legal counsel, ready to customize and send
- A media communication plan for large-scale breaches
- Workforce training that ensures every employee knows how to recognize and report a potential breach
- Encryption deployed across all devices and transmission channels that handle ePHI
- Relationships with forensic investigators and breach counsel established before you need them
If any of those pieces are missing, you're not prepared. You're hoping. And hope is not a compliance strategy.
Build the Muscle Before the Crisis Hits
The purpose of the HIPAA breach notification rule comes down to one principle: people have a right to know when their health information has been compromised. Your organization's job is to tell them — quickly, completely, and honestly.
The organizations that handle breaches well aren't luckier. They're better prepared. They've trained their workforce, tested their response plans, and built notification into their operational DNA. If your team hasn't rehearsed a breach scenario in the last 12 months, start there. Explore our full training catalog to build the skills your people need before the next incident puts them to the test.