
HIPAA Breach Notification Rule: Reporting Timeline, OCR Process, and Penalty Structure

Reviewed by Opsio Engineering Team
Fredrik Karlsson

Group COO & CISO

Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments

The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D, §§164.400-164.414) is the playbook for what happens after unsecured protected health information has been acquired, accessed, used, or disclosed in violation of the Privacy Rule. Created by §13402 of the HITECH Act and finalised in 2013, the rule replaced a patchwork of state breach laws with a federal floor — though state laws often layer additional requirements on top. For covered entities and business associates, getting the breach response wrong produces both regulatory penalties and the more expensive cost of media coverage and customer attrition.

This article walks through the §164.402 breach definition and four-factor risk assessment, the notification timelines and channels under §§164.404-164.408, the business-associate obligation under §164.410, the OCR investigation process, and the penalty structure that determines settlement amounts. The figures and case examples are drawn from the OCR Breach Portal and published resolution agreements.

The Definition of Breach: §164.402's Four-Factor Test

Under §164.402, a breach is "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information." The 2013 HITECH Final Omnibus Rule introduced a critical change: any impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that PHI was compromised through a four-factor risk assessment.

  1. Nature and extent of PHI involved — types of identifiers, sensitivity (mental health, HIV status, substance abuse), likelihood of re-identification
  2. Unauthorised person who used or received PHI — was the recipient another covered entity bound by HIPAA? An employee of a competitor? An external attacker?
  3. Whether the PHI was actually acquired or viewed — for example, a stolen encrypted laptop that the thief never decrypted
  4. Extent to which the risk has been mitigated — for instance, written assurances of destruction obtained from an unauthorised recipient

If the four-factor analysis demonstrates a low probability of compromise, the event is not a breach and no notification is required. The analysis must be documented contemporaneously — OCR routinely requests it during investigations. The 2013 rule shifted the default: pre-2013, the entity had to show a "significant risk of harm" to trigger notification; today, the entity must show a low probability of compromise to avoid it.

The Encryption Safe Harbour

The most valuable single mitigation in the rule is the §164.402 reference to "unsecured protected health information" — defined by HHS guidance as PHI not rendered unusable, unreadable, or indecipherable to unauthorised persons. The 2009 HHS Guidance to Render Unsecured PHI Unusable establishes that ePHI encrypted to NIST-approved standards (AES-128 or stronger, FIPS 140-2/140-3 validated) is not unsecured PHI, so long as the decryption key was not compromised along with the data. A lost or stolen device with verifiable encryption is therefore not a breach, and backups encrypted at rest are not breached when a backup vendor is compromised.

This is why the cost-benefit case for encryption is overwhelming: AES-256 at rest removes a multi-million-dollar annual exposure and is achievable through native cloud KMS integration with effectively no engineering effort.

Individual Notification: §164.404

If the event is a breach, the covered entity must notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery. "Discovery" is the date the breach is known, or by exercising reasonable diligence would have been known, by any workforce member other than the person who committed the breach (§164.404(a)(2)).

The notification must be by first-class mail to the last known address of the individual, or by email if the individual has agreed to electronic notice. The notice must include: a brief description of what happened; types of unsecured PHI involved; steps the individual should take to protect themselves; what the entity is doing to investigate, mitigate, and prevent recurrence; and contact information.

If the entity has insufficient or out-of-date contact information for 10 or more individuals, substitute notice is required: a posting on the home page of the entity's website for at least 90 days, or notice in major print or broadcast media. A toll-free number that remains active for at least 90 days must accompany substitute notice.

Media and HHS Notification: §§164.406, 164.408

For breaches affecting 500 or more residents of a state or jurisdiction, the entity must additionally notify prominent media outlets serving that state or jurisdiction, contemporaneously with individual notification (§164.406). The same threshold triggers immediate notification to the HHS Secretary (§164.408(b)) — submitted via the OCR breach reporting portal at ocrportal.hhs.gov.

For breaches affecting fewer than 500 individuals, the entity must maintain a log and submit it to HHS within 60 days of the end of the calendar year (§164.408(c)). The OCR breach portal — colloquially the "Wall of Shame" — publishes every breach affecting 500+ individuals with the entity name, breach type, location of breached information, and number of affected individuals. Once an entry appears on the public portal, an OCR investigation typically follows within 6-12 months.

Business Associate Notification: §164.410

Business associates have a separate notification obligation: report the breach to the affected covered entity without unreasonable delay and no later than 60 calendar days after discovery. The BA is not required to notify affected individuals (the covered entity does that), but the BA's clock starts on its own discovery, and that discovery is imputed from any workforce member.

In practice, BAA terms almost always shorten this. Most enterprise BAAs require the BA to notify the covered entity within 24-72 hours of discovery, because the covered entity's 60-day individual notification clock starts on the BA's discovery — every day the BA waits is a day the covered entity loses. A BA that takes 60 days to report leaves the covered entity zero time to investigate, draft notice, print, and mail to potentially millions of individuals. Negotiating breach-notification timing is one of the most consequential parts of any BAA.

OCR Investigation Process

When a breach affecting 500+ individuals is reported via the breach portal, OCR opens a compliance review under its §13411 HITECH authority. The investigation typically follows a standard sequence:

  1. Letter of Authorisation — OCR opens the case and sends an initial document request, usually with a 30-day production deadline
  2. Document review — OCR analysts review the entity's risk analysis, policies and procedures, BAAs, audit logs, and breach response documentation
  3. Site visit or follow-up RFI — depending on findings, additional document requests or an on-site review
  4. Findings letter — OCR communicates preliminary findings, often identifying specific control failures and policy gaps
  5. Resolution — most cases resolve through a Resolution Agreement and Corrective Action Plan; a smaller subset are referred for civil money penalty proceedings before an HHS administrative law judge

The Corrective Action Plan typically runs two to three years and requires monthly or quarterly progress reports to OCR. CAP obligations have been the source of significant follow-on engineering investment in many resolved cases.

The Civil Money Penalty Tier Structure

The HITECH Act created a four-tier penalty structure at 45 CFR §160.404, indexed annually for inflation. As of the 2024 inflation adjustment (89 FR 80055), the per-violation amounts are:

Tier | Culpability                                                     | Per-violation range  | Annual cap (per identical provision)
1    | Did not know and would not have known with reasonable diligence | $137 - $68,928       | $2,067,813
2    | Reasonable cause, not wilful neglect                            | $1,379 - $68,928     | $2,067,813
3    | Wilful neglect, corrected within 30 days                        | $13,785 - $68,928    | $2,067,813
4    | Wilful neglect, not corrected                                   | $68,928 - $2,067,813 | $2,067,813

Resolution Agreements typically settle below the maximum, but the leverage is real. Anthem Inc. paid $16 million in 2018 for a breach affecting 78.8 million individuals. Premera Blue Cross paid $6.85 million in 2020. Excellus Health Plan paid $5.1 million in 2021. Banner Health paid $1.25 million in 2023. The aggregate disclosed settlements over OCR's enforcement history exceed $144 million as of the most recent HHS reporting.

How Opsio Helps

Opsio supports breach response, OCR investigation defence, and post-breach remediation for covered entities and business associates. Our HIPAA risk analysis services include four-factor risk-assessment facilitation, contemporaneous documentation, HHS portal submission support, OCR document-request response, and the technical remediation that closes the underlying control gap. We pair the work with managed detection and response services for ongoing breach prevention and with SOC security services for the 24x7 monitoring that detects events before they spread.

About the Author

Fredrik Karlsson

Group COO & CISO at Opsio
