A breach is defined as the impermissible acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI. When there is a breach of unsecured PHI, covered entities, such as physicians, and business associates, where applicable, must provide appropriate notification. Given the rising frequency of breaches, it is increasingly important to understand notification requirements should a breach occur.  

Notification Requirements  

In the event of a breach of unsecured PHI, covered entities must provide appropriate notification as outlined in the table below.  

Who Must be Notified: Individuals affected
  Method of Notification: First-class mail, or email if the individual has agreed to electronic notification
  Timeframe for Notification: Without unreasonable delay and no later than 60 days after discovery of the breach
  Information Included in Notification:
    • Brief description of the breach
    • Description of the types of information involved in the breach
    • Steps individuals should take to protect themselves
    • Steps the covered entity is taking to investigate and mitigate the situation and prevent future breaches
    • Contact information

Who Must be Notified: Media, if the breach affects more than 500 individuals in a state or jurisdiction
  Method of Notification: Likely via press release to media outlets
  Timeframe for Notification: Without unreasonable delay and no later than 60 days after discovery of the breach
  Information Included in Notification: Same information as required for notifying the individuals affected

Who Must be Notified: Secretary
  Method of Notification: Electronically, by completing the form on the Breach Notification Portal
  Timeframe for Notification:
    • If the breach affects 500 or more individuals, without unreasonable delay and no later than 60 days after discovery of the breach
    • If the breach affects fewer than 500 individuals, no later than 60 days after the end of the calendar year during which the breach was discovered
  Information Included in Notification: See the Breach Portal Sample Form for the information required when submitting via the portal

If the breach occurred at or by a business associate, the business associate must notify the covered entity. Refer to the HHS webpage, Breach Notification Rule, for more details on notification requirements. 

Administrative Requirements  

Covered entities and business associates, where applicable, are responsible for demonstrating that they have met all notification requirements following a breach. Additionally, covered entities must have written policies and procedures in place on breach notification. They must further train employees and enforce sanctions against workforce members who do not comply with these policies and procedures.  

Exceptions 

As outlined in the Rule, there are three situations which are excluded from the definition of breach: 

  • When a workforce member or authorized representative of a covered entity or business associate unintentionally acquires, accesses, or uses PHI, provided this was done in good faith, within the scope of their authority, and does not lead to further impermissible use or disclosure under the Rule
  • When an authorized person at a covered entity or business associate inadvertently discloses PHI to another authorized person at the same covered entity or business associate, or at an organized health care arrangement that includes the covered entity, as long as there is no further impermissible use or disclosure of the information
  • When PHI is impermissibly disclosed to an unauthorized person, but the covered entity or business associate has a good faith belief that the person could not reasonably have retained the information.  

Outside of these exceptions, an impermissible use or disclosure of PHI is deemed a breach unless a covered entity or business associate performs a risk assessment and, through doing so, can demonstrate that there is a low probability that the PHI has been compromised. The risk assessment must take into account the following factors: 

  • The scope and nature of the PHI involved, including what identifiers were present and the potential for re-identification
  • The unauthorized individual who accessed or received the PHI
  • Whether the PHI was in fact obtained or viewed
  • The degree to which any risk to the PHI has been reduced or mitigated 

Covered entities and business associates may also choose to provide breach notification without first conducting such a risk assessment to determine the likelihood that PHI was compromised. 

Additional Resources 

Review the HHS webpage, Submitting Notice of a Breach to the Secretary, for more information on how to notify the Secretary of a breach, whether it involves 500 or more individuals or fewer than 500 individuals. 

Disclaimer:  
 
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.  

Last Updated

12/19/2025

Source

American Academy of Pediatrics